Scam Of The Week: Your Stolen iPhone Has Been Found
Between 3 and 4 million smartphones are stolen every year. It's your modern-day purse snatching. Many people put their entire private and work lives on these devices, which can cost up to 500 bucks. Losing a device or getting it stolen can feel like a disaster, way beyond just the monetary loss.
Cyber thieves count on this panic and abuse their victims twice in this sophisticated iPhone scam. They count on you wanting to prevent a negative consequence and social engineer you. Nothing is sacred. Here is how this goes down:
Your iPhone gets stolen.
You go online and turn on the Find My iPhone Activation Lock.
Shortly afterward you get a message that the phone has been found, but you need to go to a website and verify your Apple ID. You quickly do this.
Gotcha! It is a spoofed Apple iCloud site and when you enter your credentials, these go straight to the scammers who now own your account and unlock the phone.
You've been socially engineered and the thieves will sell the phone. Nothing to do but go to Apple, change your password and set up 2-factor verification for your account; the phone (or iPad) is gone forever.
How can the bad guys do this? Simple -- they send an iMessage to the email address the locked phone displays as its owner's Apple ID, because the default iOS settings let you send and receive iMessages to any email address that is tied to an Apple ID.
The problem is the end-user is in a panic and does not notice the spoofed "From" address. I suggest you send your BYOD employees a message like this one. Feel free to copy/paste/edit:
"If you lose your smartphone, or if it gets stolen, make sure you follow the procedures you were given by the organization. Report the loss or theft immediately to the correct person. If you get a message from an address you do not recognize claiming "your phone is found", do not click on anything and do not call any number that the message may give you. Specifically, do not log into any site this message tells you to go to and enter your username and password, because that is likely a spoofed site and they are trying to steal your credentials.
Remember, the bad guys try to trick you when you are worried and manipulate you into doing things against your own interest. Online crooks have no shame in abusing their victims twice to get what they want. Think Before You Click!"
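The scam above works because the victim never checks where the "verify your Apple ID" link really points. The check below is an added example, not code from the newsletter, from KnowBe4 or from Apple: it pulls the links out of a message body and judges each one by its real host, matching on the domain-label boundary so that a host which merely contains "icloud.com" is not treated as Apple's. The allowlist and the sample lure are constructed for this example (the hostile domains use reserved .example names), and a real deployment would maintain its own allowlist.

```python
"""
Added example (not from the original newsletter): a defender-side check for
links in a "your phone has been found" message. It decides whether a link's
host is really within an allowlisted domain, or merely looks like it. The
allowlist and the sample message are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist. Only registrable domains the real vendor owns belong
# here; anything else is untrusted, however Apple-like it looks.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")

# Matches http(s) URLs inside free text (sufficient for a message body).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only when host equals a trusted domain or is a subdomain of one.

    Matching on the label boundary matters: "icloud.com.verify.example" and
    "notapple.com" both contain a trusted name but are not subdomains of it.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Return (verdict, reason) for a single URL found in a message."""
    parts = urlsplit(url)
    # urlsplit().hostname ignores any "user@" prefix, so a link written as
    # "https://icloud.com@x.example/" is judged by its real host x.example.
    host = parts.hostname
    if not host:
        return ("suspicious", "no host in URL")
    if parts.scheme.lower() != "https":
        return ("suspicious", f"not https ({parts.scheme})")
    if parts.username is not None:
        return ("suspicious", f"userinfo before host hides real host {host}")
    if host_is_trusted(host, trusted):
        return ("trusted", f"{host} is within an allowlisted domain")
    # A trusted name appearing inside an untrusted host is the classic lookalike.
    for d in trusted:
        if d in host or d.split(".")[0] in host:
            return ("suspicious", f"{host} imitates {d} but is a different domain")
    return ("suspicious", f"{host} is not an allowlisted domain")


def scan_message(text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Classify every link in a message body as (url, verdict, reason)."""
    return [(u,) + classify_link(u, trusted) for u in URL_RE.findall(text)]


# Constructed sample lure in the shape the newsletter describes; the hostile
# domains are reserved .example names, not real sites.
SAMPLE_MESSAGE = (
    "Good news, your iPhone has been located. To confirm ownership please "
    "verify your Apple ID at https://icloud.com.verify-device.example/login "
    "or at https://icloud.com@account-check.example/ within 24 hours. "
    "Official help: https://support.apple.com/"
)

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}\n           {reason}")
```

Run as a script it flags the first two links and accepts only the support.apple.com one. The point worth taking from it is the label-boundary rule in `host_is_trusted`: a panicked user reads "icloud.com" at the start of a host and stops, while the parser reads the whole host and sees a different registrable domain.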
Stepping employees who have BYOD devices through effective security awareness training is a must these days. Find out how affordable this is for your organization and be pleasantly surprised. https://www.knowbe4.com/
CISOs Should Take Security Training Seriously
Doug Drinkwater wrote this great CSO article: "Security awareness training is pivotal to your organization’s information security posture, and, now, it’s more important than ever before.
"In many ways, security awareness training exemplifies the way information security is seen and tackled by senior management.
"A once-a-year, classroom-based approach may be traditional, with security updates and warnings posted on walls and the Intranet, but it is also a sign of a tick-box, compliance-driven approach to security. It is often done to appease industry regulators, PCI and data protection authorities, and the training can offer relatively basic – arguably condescending – advice.
"But times are changing. The threat landscape is growing with the arrival of millions of mobiles and wearables, each with their own IP address, while organized crime and nation-state APT groups are looking at new ways of compromising victims. From exploit kits and Trojans to ransomware, phishing and social engineering scams – the criminal game has moved on."
Don't Miss The February Live Demo: New School Security Awareness Training
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, February 10 at 2:00 p.m. (EST) for a 30-minute live product demonstration of the innovative KnowBe4 Security Awareness Training Platform and see how easy it is to train and phish your users:
Send Simulated Phishing tests to your users and get your Phish-prone percentage.
Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
Point-of-failure training auto-enrollment.
NEW Phish Alert Button for Outlook so employees can report phishing attacks.
NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
"A gentleman is one who puts more into the world than he takes out." - George Bernard Shaw
"Life shrinks or expands in proportion to one's courage." - Anais Nin
Thanks for reading CyberheistNews
This Week's Five Most Popular HackBusters Posts
There is an enormous amount of noise in the security space, so how do you know what people really talk about and think is the most important topic? Well, we created the Hackbusters site for that. Hackbusters grabs feeds from hundreds of security sites, blogs and other sources. We track which topics are most liked, shared, retweeted and favored, and we built an algorithm that bubbles up the real hot topics. We tweet when a #1 hot security topic comes up.
Here are this week's five most popular hackbusters posts:
Wombat’s "2016 State of the Phish": Attacks, Victims Continue to Rise
Our friends at Wombat released their "2016 State Of The Phish". The report reflects the reality that CISOs, CSOs, and their infosec teams are facing worldwide on a daily basis: phishing and spear phishing attacks are more prevalent — and more dangerous — than ever.
From the report: "Three key data points from the survey show year-over-year increases related to frequency and susceptibility to attacks:
85% of respondents said they were a victim of a phishing attack (up 13% from the prior report)
67% said they experienced a spear phishing attack (a 22% increase)
60% said they believe the rate of phishing attacks has increased overall
So, what are the ramifications of a successful phishing attack? From our perspective, it’s a question of means and ends; attackers have different means of exploiting their access, just as they have different end games — and those end games have different implications for the organizations targeted. When asked about the technical issues that resulted from successful phishing attacks on their organizations, respondents indicated that they faced the following:
42% Malware infections
22% Compromised accounts
4% Loss of data
Looking beyond the technical side of phishing, we also asked respondents to identify the business impacts associated with successful attacks:
44% complained of lost employee productivity
36% faced consequences related to the loss of proprietary information
20% dealt with damage to their reputation
In general, the report shows that more aggressive social engineering practices are making phishing more difficult to prevent. Case in point, 55% of survey respondents reported experiencing voice phishing (vishing) and/or SMS/text phishing (smishing). Given that email-based attacks are often preceded by information gathering efforts like phone calls, social media trolling, and even in-person reconnaissance, it’s clear that cyber security is a many-faceted thing."
This Week's Ransomware Roundup
I was going to write up all the news and then ran across this article by Senior Editor Sara Peters at Darkreading. Saves me some time! She started out with: "Inventive new variants and damaging attacks swept through the headlines this week." She is so right, and covers:
Israeli Electric Authority infected with ransomware
Lincolnshire County Council phished and 300 machines down
CryptoWall 4.0 sends spoofed SalesForce emails with fake invoices
New strain of Android ransomware that poses as a pr0n app
The new stupid and destructive 7ev3n ransomware strain wanting 5 grand
More Than A Quarter Of All Malware, Ever, Was Created Last Year
IT Pro Portal observed: "Here’s an interesting story: more than a quarter of all malware, ever, was created last year. Yes, more than a quarter – 27.63 per cent, to be exact. Those are just some of the figures released by security firm PandaLabs, in its 2015 Annual Report.
There are some other interesting figures in here as well: there were 84 million new malware samples detected by the firm this year, meaning 230,000 new malware samples were produced daily over the course of the year."
End-User Security Awareness First Line Of Data Protection Defense
In a series of video interviews from the 2015 ISSA International Conference in Chicago, SearchCompliance editor Ben Cole discussed modern information security strategy with conference speakers and ISSA members. Here, McCarthy discusses information security best practices and why end-user security awareness is the front line of corporate data protection efforts.
He asked: "How can companies make sure their security policies and processes are staying up to date with modern threats?"
McCarthy: It's really about end-user security awareness type of training programs -- doing the pen testing and the phishing type of attacks, and making them aware. It's sort of deputizing your end users so if they see something coming in to your organization that doesn't look right, they are allowed to raise the red flag and not be chastised for doing that. It may be crying wolf -- but I'd rather have the end user crying wolf a little bit and be much more cognizant of what they are seeing on their email or in their environments, than have them click on something and all of a sudden you have a Trojan Horse that entered your environment, and six months later you have an APT. More: http://searchcompliance.techtarget.com/video/End-user-security-awareness-first-line-of-data-protection-defense
Frank William Abagnale is an American security consultant known for his history as a former confidence trickster, check forger, and impostor between the ages of 15 and 21. Abagnale's life story provided the inspiration for the feature film Catch Me If You Can, starring Leonardo DiCaprio as Abagnale: https://www.youtube.com/watch?v=iJIc16aqpO8