CyberheistNews Vol 6 #41 Scam Of The Week: Insidious New IRS Social Engineering Attack



Stu Sjouwerman

There is a new insidious IRS scam that you need to warn your employees, friends and family about, and inform your HR department to start with.

Seasoned internet criminals are sending bogus emails with attachments, text messages and even snail mail claiming to be from the IRS and using a phony Form CP 2000.

This form is normally mailed by the IRS when income reported by employers does not match the income reported on the taxpayer's income tax return. To further confuse the potential victim, the letter accompanying the phony IRS form indicates that the form relates to the Affordable Care Act.

This scam is being investigated by the Treasury Inspector General for Tax Administration. The real CP 2000 form is a hefty six-pager with instructions about what steps to take whether you agree or disagree with the assessment. At the moment, the crooks are extorting straight cash out of victims, but this may just as well be used as a vehicle for instant malware infections.

I suggest you send the following to your employees, friends and family, and while you are at it, warn them against the Hurricane Matthew charity scams that are cropping up. You're welcome to copy/paste/edit:

"There is an insidious new IRS scam doing the rounds. They send you a phony IRS CP 2000 form and claim the income reported on your tax return does not match the income reported by your employer. This is meant to get you worried. To confuse you further, the bad guys claim this has something to do with the Affordable Care Act.

You might receive emails with attached phony forms, text messages and even live calls to your phone about this! You need to know that the IRS will never initiate contact with you to collect overdue taxes by an email, text message or phone call.

If you get any emails, text messages, old-time snail mail or even live calls about this, do not respond and/or hang up the phone. If you receive a "CP 2000" form in the mail and doubt this is legit, you can always call the IRS at 1-800-366-4484 to confirm it is a scam."

If you want a safe way for employees to report suspicious email to your organization's Incident Response team, download KnowBe4's complimentary Phish Alert Outlook add-in which gives your user a one-click option to send you any suspicious email including full headers.

Did I say there are no costs for this? We will soon have a Gmail version too:
https://info.knowbe4.com/phish-alert-chn

Did You Know That Ransomware Can Stop SQL So It Can Encrypt The Database?

I have been knee-deep in ransomware since September 2013, when the granddaddy of modern ransomware, CryptoLocker, made well over 20 million bucks in a few months. But sometimes I learn something new that surprises even me.

This week, Larry Abrams reported that the latest version of Cerber switches to random extensions (almost wrote "ransom extensions") and ends database processes so that it can access the SQL datastore itself and encrypt that:

"This update also includes the addition of new database processes that are closed by the close_process directive in Cerber's configuration. This directive tells Cerber to terminate certain processes before encryption begins."

These are things like msftesql.exe, sqlagent.exe, sqlservr.exe and many more. Larry commented: "This is not something particularly new, and other ransomware have been doing it for some time." Yikes. Here is the whole article:
http://www.bleepingcomputer.com/news/security/cerber-ransomware-switches-to-a-random-extension-and-ends-database-processes/
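One defender-side check that follows from the close_process behavior above: ransomware stopping sqlservr.exe, sqlagent.exe and msftesql.exe in the same second is a very different signal from a planned restart. This is an added example, not code from the article or from Cerber; it runs over constructed log lines in a simplified layout loosely modeled on Service Control Manager "service stopped" events, and the 02:00-03:00 maintenance window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Database processes the article names as targets of Cerber's close_process
# directive; the detection watches for their services stopping together.
DB_PROCESSES = {"msftesql.exe", "sqlagent.exe", "sqlservr.exe"}

# Constructed sample log lines (not real logs): "timestamp eventid fields",
# with 7036 standing in for a service state-change event.
SAMPLE_LOG = """\
2016-10-11T02:00:03 7036 service=MSSQLSERVER image=sqlservr.exe state=stopped
2016-10-11T02:00:05 7036 service=SQLSERVERAGENT image=sqlagent.exe state=stopped
2016-10-11T02:05:00 7036 service=MSSQLSERVER image=sqlservr.exe state=running
2016-10-11T14:31:07 7036 service=MSSQLSERVER image=sqlservr.exe state=stopped
2016-10-11T14:31:08 7036 service=SQLSERVERAGENT image=sqlagent.exe state=stopped
2016-10-11T14:31:08 7036 service=MSFTESQL image=msftesql.exe state=stopped
2016-10-11T14:31:09 7036 service=Spooler image=spoolsv.exe state=stopped
"""

LINE_RE = re.compile(r"^(\S+) (\d+) service=(\S+) image=(\S+) state=(\S+)")

def parse_stop_events(log_text):
    """Return (timestamp, image) for every stop of a watched database process."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event_id, _service, image, state = m.groups()
        if event_id == "7036" and state == "stopped" and image.lower() in DB_PROCESSES:
            events.append((datetime.fromisoformat(ts), image.lower()))
    return events

def in_maintenance(ts, windows):
    """True if ts falls inside any (start_hour, end_hour) maintenance window."""
    return any(start <= ts.hour < end for start, end in windows)

def detect_db_shutdown_bursts(log_text, window_seconds=60, min_distinct=2,
                              maintenance=((2, 3),)):
    """Alert when >= min_distinct database processes stop within window_seconds
    outside a maintenance window; each burst is reported once."""
    events = sorted(parse_stop_events(log_text))
    alerts, i = [], 0
    while i < len(events):
        first_ts = events[i][0]
        burst = [e for e in events[i:] if e[0] - first_ts <= timedelta(seconds=window_seconds)]
        images = {img for _, img in burst}
        if len(images) >= min_distinct and not in_maintenance(first_ts, maintenance):
            alerts.append({"first_seen": first_ts.isoformat(), "processes": sorted(images)})
            i += len(burst)  # skip the rest of this burst
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for alert in detect_db_shutdown_bursts(SAMPLE_LOG):
        print("possible pre-encryption database shutdown:", alert)
```

The 02:00 stops are suppressed by the maintenance window; the 14:31 burst of three database processes is reported.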

October Is The Time To Kill Old-School Security Awareness Training

CSO ran an excellent article making the case that you need to get rid of old-school awareness training that you do for compliance reasons only.

Frederick Scholl said: "October is National Cyber Security Awareness Month. I am hoping you will join me in a national program to kill cybersecurity awareness training programs. I don’t know who came up with the concept of “security awareness training”, but it has reached the end of its utility and should be replaced with something else.

Is all we want for users to be “aware” of security issues? Don’t we want them to be educated enough to be active parts of the solutions?" Scholl makes the case for a security culture driven by John Kotter's book "Leading Change" using the Star Model from Jay Galbraith.

"This model emphasizes that five processes need to be implemented simultaneously in order to implement change. Obviously you need a security strategy. You also need to assign roles and responsibilities in the security structure. This needs to include the whole organization, not just the office of the CISO.

You need processes, and supporting technology. Galbraith also includes carrots (as well as the implicit sticks) to motivate people. Finally, we have the people process: training and educating all staff to influence employee mind-set and skills around information security.

Awareness training alone will not be enough to facilitate an organizational change. We need to enable our users to learn about security and how to use it in their jobs." Hear hear! More:
http://www.csoonline.com/article/3128211/leadership-management/time-to-kill-security-awareness-training.html

Don’t Miss The October Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us tomorrow, Wednesday, October 12, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

    • NEW Active Directory Integration allows you to easily upload and manage users.
    • NEW Send Simulated Phishing tests to your users during specified business hours and drive down the Phish-prone percentage of employees.
    • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
    • Advanced Features: EZXploit™, an internal, fully automated "human pentest". USB Drive Test™ to test reactions to unknown USBs.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:
https://attendee.gotowebinar.com/register/6651094648067569667

PS: KnowBe4 has been running the HackBusters site for a few years now, providing you with trending IT security news. We are expanding it and have launched a new exciting online community! You are invited to be one of the first to join us at:
https://discuss.hackbusters.com.

The forum is divided into five main topics or categories:

  • Social Engineering
  • Ransomware
  • Phishing
  • Security Awareness Training
  • PowerShell

You are welcome to share your thoughts or opinions and ideas in these forums! We look forward to seeing you on our exciting new online community soon. Again, you are invited to be one of the first to join us at:
https://discuss.hackbusters.com.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Property may be destroyed and money may lose its purchasing power; but, character, health, knowledge and good judgment will always be in demand under all conditions." - Roger Babson, Educator

"Progress always involves risks. You can’t steal second base and keep your foot on first." - Frederick B. Wilcox


Thanks for reading CyberheistNews


Security News
Cylab Researchers Expose How Our Ability To Spot Phishing Is Spotty

Interesting news item from Carnegie Mellon's CyLab. Each year, tens of millions of phishing emails make it to employees' inboxes, not caught by spam filters. Of the ones that make it through, millions slide past your users' judgment and are clicked and opened. A recent study revealed just how likely users are to take the bait.

“Despite the fact that people were generally cautious, their ability to detect phishing emails was poor enough to jeopardize computer systems,” says Casey Canfield, a CyLab researcher from Carnegie Mellon’s Department of Engineering and Public Policy.

In the study, participants on average correctly identified just over half of the phishing emails presented to them. Fortunately, participants displayed a little more caution when it came to their behavior: roughly three-quarters of the phishing links were left unclicked.

Based on the results, the authors of the study suggest interventions such as providing users with feedback on their abilities and emphasizing the consequences of phishing attacks. One effective training method that companies commonly use, Canfield explains, is sending out fake phishing emails and teaching a user about phishing emails if they open the email.

“It seems like those trainings may not always be making people better at telling the difference, but it’s probably making them more cautious,” Canfield says. “Helping people tell the difference may not be as useful as just encouraging them to be more cautious.” We agree. Full article here:
https://www.cylab.cmu.edu/news_events/news/2016/gone-phishin-cylab-researchers-expose-how-our-ability-to-spot-phishing-emails-is-far-from-perfect.html

New Phishing Attachment Payload: Windows Troubleshooting Tool

Matthew Mesa at Proofpoint just published this interesting piece on their blog. On top of exploiting the Windows Troubleshooting Tool, this attack also uses OLE embedded objects to kick off the attack:

"Proofpoint researchers have uncovered a new technique of attachment-based delivery. In the observed campaign, the attackers abuse a feature in Windows called the Windows Troubleshooting Platform (WTP), intended for troubleshooting problems, to social engineer the recipients into executing malware.

This attack is particularly effective since execution of WTP is not accompanied by a security warning and users have been conditioned to run the troubleshooter when it appears in Windows. In this case, though, running the troubleshooter leads to the installation of LatentBot, a well-documented modular bot used for surveillance, information stealing, and remote access."

More at "Looking for Trouble: Windows Troubleshooting Platform Leveraged to Deliver Malware":
https://www.proofpoint.com/us/threat-insight/post/windows-troubleshooting-platform-leveraged-deliver-malware

FTC Enforcement Possible For Failing To Guard Against Ransomware

The Dataprotection Report site wrote something that may be useful ammo if you need more IT Security budget. At the very least this will raise some eyebrows in the C-suite.

"Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack.

"The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action."

If you read the article, the quick conclusion is that Ramirez suggests that failing to patch vulnerabilities exploited by ransomware could result in FTC enforcement before the fact.

The problem with this is that a lot of ransomware relies exclusively on social engineering to get the malcode executed; there *are* no technical controls.

To prevent the FTC coming down like a ton of bricks on your organization, you need to assess the reasonableness of your cybersecurity policies and practices and take actions to remediate any gaps that are identified in the assessment – particularly with respect to ransomware preparedness.

That means new-school security awareness training, which educates employees to make smarter security decisions and keeps them on their toes. Here is the article:
http://www.dataprotectionreport.com/2016/10/ftc-enforcement-possible-for-failing-to-guard-against-ransomware/

And here is a whitepaper that explains the legal principle of "reasonable measures" that any organization is expected to take to prevent lawsuits:
https://info.knowbe4.com/whitepaper-overly-kb4

5,000 Marin Patients’ Medical Data Lost After Ransomware Attack

The Marin Healthcare District and Prima Medical Foundation are notifying more than 5,000 patients that some of their medical data was lost due to a glitch that followed a ransomware attack in August.

Prima Medical Foundation supports the Prima Medical Group, many of whose doctors work closely with Marin General Hospital.

The computer records of Marin Medical Practice Concepts, a Novato company that provides medical billing and electronic medical records services to many Marin physicians, were taken hostage by ransomware on July 26. As a result, some Marin doctors were unable to access their patients’ medical records for more than a week.

There is a twist in this story though. Ransom was paid and files decrypted, but during the restore process one of MMPC’s backup systems failed, causing information to be lost that was collected at the district’s nine medical care centers between July 11, 2016 and July 26, 2016.

I recommend you start using weapons-grade backup solutions that allow for 5-minute snapshots and test your restore function religiously. Here is the whole story:
http://www.marinij.com/article/NO/20160929/NEWS/160929766

OUCH! Newsletter From SANS: Four Steps To Stay Secure

SANS wrote: "We are excited to announce the October issue of OUCH! This month, led by Guest Editor Ryan Johnson, we focus on Four Steps to Staying Secure. Far too often people are overwhelmed with the latest technology or security tips and may get confused. By focusing on just these four basic concepts, people will go a long way to securing themselves, regardless of the technology they are using. As such, we ask you share OUCH! with your family, friends, and coworkers." English Version (PDF)
http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201610_en.pdf
