CyberheistNews Vol 6 #4 Scam Of The Week: Your Stolen iPhone Has Been Found



CyberHeist News
Scam Of The Week: Your Stolen iPhone Has Been Found
Stu Sjouwerman

Between 3 and 4 million smartphones are stolen every year. It's the modern-day purse snatching. Many people keep their entire private and work lives on these devices, which can cost up to 500 bucks. Losing a device, or having it stolen, can feel like a disaster, well beyond the monetary loss.

Cyber thieves count on this panic and abuse their victims twice in this sophisticated iPhone scam: they count on your wanting to prevent a further loss, and social engineer you. Nothing is sacred. Here is how it goes down:

  1. Your iPhone gets stolen.
  2. You go online and turn on the Find My iPhone Activation Lock.
  3. Shortly afterward you get a message saying the phone has been found, but you need to go to a website and verify your Apple ID. You quickly do this.
  4. Gotcha! It is a spoofed Apple iCloud site, and when you enter your credentials they go straight to the scammers, who now own your account and unlock the phone.
  5. You've been socially engineered and the thieves will sell the phone. Nothing to do but go to Apple, change your password and set up 2-factor verification for your account, but the phone (or iPad) is gone forever.

How can the bad guys do this? Simple -- they send an iMessage to the email address the locked phone says it was locked by, since the default iOS settings let you send and receive iMessages at any email address tied to an Apple ID.

The problem is that the end user is in a panic and does not notice the spoofed "From" address. I suggest you send your BYOD employees a message like this one. Feel free to copy/paste/edit:

"If you lose your smartphone, or if it gets stolen, make sure you follow the procedures you were given by the organization. Report the loss or theft immediately to the correct person. If you get a message from an address you do not recognize claiming 'your phone is found', do not click on anything and do not call any number that the message may give you. Specifically, do not log into any site this message tells you to go to and enter your username and password, because that is likely a spoofed site and they are trying to steal your credentials.

Remember, the bad guys try to trick you when you are worried and manipulate you into doing things against your own interest. Online crooks have no shame in abusing their victims twice to get what they want. Think Before You Click!"
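The template above tells users not to trust a link just because it mentions iCloud. The same check can be automated at a mail gateway or by a help desk script: parse the link the way a browser would and accept it only if the host really belongs to a trusted domain. The following is an added example written for this newsletter, not KnowBe4's or Apple's code; the trusted-domain list, the function names and the sample "phone found" message are constructed assumptions.

```python
"""Added example (not from the newsletter): flag links in a "your phone has
been found" message whose host is not a genuine Apple/iCloud domain.

The trusted-domain list, the sample message and the function names are
constructed for this example.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: only these registrable domains (and their subdomains) are
# acceptable for an Apple ID / Find My sign-in link.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")

# Matches http(s) URLs in free text; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None.

    Two tricks are neutralised here:
      * user@host links such as https://icloud.com@evil.example resolve to
        'evil.example'; urlsplit().hostname discards the user part.
      * a trailing dot and upper-case letters are normalised so that
        'ICLOUD.COM.' compares equal to 'icloud.com'.
    Plain http links are treated as untrusted: a sign-in page is HTTPS.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None
    host = parts.hostname  # already lower-cased, no port, no userinfo
    return host.rstrip(".") if host else None


def is_trusted_link(url: str) -> bool:
    """True only if the host is a trusted domain or a real subdomain of it.

    A lookalike such as 'icloud.com.verify.example' fails because the
    trusted name must be the *suffix* of the host, preceded by a dot.
    """
    host = link_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(message_text: str) -> List[str]:
    """Return every link in the text that does not pass is_trusted_link()."""
    found = []
    for match in URL_RE.finditer(message_text):
        url = match.group(0).rstrip(".,;:)")  # drop sentence punctuation
        if not is_trusted_link(url):
            found.append(url)
    return found


# Constructed sample: the kind of message the scam in this newsletter sends.
SAMPLE_MESSAGE = (
    "Good news, your iPhone has been located. Verify your Apple ID within "
    "24 hours at https://icloud.com.device-locator.example/verify or the "
    "device will be released."
)

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_MESSAGE):
        print("untrusted link:", url, "-> host", link_host(url))
```

The check is deliberately strict: a link is accepted only when the trusted name is the host's suffix, so `icloud.com` appearing at the start of a longer host, or before an `@`, does not count. Rather than parsing the host with string tricks, use the URL parser the way the browser does; that is where most lookalike links get their convincing appearance.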


Stepping employees who have BYOD devices through effective security awareness training is a must these days. Find out how affordable this is for your organization and be pleasantly surprised.
https://www.knowbe4.com/

CISOs Should Take Security Training Seriously

Doug Drinkwater wrote this great CSO article: "Security awareness training is pivotal to your organization’s information security posture, and, now, it’s more important than ever before.

"In many ways, security awareness training exemplifies the way information security is seen and tackled by senior management.

"A once-a-year, classroom-based approach may be traditional, with security updates and warnings posted on walls and the Intranet, but it is also a sign of a tick-box, compliance-driven approach to security. It is often done to appease industry regulators, PCI and data protection authorities, and the training can offer relatively basic – arguably condescending – advice.

"But times are changing. The threat landscape is growing with the arrival of millions of mobiles and wearables, each with their own IP address, while organized crime and nation-state APT groups are looking at new ways of compromising victims. From exploit kits and Trojans to ransomware, phishing and social engineering scams – the criminal game has moved on."

He could not be more right. I'm quoted in this article and it's great ammo to send to management and get budget:
http://www.csoonline.com/article/3025315/security-awareness/cisos-should-take-security-training-seriously.html

Don't Miss The February Live Demo: New School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, February 10 at 2:00 p.m. (EST) for a 30-minute live product demonstration of the innovative KnowBe4 Security Awareness Training Platform and see how easy it is to train and phish your users:

    • Send Simulated Phishing tests to your users and get your Phish-prone percentage.
    • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
    • Point-of-failure training auto-enrollment.
    • NEW Phish Alert Button for Outlook so employees can report phishing attacks.
    • NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:
https://attendee.gotowebinar.com/register/229173779765531138

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"A gentleman is one who puts more into the world than he takes out."
- George Bernard Shaw

"Life shrinks or expands in proportion to one's courage."
- Anais Nin


Thanks for reading CyberheistNews


Security News
This Week's Five Most Popular HackBusters Posts

There is an enormous amount of noise in the security space, so how do you know what people really talk about and think is the most important topic? Well, we created the Hackbusters site for that. Hackbusters grabs feeds from hundreds of security sites, blogs and other sources. We track which topics are most liked, shared, retweeted and favored, and we built an algorithm that bubbles up the real hot topics. We tweet when a #1 hot security topic comes up.

Here are this week's five most popular hackbusters posts:

    1. Google Wants to Fly Drones Over Your Head to Deliver High Speed 5G Internet:
      http://www.hackbusters.com/news/stories/524701-google-wants-to-fly-drones-over-your-head-to-deliver-high-speed-5g-internet

    2. Data Privacy Day: Reminding Us of Data Protection:
      http://www.hackbusters.com/news/stories/523320-data-privacy-day-reminding-us-of-data-protection

    3. Hate your cable company? A superfast wireless Internet network is coming:
      http://www.hackbusters.com/news/stories/522617-hate-your-cable-company-a-superfast-wireless-internet-network-is-coming-cnet

    4. Death Star expansion confirmed for Star Wars Battlefront:
      http://www.hackbusters.com/news/stories/522003-death-star-expansion-confirmed-for-star-wars-battlefront-cnet

    5. NSA Hacker Chief Explains How to Keep Him Out of Your System:
      http://www.hackbusters.com/news/stories/523204-nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system

Wombat’s "2016 State of the Phish": Attacks, Victims Continue to Rise

Our friends at Wombat released their "2016 State Of The Phish". "The report reflects the reality that CISOs, CSOs, and their infosec teams are facing worldwide on a daily basis: phishing and spear phishing attacks are more prevalent — and more dangerous — than ever.

Three key data points from the survey show year-over-year increases related to frequency and susceptibility to attacks:

  • 85% of respondents said they were a victim of a phishing attack (up 13% from the prior report)
  • 67% said they experienced a spear phishing attack (a 22% increase)
  • 60% said they believe the rate of phishing attacks has increased overall

So, what are the ramifications of a successful phishing attack? From our perspective, it’s a question of means and ends; attackers have different means of exploiting their access, just as they have different end games — and those end games have different implications for the organizations targeted. When asked about the technical issues that resulted from successful phishing attacks on their organizations, respondents indicated that they faced the following:

  • 42% Malware infections
  • 22% Compromised accounts
  • 4% Loss of data

Looking beyond the technical side of phishing, we also asked respondents to identify the business impacts associated with successful attacks:

  • 44% complained of lost employee productivity
  • 36% faced consequences related to the loss of proprietary information
  • 20% dealt with damage to their reputation

In general, the report shows that more aggressive social engineering practices are making phishing more difficult to prevent. Case in point, 55% of survey respondents reported experiencing voice phishing (vishing) and/or SMS/text phishing (smishing). Given that email-based attacks are often preceded by information gathering efforts like phone calls, social media trolling, and even in-person reconnaissance, it’s clear that cyber security is a many-faceted thing."

This Week's Ransomware Roundup

I was going to write up all the news and then ran across this article by Senior Editor Sara Peters at Dark Reading. Saves me some time! She starts out with: "Inventive new variants and damaging attacks swept through the headlines this week." She is so right, and covers:

  • Israeli Electric Authority infected with ransomware
  • Lincolnshire County Council phished and 300 machines down
  • CryptoWall 4.0 sends spoofed SalesForce emails with fake invoices
  • New strain of Android ransomware that poses as a pr0n app
  • The new stupid and destructive 7ev3n ransomware strain wanting 5 grand

Here is the article, recommended reading:
http://www.darkreading.com/endpoint/big-week-for-ransomware/d/d-id/1324086

Tripwire came up with literally 22 ways to make sure ransomware does not make it into your systems. Obviously way at the top -- number 4 to be precise -- the author says you need to train employees, but there are many other ways to prevent infections. I'm not going to repeat all of them here; it's a good article with some great technical hints and tips:
http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/22-ransomware-prevention-tips/

And while we are talking preventing ransomware tips, here is #23. Malwarebytes just released a Beta of their Anti-Ransomware tool which sounds promising as well. Here is the blog post where they announced it:
https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

More Than A Quarter Of All Malware, Ever, Was Created Last Year

IT Pro Portal observed: "Here’s an interesting story: more than a quarter of all malware, ever, was created last year. Yes, more than a quarter – 27.63 per cent, to be exact. Those are just some of the figures released by security firm PandaLabs, in its 2015 Annual Report.

There are some other interesting figures in here as well: there were 84 million new malware samples detected by the firm this year, meaning 230,000 new malware samples were produced daily over the course of the year.

The number of cyber-attacks recorded over the course of the previous year also broke records – a total of 304 million samples were recorded. These figures, together with a couple of high-profile cyber-breaches we witnessed last year, struck fear into the hearts of large corporations." Read more at:
http://www.itproportal.com/2016/01/29/more-than-a-quarter-of-all-malware-ever-was-created-last-year/

End-User Security Awareness First Line Of Data Protection Defense

In a series of video interviews from the 2015 ISSA International Conference in Chicago, SearchCompliance editor Ben Cole discussed modern information security strategy with conference speakers and ISSA members. Here, McCarthy discusses information security best practices and why end-user security awareness is the front line of corporate data protection efforts.

He asked: "How can companies make sure their security policies and processes are staying up to date with modern threats?"

McCarthy: It's really about end-user security awareness type of training programs -- doing the pen testing and the phishing type of attacks, and making them aware. It's sort of deputizing your end users so if they see something coming into your organization that doesn't look right, they are allowed to raise the red flag and not be chastised for doing that. It may be crying wolf -- but I'd rather have the end user crying wolf a little bit and be much more cognizant of what they are seeing on their email or in their environments, than have them click on something and all of a sudden you have a Trojan Horse that entered your environment, and six months later you have an APT. More:
http://searchcompliance.techtarget.com/video/End-user-security-awareness-first-line-of-data-protection-defense

Security Awareness In Healthcare Is Lagging

Unlike the financial sector, security awareness in healthcare is lagging. Also unlike the financial sector—and much to the chagrin of the industry—hacked medical records command a premium on the black market because health data is far more permanent. Healthcare organizations are facing a cybersecurity crisis. More:
http://www.techrepublic.com/article/healthcare-its-battle-to-keep-sensitive-data-safe/

10 Social Engineering Exploits Your Users Should Be Aware Of

No matter how well you lock down network security, your company can still be compromised. How? Social engineering. Here are 10 ways social engineers can get to your data without touching a keyboard. More:
http://www.techrepublic.com/blog/10-things/10-social-engineering-ploys-your-users-should-be-aware-of/


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints & Fun Stuff
    • Frank William Abagnale is an American security consultant known for his history as a former confidence trickster, check forger, and impostor between the ages of 15 and 21. Abagnale's life story provided the inspiration for the feature film Catch Me If You Can, starring Leonardo DiCaprio as Abagnale:
      https://www.youtube.com/watch?v=iJIc16aqpO8
