CyberheistNews Vol 6 #39 Scam Of The Week: Apple Store Phishing Attack Goes For Whole Enchilada

Stu Sjouwerman

Phishing attacks using false Apple Store email messages, fake landing pages and sometimes fake login pages are still a very popular attack vector. They still make it through all the filters, as witnessed by the hundreds reported to us every day by our customers' employees using our Phish Alert Button.

This one is particularly pernicious because, apart from a well-crafted initial phishing email, the landing page is going for the whole enchilada. As we have mentioned here before, the bad guys in Eastern Europe use the UK as their beta test, and when all the bugs are ironed out, the attack gets unleashed in the U.S., so please regard this as a heads-up.

Apple Store Refund Request Phishing Email

The "refund request" page imitates the Apple "look" and asks not only for the full address information but also the credit card data, and makes sure you notice that "Apple is committed to protecting your privacy". Yeah, sure.

The bad guys are pros in their field, with attention to detail. They even have little question marks you can click on that are very helpful in explaining what you need to fill out in each field, so they can fully steal your credit card data.

The fact that these attacks still make it through quite a few different filters shows that it is a continuous process to keep users on their toes with security top of mind, whether it is at the house or in the office.

I suggest you take the following; you're welcome to copy, paste, edit and send the Scam Of The Week to your employees, friends and family:

"A new Phishing attack is using a very realistic-looking Apple App Store message to trick you into trying to prevent getting charged for something you did not buy. This attack may make it through all the spam filters into your inbox so you need to be alert for this scam.

This phishing attack tries to make you fill out a page with your full address and credit card information so that you "will not get charged". If you or a family member fall for this trick, though, it is highly likely that your credit card will be fraudulently charged quickly.

Remember to never click on links in emails to go to a vendor's website. Always use your browser and either type in the address of the company or use a bookmark you have set yourself earlier. And while we are at it, never just open an email attachment you did not ask for. Let's stay safe out there and Think Before You Click!"

"State-Sponsored Actor" Is The New "The Dog Ate My Homework"

Our friend and mega-white-hat hacker Dave Kennedy hit the nail on the head with his quote: "'State-sponsored actor' has become a proxy for 'unstoppable hacker', a rhetorical get out of jail free card that usually doesn't apply."

Dave is totally right. Often state-sponsored hackers get into their target network simply with well-crafted phishing attacks, either with a malicious link or an infected attackment (yeah that was meant to be spelled that way). It is suspected that the Yahoo 500 Million account MegaHack also started like that.

For people in the know, it's amazing to see that some organizations are still not deploying new-school security awareness training that combines on-demand computer-based training with frequent simulated phishing attacks. Without a security layer like that, getting into a network is as easy as taking candy from a baby, and all black-hat hackers admit as much.

2016 now has well over 1 Billion breached records. Just days before the Yahoo hack, this year was on pace to outstrip last year's numbers by as much as 56%, according to findings released by Breach Level Index (BLI), which tracked 707,509,815 records breached in all of 2015.

BLI shows that the count just keeps going up as organizations of all stripes continue to lose PII. In the first half of this year, 554,454,942 records were breached in 974 publicly reported incidents. That's a loss of over 3 million records per day by public and private organizations. Add the 500M Yahoo hack to that and we're up in the stratosphere for 2016.

Q: Why are there not even *more* devastating data breaches? A: There is a shortage of skilled enemy hackers.

Phishing Volume Skyrockets Thanks To Ransomware And Trojans

You all know that the spam/phishing percentage of total email varies over the years. The last 5 years it has been relatively calm. But at the moment, the volume is back at a peak level, and Cisco's Talos Labs said it's a simple matter of economics.

Cyber mafias are now running campaigns that infect workstations with banking Trojans and ransomware that provide a fast ROI, so they can afford the increased overhead of high-volume spam campaigns largely driven by the Necurs botnet.

Here Are Two Examples:

1) New Version of iSpy Trojan Steals Your Software Licenses

Earlier this year we talked about Jsocket, a highly malicious Trojan that we spotted being delivered through phishing emails shared with us via the Phish Alert Button (PAB).

Although ransomware has been grabbing the majority of security-related headlines, malicious RATs and Trojans like Jsocket (and its evil cousins Adwind and AlienSpy) remain an important part of the online threat landscape, allowing malicious actors to monetize compromised systems and networks in a variety of ways.

This new version also steals your software licenses, in addition to everything else they can get their hands on. Blog post with all details here:

2) Price Discrimination: The Fantom Menace of Ransomware

This is an article by Eric Howes, KnowBe4 Principal Lab Researcher.

Over the past few months we've discussed the rising use of price discrimination among purveyors of ransomware to maximize their returns on ransomware campaigns. Instead of using poorly targeted "spray-and-pray" campaigns that extract a uniform toll (one or two bitcoins) from a random and diverse collection of victims, the bad guys are increasingly using more targeted campaigns that match the ransom demands with the victims' ability and willingness to pay.

