CyberheistNews Vol 6 #4 Scam Of The Week: Phish With Hidden Sting



CyberHeist News
Scam Of The Week: Phish With Hidden Sting
Stu Sjouwerman

As you may have heard, KnowBe4 has released a no-charge Outlook Add-in that allows your employees to report phishing attacks to your Incident Response team with just one click. It's called the Phish Alert button.

What you probably didn't know is that system admins have the option to share these reported phishing emails with KnowBe4's researchers, and many do.

We have tens of thousands of our Phish Alert add-ins installed now and our analysis of the reported phishing emails is showing some interesting results.

There is a particular type of phish our research team sees more and more of. This attack plays out as follows:

    1. Employees receive an email with an attachment, usually a PDF or DOC.

    2. The body of the email contains no malicious links; it is only a social engineering ruse to open the attached document.

    3. The attached document is itself not malicious, i.e., it carries no exploit and no malicious macro or script. What the user sees is a second ruse to click a link embedded in the document.

    4. The link embedded in the document leads either to an exploit site/page or to a fake login page for a recognized service.

These phishes slip past AV and email security apps/appliances because the email body contains nothing obviously malicious and the attachment carries no exploit or macro to detect. What AV and email security apps are not doing is scanning the links inside the attached documents.
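The gap described above is mechanical: the link lives inside the attachment, not in the message body, so a gateway that only extracts and checks body URLs never sees it. The following is an added example, not KnowBe4 code, of pulling hyperlink targets out of DOCX and PDF attachments so they can be fed to the same URL reputation checks the body gets. The sample attachments are constructed in the block (the .docx is built in memory, the PDF is a hand-written uncompressed stub), and the URLs in them are placeholders, not real lures.

```python
# Added example (not KnowBe4 code): extract hyperlinks from DOCX and PDF
# attachments so the links hidden in a "clean" document get scanned too.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def docx_links(data: bytes) -> list:
    """External hyperlink targets of a .docx.

    A .docx is a zip of XML parts. Word keeps each hyperlink's target in a
    relationship part (word/_rels/*.rels), not in the visible text, so a
    scanner that only extracts document text never sees the URL.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("Type") == HYPERLINK_REL and rel.get("TargetMode") == "External":
                    links.append(rel.get("Target"))
    return links


# /URI (...) inside a link annotation's action dictionary. PDF literal strings
# may contain escaped parentheses, which the inner group tolerates.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def pdf_links(data: bytes) -> list:
    """/URI action targets found in an uncompressed PDF.

    Assumption: objects are stored in clear text. Real PDFs often
    Flate-compress object streams; a production scanner would inflate
    them (zlib) before running this regex.
    """
    links = []
    for m in PDF_URI_RE.finditer(data):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        links.append(raw.decode("latin-1"))
    return links


def attachment_links(filename: str, data: bytes) -> list:
    """Dispatch on extension; other attachment types yield no links here."""
    lower = filename.lower()
    if lower.endswith(".docx"):
        return docx_links(data)
    if lower.endswith(".pdf"):
        return pdf_links(data)
    return []


# --- constructed samples standing in for a captured lure (placeholder URLs) ---
def build_sample_docx(url: str) -> bytes:
    """Minimal .docx whose only payload is one external hyperlink."""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" Target="{url}" TargetMode="External"/>'
        f"</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")  # body text is irrelevant here
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (http://invoice-review.example/login) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    docx = build_sample_docx("http://docs-secure-view.example/open")
    for fname, blob in (("Invoice.docx", docx), ("Remittance.pdf", SAMPLE_PDF)):
        for url in attachment_links(fname, blob):
            print(fname, "->", url)
```

The extracted URLs are the hand-off point: pass them to whatever reputation or sandbox check the gateway already applies to body links. Legacy .doc (OLE2) files and compressed PDF streams need a real parser (olefile, pdfminer or similar) rather than the stubs above.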

This is something to watch out for, and warn your employees about. I would send them the following, and while you are at it, send it to friends and family as well.

"Bad guys are getting smarter by the month. They now send you emails that your antivirus and spam filters do not catch. It goes like this: The email has an attachment that you are tricked into opening. In the attachment is a link that they try to make you click on. The link goes to a malicious website and will infect your computer.

Do not open attachments you did not ask for. When you get an attachment, verify that the person actually sent it to you and why. If in doubt, throw it out. Always Think Before You Click."


You can get your own complimentary Phish Alert Outlook Add-in here:
https://info.knowbe4.com/free-phish-alert

CEO Fraud Costs Boeing Vendor 54 Million Dollars

Effective security awareness training for your high-risk employees is becoming a major priority. The accounting team of FACC, which designs and manufactures aircraft components for Boeing and Airbus, was social engineered into transferring around 54 million dollars to a foreign bank.

They disclosed on their blog that they had become the victim of "a crime act using communication information and information technologies." The post added that the board had immediately involved the Criminal Investigation Department and engaged a forensic investigation, and that the attack was executed from outside the company.

They continued with: "The financial accounting department of FACC was the target of cyber fraud. The damage is an outflow of approx. EUR 50 million (USD 54 million) of liquid funds. The management board has taken immediate structural measures and is evaluating damages and insurance claims."

Good luck with that. Cyber insurance policies tend not to cover this type of social engineering scam; see the article below. CEO Fraud, also known as Business Email Compromise (BEC), is a highly sophisticated Internet scam: the attackers penetrate one or more email accounts of employees in the accounting department, lurk for months to learn policy and procedures, and then wait until the CEO is out on business travel before the scam kicks into gear. The fraudulent transfers are sized like the company's regular wire transfers so that the transaction does not raise eyebrows.

C-level employees, especially CEOs and CFOs, have to be aware of the various techniques the scammers are using to trick them into wiring large amounts of money. Effective security awareness training is a must these days.

The KnowBe4 integrated training and simulated phishing platform enables your security team to simulate CEO Fraud attacks and make sure that the accounting team is inoculated against these attacks. More details and links at the KnowBe4 Blog:
https://blog.knowbe4.com/ceo-fraud-costs-boeing-vendor-54-million-dollars

Firm Sues Cyber Insurer Over 480 Thousand Dollar Loss

Brian Krebs reported on a CEO Fraud case in which a Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a 480,000 dollar loss following an email scam that impersonated the firm's chief executive:

"At issue is a cyber insurance policy issued to Houston-based Ameriforge Group Inc. (doing business as "AFGlobal Corp.") by Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but that the insurer nevertheless denied a claim filed in May 2014 after scammers impersonating AFGlobal's CEO convinced the company's accountant to wire 480,000 dollars to a bank in China.

"According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to 3 million dollars, with a 100,000 dollar deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal's director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal."

A link to the whole story is below but the conclusion is already blindingly clear: even if you have cyber insurance, that does not automatically mean you are covered for CEO Fraud where employees get social engineered to wire large amounts of money out of the country. To quote IT Security guru Bruce Schneier: "If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology." More:
http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/
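Both CEO Fraud cases above turn on someone "claiming to be" the chief executive. The following is an added example, not from the newsletter or from Krebs' reporting, of the header checks a mail gateway can run for the outside-in form of that impersonation: an executive's display name on an address outside the company, a sender domain that is a near miss of the real one, and a Reply-To that quietly redirects the conversation. CORP_DOMAIN, the EXECUTIVES list and the three sample messages are constructed placeholders. The caveat matters: none of this helps when the mail comes from a genuinely compromised internal account, which is the scenario the newsletter describes and why it leans on awareness training and out-of-band verification of wire requests.

```python
# Added example (not from the newsletter or from Krebs): header heuristics
# for CEO impersonation sent from outside the company. Placeholders throughout.
import email
from email.utils import parseaddr

CORP_DOMAIN = "afglobal.example"   # placeholder, not the company's real domain
EXECUTIVES = {"gean stalcup"}      # display names to protect (constructed)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: bytes) -> list:
    """Return finding tags for one RFC 5322 message (empty list = nothing seen)."""
    msg = email.message_from_bytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    dom = domain_of(addr)
    # 1. An executive's display name on an address outside the company.
    if name.strip().lower() in EXECUTIVES and dom != CORP_DOMAIN:
        findings.append("exec-name-external-address")
    # 2. Sender domain within two edits of ours (e.g. an "l" swapped for an "i").
    if dom and dom != CORP_DOMAIN and levenshtein(dom, CORP_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # 3. Replies silently routed to a different mailbox than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append("reply-to-mismatch")
    return findings


# Constructed samples; wording is typical of the scam, not a real message.
LEGIT = (b"From: Gean Stalcup <gean.stalcup@afglobal.example>\r\n"
         b"To: accounting@afglobal.example\r\nSubject: Q2 numbers\r\n\r\n"
         b"See attached.\r\n")
WEBMAIL = (b"From: Gean Stalcup <gstalcup.ceo@freemail.example>\r\n"
           b"To: accounting@afglobal.example\r\nSubject: Urgent wire\r\n\r\n"
           b"I am travelling and need a wire out today. Keep this between us.\r\n")
LOOKALIKE = (b"From: Accounts Payable <ap@afgiobal.example>\r\n"
             b"Reply-To: ap-desk@mailer.example\r\n"
             b"To: accounting@afglobal.example\r\nSubject: Updated bank details\r\n\r\n"
             b"Please use the new account for this month's payments.\r\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("webmail", WEBMAIL), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw))
```

A hit on any of these should route the message to the Phish Alert queue rather than block it outright; legitimate executives do occasionally mail from personal accounts, and the point is to get a human to verify the wire request by phone before money moves.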

I Was Interviewed By ABC News About Malware Infections

I was interviewed by Tampa's ABC News about the massive increase in malware infections in Tampa. Adam Walser visited the KnowBe4 offices and asked why the rate was 842% over the national average. We had some fun discussing the risks of visiting pr0n sites. VIDEO:
https://www.knowbe4.com/knowbe4-in-the-news/

Oh, and a customer sent us this: "We’ve got a few employees wearing Manning jerseys here at the office in Patriots country today. Will we be sending them simulated: 'Breaking news: Peyton Manning found dead from HGH overdose phishing emails'? Yes, yes we will." We were very amused here at KnowBe4.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"No one has ever made himself great by showing how small someone else is."
- Irvin Himmel

"The price of greatness is responsibility."
- Winston Churchill


Thanks for reading CyberheistNews


Security News
Cyber Mafias Target SMB Accounting Departments

A hybrid criminal campaign uses both social engineering and Trojans to wire money out of SMBs' bank accounts.

Symantec blogged about profit-driven cybercriminals who have worked hard at infiltrating the accounting departments of small and medium businesses in the U.S., U.K., and India. Symantec said the campaign was launched in early 2015.

Around half of the infections associated with this campaign are split evenly between the U.S. and the U.K. The cybercriminals do not target specific verticals; they attempt to breach any type of business.

The attackers use spoofed or stolen email accounts to send phishing emails with subjects related to payments and financial inquiries to people known to work in the targeted company's accounting department. Symantec believes this gang is probably based in Europe or America.

The malicious emails carry one of two remote access Trojans (RATs). Once the malware has infected the workstation, it gives the attackers complete control over the machine.

"The attackers have been observed using the targeted employee’s privileged access to transfer money to an account under their control," Symantec explained in their post. "Once a computer is compromised, the attackers spend time assessing it to find out how to steal the money. In some cases, attackers have been known to even download manuals to figure out how to use certain financial software." More:
http://www.symantec.com/connect/blogs/indian-us-uk-finance-department-employees-targeted-remote-access-trojans

PAYCHEX: 60% Of Hacked SMBs Are Out Of Business 6 Months Later

Paychex wrote a great article about the urgency of creating a cyber security culture in your business. This is excellent ammo to send to your C-level execs:

"Creating a cyber security culture in your business involves more than providing tools like firewalls and virus protection software. Experts uniformly agree that educating employees about the threats of data breaches and cyber theft is a critical step in protecting your company's invaluable data.

But while most small businesses understand the need for a comprehensive data security program, many still believe hackers are only interested in going after big companies, and therefore may not take all the precautions that they should.

In fact, statistics compiled by the National Cyber Security Alliance paint a disturbing portrait of small business vulnerability:

    • Almost 50 percent of small businesses have experienced a cyber attack.
    • More than 70 percent of attacks target small businesses.
    • More than 75 percent of employees leave their computers unsecured.
    • As much as 60 percent of small and medium-sized businesses that experience a data breach go out of business after six months.

A breach or attack can result in a significant loss of income, particularly if the small business involved lacks cyber liability insurance. If news of the breach goes public, the damage to the business's brand may be insurmountable.

Leaving your business data exposed to cyber attacks is simply too great a risk to ignore. The best defensive strategy is creating a cyber security culture in the workplace that greatly tips the odds of success in your favor." Paychex recommends starting with training. See more at:
http://www.paychex.com/articles/human-resources/creating-cyber-security-culture

What’s the Status of Your Information Security Awareness Program?

PivotPoint Security looked at awareness training from the perspective of ISO 27001 compliance, and came up with some interesting observations. I'm quoting a section and you can read the whole post at their blog:

"Here are the five basic classes of security awareness training I’ve encountered, and how they relate to the ISO 27001 guidance:

    • An ISO 27001 compliant program that includes training for current and new employees, along with periodic updates.
    • A security awareness program is in place. All new employees receive training upon being hired, and sign to verify their participation. However, contrary to ISO 27002 control 7.2.2, there is no follow-up training.
    • No formal InfoSec awareness program exists, but “awareness tips” are circulated periodically. Informal training like websites, emailing reminders and tips, or even putting up posters can be effective. But while this approach provides ongoing education, to satisfy an auditor a program that demonstrably aligns with information security policy is required.
    • There’s a security awareness program in place, including training, but it doesn’t include information security. Thus the training is almost certainly not based on the information security policy, if one exists.
    • No security awareness training.

Which of these does your current program resemble? Is the current training you’re conducting (or not) delivering the benefits you’re hoping for? Or could you better reduce information security risk by spending that money in some other way? More:
http://www.pivotpointsecurity.com/blog/5-classes-security-awareness-training/

Dedicated Anti-Ransomware Software Released

A senior security developer friend of ours, who worked for years on the VIPRE Antivirus product, asked me six months ago if I knew of something that people needed. He had acquired the WinPatrol product and needed to expand in a new direction. I said that something innovative that blocks ransomware would be good. He said OK, and a few weeks ago he released WinAntiRansom.

We looked at it and it's pretty good, with a minimal footprint. You could run this on critical servers and/or high-risk workstations. WinAntiRansom was independently tested by CruelSister on MalwareTips.com; you can see the results in this video (they already have a detection for the one sample it missed): https://www.youtube.com/watch?v=q2h7SfpVHj8

There is no admin console yet, but they are working on it. Check it out, this might be something:
https://www.winpatrol.com/war/

