CyberheistNews Vol 6 #45
Yes, That Email Is Really From LinkedIn. And, Yes, It's Really Malicious.
Several months ago we blogged about a startling discovery by threat researchers at Proofpoint: the bad guys had figured out a way to turn PayPal itself into a phishing platform, exploiting the "money request" feature in PayPal, which allows senders to include a personalized message, to phish potential victims via malicious emails delivered through PayPal's own service. Those unwary enough to click the embedded links included in those malicious emails were rewarded with the Chthonic banking Trojan.
This week we encountered yet another successful attempt to convert a legitimate online service into a phishing platform. This time it's LinkedIn, now a staple in American business culture.
I'll give you the upshot here, and a link to the much longer blog post with screenshots at the end.
LinkedIn viable platform for launching spear phishing attacks
What is abundantly clear from the Wells Fargo phishes we found is that LinkedIn has become a viable platform for launching spear phishing attacks against users who have been targeted for their connections to a high profile financial institution.
LinkedIn is now valued not only for its wealth of data on potential targets for all manner of scams and targeted phishing attacks but for its usefulness in generating emails that leverage LinkedIn's own reputation to bypass security solutions implemented by organizations worldwide.
Given the restrictions surrounding the use of LinkedIn's messaging features, we doubt that these kinds of leveraged attacks will ever achieve high-volume distribution. But LinkedIn's inherent reputation does lend itself to launching very targeted attacks against lucrative corporate targets.
A credentials phish, as we saw in these two cases, is the most basic of phishing attacks. Having proven LinkedIn's viability as a phishing platform, we expect malicious actors will find creative ways to exploit LinkedIn's data and messaging features to launch still more dangerous and creative attacks against LinkedIn users in the near future. Step your employees through new-school security awareness training.
Blog post with much more background, screenshots and links: https://blog.knowbe4.com/yes-that-email-is-really-from-linkedin.-and-yes-its-really-malicious
Scam Of The Week: How Employees Help Bad Guys Steal Credentials
At the end of this story is something you can send to your users about the dangers of sharing their lives in social media. It will help you protect your network credentials. Our friends at Malwarebytes wrote in a "partner perspectives" post at DARKReading:
"One of the primary reasons that phishing is so effective is that many email users are not sufficiently skeptical or discriminating about suspicious emails, often because they lack training about how to identify phishing attempts.
"To demonstrate how phishers might use personal information to their advantage, I found someone on Facebook whom I do not know personally but has an active presence and provides a significant amount of information on his public Facebook page.
"Phishing and spear phishing are serious problems that will get worse in the future, often because victims are not sufficiently trained and because many provide key information to cybercriminals. Organizations must work to raise awareness among their employees or risk the exploitation of sensitive company data." We could not agree more.
So, here is what I suggest you send to your employees. You're welcome to copy/paste/edit:
A security researcher decided to see how hard it would be to create a targeted phishing attack on a total stranger. He went to Facebook and found a guy he did not know personally and found a wealth of information, including:
- He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
- He visited The Brewhouse in Whistler on Sept. 16.
- The names of at least some of the people he was with on Sept. 13.
- He visited the 192 Brewing Company on Sept. 12.
- He visited the Chainline Brewing Company on Sept. 11.
- He visited American Pacific Mortgage on Sept. 9.
- He went to a Seattle Seahawks game on Sept. 3.
And based on his Facebook profile, it was clear who he worked for, the city in which he lives, his wife’s name, and lots of other information.
If the security researcher was a bad guy trying to get access to this victim's corporate login credentials, he could easily create an email with the subject line “Problem with your credit card charge at Tapley’s Pub” -- a subject line that would make him open the email given his recent visit there.
Next, in the email, the bad guy could write a short, believable message about a problem in running his credit card and provide a link asking him to verify the charge. That link could be to a site that would automatically download a keystroke logger to his computer, and GAME OVER.
The bad guy can now capture every keystroke of the victim from then on, which would include login credentials and other confidential information.
The moral of this story: do not share all kinds of personal information on social media. This is true from the mail room up to the board room. Shared personal information can come back to you and bite hard.
Think Before You Share.
New Version Of Nymaim Malware Targets High-Level Managers
A new version of the Nymaim malware family targets high-level managers with attached malicious Word documents and drops ransomware and banking Trojans.
More than 90 percent of all phishing emails now deliver ransomware. The average amount paid via ransomware has grown from 40 dollars in 2009 to 1,000 dollars in 2016. This amount will grow even faster as ransomware moves to the enterprise.
The cyber research team at Verint posted that the new Nymaim version has upgraded its code to keep security tools from locating it and has advanced delivery methods.
The Nymaim family originally surfaced in 2013 and has consistently evaded security teams by morphing its code. It went quiet for a time while its developers created a new version, but over the past six months it has resurfaced stronger than ever, with a 63 percent rise in attacks over 2015.
This most recent version offers brand-new features, particularly new delivery mechanisms, obfuscation strategies, and the use of PowerShell. The new blacklisting technology observes how a targeted computer communicates with the internet, and then verifies query results for names of popular security defenses.
What To Do About It
A prevention strategy for this threat would be to blacklist the IPs and URLs contacted by this malware at the firewall and proxy-level, so long as your network supports this kind of filtering. Next, have good endpoint protection, along with anti-phishing and web control capabilities, keep it all up-to-date, and of course step all employees through new-school security awareness training.
Also, NIST just released email security draft guidelines.
The guide, entitled DNS-Based Email Security, examines the Domain Name System Security Extensions (DNSSEC) specifications and DNS-Based Authentication of Named Entities (DANE) protocol.
The guidance discusses ongoing challenges encountered by server-based email security mechanisms, which it notes are vulnerable to attacks through fraudulent or invalid digital certificates, and to security process failures caused by fraudulent servers.
The guide encourages exchange-level encryption solutions, individual encryption, and signing methods. NIST has requested comments from information security pros on the guide. Here it is: https://nccoe.nist.gov/sites/default/files/library/sp1800/dns-secure-email-sp1800-6-draft.pdf
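The fraudulent-certificate problem the NIST draft raises is exactly what DANE (RFC 6698) addresses: a TLSA record, signed with DNSSEC, tells a connecting mail server which certificate or public key the receiving server must present, so a certificate that a CA was tricked into issuing no longer passes. The following is an added example, not code from the NIST guide or from KnowBe4. It implements TLSA association matching and the end-entity usages (1 and 3) over constructed stand-in certificate bytes; the record name `_25._tcp.mail.example.test`, the `demo()` function and the `dnssec_validated`/`pkix_valid` flags are assumptions made for illustration, and a real client would obtain the certificate via STARTTLS and the TLSA RRset from a validating resolver.

```python
import hashlib
import hmac

# Added example (not from the NIST draft or KnowBe4). Shows how a DANE TLSA
# record binds an SMTP server's certificate to a DNSSEC-signed DNS answer, so a
# fraudulently issued but otherwise "valid" certificate is rejected.
# All certificate bytes below are constructed stand-ins, not real DER.

# TLSA certificate usages; only the end-entity ones are handled here.
PKIX_EE = 1   # record pins the end-entity cert AND normal PKIX validation must pass
DANE_EE = 3   # record alone is the trust anchor for the end-entity cert

SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1       # SubjectPublicKeyInfo only (survives certificate renewal)

MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


def parse_tlsa_rdata(rdata: str):
    """Parse presentation format '3 1 1 <hex>' into (usage, selector, mtype, assoc bytes)."""
    usage, selector, mtype, hexdata = rdata.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the bytes a TLSA record carries for this certificate under the given selector/matching type."""
    if selector == SELECTOR_FULL_CERT:
        data = cert_der
    elif selector == SELECTOR_SPKI:
        data = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == MATCH_EXACT:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der, spki_der, usage=DANE_EE, selector=SELECTOR_SPKI, mtype=MATCH_SHA256):
    """The record an operator publishes for their own server (the common '3 1 1' form)."""
    return usage, selector, mtype, association_data(cert_der, spki_der, selector, mtype)


def tlsa_matches(record, cert_der, spki_der) -> bool:
    """Constant-time comparison of the presented certificate against one TLSA record."""
    usage, selector, mtype, assoc = record
    expected = association_data(cert_der, spki_der, selector, mtype)
    return hmac.compare_digest(expected, assoc)


def verify_dane_ee(records, cert_der, spki_der, dnssec_validated: bool, pkix_valid: bool) -> bool:
    """Accept the presented certificate only if a DNSSEC-validated TLSA record vouches for it.

    Usage 3 (DANE-EE) needs no CA: the DNS record is the anchor.
    Usage 1 (PKIX-EE) additionally requires the ordinary CA chain to validate.
    Trust-anchor usages (0, 2) need chain building and are not handled here.
    """
    if not dnssec_validated:
        # An unsigned TLSA answer could have been forged; treat it as absent.
        return False
    for rec in records:
        usage = rec[0]
        if usage == DANE_EE and tlsa_matches(rec, cert_der, spki_der):
            return True
        if usage == PKIX_EE and pkix_valid and tlsa_matches(rec, cert_der, spki_der):
            return True
    return False


# Constructed stand-ins for DER-encoded objects (not real certificates or keys).
LEGIT_CERT = b"constructed-der: CN=mail.example.test (legitimate server)"
LEGIT_SPKI = b"constructed-spki: legitimate server public key"
ROGUE_CERT = b"constructed-der: CN=mail.example.test (fraudulently issued)"
ROGUE_SPKI = b"constructed-spki: attacker-controlled public key"

# The record the operator would publish at _25._tcp.mail.example.test (assumed name).
PUBLISHED = [make_tlsa(LEGIT_CERT, LEGIT_SPKI)]


def demo():
    """Returns (legitimate cert accepted, fraudulent cert accepted, unsigned DNS accepted)."""
    ok_legit = verify_dane_ee(PUBLISHED, LEGIT_CERT, LEGIT_SPKI, dnssec_validated=True, pkix_valid=True)
    # A certificate from a misissuing CA passes PKIX but does not match the TLSA record.
    ok_rogue = verify_dane_ee(PUBLISHED, ROGUE_CERT, ROGUE_SPKI, dnssec_validated=True, pkix_valid=True)
    # Without DNSSEC validation the TLSA answer cannot be trusted at all.
    ok_unsigned = verify_dane_ee(PUBLISHED, LEGIT_CERT, LEGIT_SPKI, dnssec_validated=False, pkix_valid=True)
    return ok_legit, ok_rogue, ok_unsigned


if __name__ == "__main__":
    print(demo())
```

The point to take from `verify_dane_ee` is that DANE only adds protection when the resolver actually validated DNSSEC; a client that consults TLSA records from an unvalidated answer gains nothing, which is why the NIST guide treats DNSSEC and DANE together.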
Don’t Miss The November Live Demo: New-School Security Awareness Training
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, November 9, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:
- NEW Active Directory Integration allows you to easily upload and manage users.
- NEW Send Simulated Phishing tests to your users during specified business hours and drive down the Phish-prone percentage of employees.
- Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training. There is a new "Controversial/NSFW" category.
- Advanced Features: EZXploit™ an internal, fully automated "human pentest". USB Drive Test™ to test reactions to unknown USBs.
- Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now: https://attendee.gotowebinar.com/register/6712523263900180737
Warm Regards, Stu Sjouwerman