One way the bad guys have incorporated price discrimination into their standard game is the use of backdoor Trojans, sophisticated keyloggers, and full-blown RATs to reconnoiter potential marks and gather data about their business operations and finances. If they determine your organization is flush with cash or is uniquely sensitive to downtime or other disruptions in service, you can expect to pay more. Much, much more. Story at our blog:

For the background of all this, read the Cisco Talos blog post:

And if you want a quick update of the week in ransomware, check out Larry Abrams' blog over at bleepingcomputer:

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"To know what people really think, pay regard to what they do, rather than what they say."- George Santayana - Philosopher

"I would rather belong to a poor nation that was free than to a rich nation that had ceased to be in love with liberty."- Woodrow Wilson - US President

Thanks for reading CyberheistNews

Security News
Don't Make These Two Major Multi-Factor Security Mistakes

An employee sent this recent horror story to me (thanks Rachel). Remember there are three ways of learning. :-D

  1. Read it in a book, blog (or training session), understand it and apply it successfully in life.
  2. See other people do it and learn that way by following their example.
  3. Pee on the electrified fence...

Here is a #3 story.

Someone who had spent 10 years creating a YouTube channel with 3.5 million subscribers found his channel had been deleted. His PayPal account had been raided. He was locked out of everything, including his smartphone. I'm pretty sure you know where this is going. Everything he had spent 10 years building had been destroyed by a hacker in just a few hours.

Here's the irony of the story

This guy had been changing his passwords regularly, always 20 characters and hard to crack. He never used the same password twice. He even used 2-factor authentication (2FA) to turn his cell phone into a security device. But not only did these steps fail to prevent the hack, using 2FA turned out to be his downfall.


Two-factor (or two-step) authentication requires that you *know* something and *have* something, meaning you have to know your password and have your device. But if the second factor is being texted to you, that doesn't help if a hacker has hijacked your phone number.

So, what happened?

The hacker used social engineering to trick Verizon customer service to change the victim's phone number to his own burner phone. That happens more often than you think. Once the Verizon rep did that, the hacker had control over the victim's cell phone and used it to recover and change the password to the victim's email address and once he had that… he had everything.

So, what 2 major MFA mistakes were made?

First, never use a public cell phone number as your MFA device to get codes texted to you. Use only the Google Authenticator app, which generates a code you can type in.

Second, never use the same email address as the recovery address for more than one important account (for instance both YouTube and PayPal). That alone is enough for a hacker to cause irrevocable damage.

Want to read the whole thing blow-by-blow? Here is the story at Medium. There is an old Dutch expression: "A warned person is worth two." I guess you get the idea...

Bad Guy FAIL! Or, When A Simple Credentials Phish Goes Horribly Wrong

Anyone who works a job in the computer security industry inevitably develops a kind of dark appreciation for the mad skills so often demonstrated by the bad guys. They consistently deliver eye-popping innovation -- even if it's the kind of innovation that regularly causes massive headaches for all the rest of us.

But the bad guys have their off days, too. And when a bad guy operation goes off the rails, you can't help but smile. It's the purest form of schadenfreude.

The Email Account Credentials Phish

The credentials phish is the most common form of phishing email that we encounter. It's simple, straightforward, and it's been around since the very term phishing was itself coined. It's also remarkably successful, fooling inattentive and clueless users time and again.

One particular variant of this most basic phishing attack that we've been seeing a lot over the past six months is what we'll call the "email account credentials phish." In this phish potential marks are told that there is some problem or change with their email account that requires them to take action. Sometimes that action involves opening an attachment. Most often it involves clicking a link.

The beautiful thing about this particular credentials phish is that it allows the bad guys to spoof the target's own IT department or Help Desk. Senior executives might naively assume that company employees would be able to distinguish between emails originating from their own organization's Help Desk and those coming from malicious parties outside the organization.

But we all know such an assumption would be foolish -- indeed, it would be downright dangerous. The "email account credentials phish" is so common that we have several phishing templates available for our customers to use that are based on real bad guy emails that we've seen in the wild. Here are two of them.

But sometimes the bad guys make mistakes and here is what it looks like when a simple credentials phish goes horribly wrong:

Education Now Suffers The Most Ransomware Attacks

Article at DarkReading: "New data shows ransomware rates worldwide doubling and tripling in past 12 months. When you think ransomware victim, most likely your first thought is a hospital. But a new survey of ransomware's spread among different industry sectors shows that education is actually the biggest target right now.

BitSight, which rates the security posture of organizations based on external data showing malicious activity surrounding them, in a new report today found that education is hit most by ransomware attacks, followed by government, healthcare, energy/utilities, retail, and finance.

BitSight's analysts studied ransomware activity at some 20,000 organizations and found that one in 10 education organizations had been hit with malware on their networks, followed by 6% of government entities; 3.5% of healthcare organizations; 3.4% of energy/utilities; 3.2% of retailers; and 1.5% of financial organizations.

According to BitSight, the rate of ransomware attacks has doubled or tripled among various industries in the past 12 months." More:
