CyberheistNews Vol 6 #45 Yes, That Email Is Really From LinkedIn. And, Yes, It's Really Malicious.

Stu Sjouwerman

Several months ago we blogged about a startling discovery by threat researchers at Proofpoint: the bad guys had figured out how to turn PayPal itself into a phishing platform. PayPal's "money request" feature lets senders include a personalized message, and attackers used it to deliver malicious emails through PayPal's own service. Those unwary enough to click the embedded links in those emails were rewarded with the Chthonic banking Trojan.

This week we encountered yet another successful attempt to convert a legitimate online service into a phishing platform. This time it's LinkedIn, now a staple in American business culture.

I'll give you the upshot here, and a link to the much longer blog post with screenshots at the end.

LinkedIn viable platform for launching spear phishing attacks

What is abundantly clear from the Wells Fargo phishes we found is that LinkedIn has become a viable platform for launching spear phishing attacks against users who have been targeted for their connections to a high profile financial institution.

LinkedIn is now valued not only for its wealth of data on potential targets for all manner of scams and targeted phishing attacks, but also for its usefulness in generating emails that leverage LinkedIn's own reputation to bypass the security solutions implemented by organizations worldwide.

Given the restrictions surrounding the use of LinkedIn's messaging features, we doubt that these kinds of leveraged attacks will ever achieve high-volume distribution. But LinkedIn's inherent reputation does lend itself to launching very targeted attacks against lucrative corporate targets.

A credentials phish, as we saw in these two cases, is the most basic of phishing attacks. Having proven LinkedIn's viability as a phishing platform, we expect malicious actors will find creative ways to exploit LinkedIn's data and messaging features to launch still more dangerous and creative attacks against LinkedIn users in the near future. Step your employees through new-school security awareness training.

Blog post with much more background, screenshots and links:

Scam Of The Week: How Employees Help Bad Guys Steal Credentials

At the end of this story is something you can send to your users about the dangers of sharing their lives in social media. It will help you protect your network credentials. Our friends at Malwarebytes wrote in a "partner perspectives" post at DARKReading:

"One of the primary reasons that phishing is so effective is that many email users are not sufficiently skeptical or discriminating about suspicious emails, often because they lack training about how to identify phishing attempts.

"To demonstrate how phishers might use personal information to their advantage, I found someone on Facebook whom I do not know personally but who has an active presence and provides a significant amount of information on his public Facebook page.

"Phishing and spear phishing are serious problems that will get worse in the future, often because victims are not sufficiently trained and because many provide key information to cybercriminals. Organizations must work to raise awareness among their employees or risk the exploitation of sensitive company data." We could not agree more.

So, here is what I suggest you send to your employees. You're welcome to copy/paste/edit:

A security researcher decided to see how hard it would be to create a targeted phishing attack on a total stranger. He went to Facebook, picked a man he did not know personally, and found a wealth of information, including:

  • He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
  • He visited The Brewhouse in Whistler on Sept. 16.
  • The names of at least some of the people he was with on Sept. 13.
  • He visited the 192 Brewing Company on Sept. 12.
  • He visited the Chainline Brewing Company on Sept. 11.
  • He visited American Pacific Mortgage on Sept. 9.
  • He went to a Seattle Seahawks game on Sept. 3.

And based on his Facebook profile, it was clear who he worked for, the city in which he lives, his wife’s name, and lots of other information.

If the security researcher were a bad guy trying to get access to this victim's corporate login credentials, he could easily create an email with the subject line “Problem with your credit card charge at Tapley’s Pub” -- a subject line that would make the victim open the email, given his recent visit there.

Next, in the email, the bad guy could write a short, believable message about a problem in running his credit card and provide a link asking him to verify the charge. That link could be to a site that would automatically download a keystroke logger to his computer, and GAME OVER.

The bad guy can now capture every keystroke of the victim from then on, which would include login credentials and other confidential information.

The moral of this story: do not share all kinds of personal information on social media. This is true from the mail room up to the board room. Shared personal information can come back to you and bite hard.

Think Before You Share.

New Version Of Nymaim Malware Targets High-Level Managers

A new version of the Nymaim malware family targets high-level managers with attached malicious Word documents and drops ransomware and banking Trojans.

More than 90 percent of all phishing emails are now ransomware. The average amount paid via ransomware has grown from 40 dollars in 2009 to 1,000 dollars in 2016. This amount will grow even faster as ransomware moves into the enterprise.

The cyber research team at Verint posted that the new Nymaim version has upgraded its code to keep security tools from locating it and has advanced delivery methods.

The Nymaim family originally surfaced in 2013 and has consistently evaded security teams by morphing its code. It went quiet for a time while its developers created a new version, but over the past six months it has resurfaced stronger than ever, with a 63 percent rise in attacks over 2015.

This most recent version offers brand-new features, particularly new delivery mechanisms, obfuscation strategies, and the use of PowerShell. Its new blacklisting routine observes how the targeted computer communicates with the internet and then checks the query results for the names of popular security products.

What To Do About It

A prevention strategy for this threat would be to blacklist the IPs and URLs contacted by this malware at the firewall and proxy level, so long as your network supports this kind of filtering. Next, have good endpoint protection, along with anti-phishing and web control capabilities, keep it all up to date, and of course step all employees through new-school security awareness training.

Also, NIST just released email security draft guidelines.

The guide, entitled DNS-Based Email Security, examines the Domain Name System Security Extensions (DNSSEC) specifications and DNS-Based Authentication of Named Entities (DANE) protocol.

The guidance discusses ongoing challenges encountered by server-based email security mechanisms, which it notes are vulnerable to attacks through fraudulent or invalid digital certificates, and to security process failures caused by fraudulent servers.

The guide encourages exchange-level encryption solutions, individual encryption, and signing methods. NIST has requested comments from information security pros on the guide. Here it is:

Don’t Miss The November Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, November 9, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

    • NEW Active Directory Integration allows you to easily upload and manage users.
    • NEW Send Simulated Phishing tests to your users during specified business hours and drive down the Phish-prone percentage of employees.
    • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training. There is a new "Controversial/NSFW" category.
    • Advanced Features: EZXploit™, an internal, fully automated "human pentest". USB Drive Test™ to test reactions to unknown USBs.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how thousands of organizations have mobilized their end-users as their first line of defense. Register Now:

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Political language... is designed to make lies sound truthful and murder respectable, and to give an appearance of solidity to pure wind." - George Orwell

"Appearance rules the world." - Friedrich Schiller, Dramatist

Thanks for reading CyberheistNews

Security News

City Of El Paso Victim Of 3 Million Dollar Phishing Scam

During a news conference Wednesday afternoon, city officials revealed that cybercriminals posing as a vendor used a phishing scam to trick the city's Accounts Receivable Department into paying them about 3 million dollars intended for the streetcar project.

Dr. Mark Sutter, the city's chief financial officer, said the first ACH payment to the phony vendor was for about 300,000 dollars and a second payment was for about 2.9 million dollars.

Professor Luc Longpre with UTEP's Computer Science program has been teaching courses on cyber security for more than 20 years now: "As soon as you have some amount of money in some account, and you have a process to be able to spend that money somewhere and somebody cracked your system, then they'll take advantage of that process and take the money, it depends on how much money was in the account," Longpre said.

Sutter said the city has recovered about half of that money. The rest is effectively lost: it was cashed out by the bad guys and is not recoverable.

Sutter also stated they don't think their systems were compromised at all, and added that changing their system isn't necessary because the system wasn't hacked.

Right. A human was hacked with social engineering. This could have been prevented with new-school security awareness training.

Sometimes These Scumbag Miscreants Are Caught And Brought To Justice

Brian Krebs wrote: "Way back in the last millennium when I was a lowly copy aide at The Washington Post, I pitched the Metro Section editor on an idea for a new column: "And the Good News Is..." The editor laughed me out of her office.

But I still think it's a decent idea -- particularly in the context of cybersecurity -- to periodically highlight the good news when people allegedly responsible for spewing so much badness online are made to face justice."

I agree and here is a summary of recent scumbags that were caught!

Ransomware Detections More Than Double On Kaspersky Network

More evidence about the rapid spread of ransomware comes from the latest quarterly IT threat survey from Kaspersky Lab, which said this week that the number of internet users that encountered ransomware more than doubled in the third quarter of this year compared to Q2.

It’s the third quarterly increase in a row, a testament to how much criminals like ransomware for pulling in money, as well as how far behind security awareness training is among users.

The company said more than 821,860 users were hit by the malware among those in the Kaspersky Security Network, which includes customers of its own and of other antivirus service providers. The numbers come from customers that agreed to provide them.

Ransomware continues to be one of the most dangerous threats

“Crypto ransomware continues to be one of the most dangerous threats, both to private users and to businesses,” Fedor Sinitsyn, ransomware expert at Kaspersky Lab said in a statement. “The recent jump in the number of attacked users may have been provoked by the fact that the number of modifications of ransomware we detected in Q3 – more than 32,000 modifications – was 3.5 times more than in Q2.

This may be due to the fact that security companies nowadays invest a lot of resources into being able to detect new samples of ransomware as fast as possible. Criminals must therefore avoid detection by creating more new modifications of their malware.” Read more:

Awareness Training Ranks High In New Cyber Security Report

Key Awareness Findings From the SANS 2016 Survey on Security and Risk in the Financial Sector

What if you could peer into the front lines of the battle against cyber threats in the financial services sector? What role does security awareness play in thwarting attacks? The 2016 SANS Survey on Security and Risk in the Financial Sector highlights the key attack vectors faced by the industry and the controls that are working.

The report surveyed 238 professionals who represent the front lines of IT security in the financial sector. Cybersecurity expert and report author G. Mark Hardy remarked that "the survey serves to educate the IT community about what's working in the defensive battle IT pros find themselves in, and, equally important, what's not working and what could use improvement."

Ransomware on the rise

While the finding that spearphishing and ransomware were the most common types of attacks on financial sector firms might not surprise security awareness professionals, the speed at which ransomware made the top of the list was noteworthy. Ransomware was reported as the top threat facing financial firms.

Commenting on the difference between 2015 data and the 2016 report, Mr. Hardy noted that "in a matter of months, ransomware rose to the top, showing just how fast the ransomware threat is growing." He noted that ransomware was barely on the radar in the 2015 financial services survey. More at the SANS Securing The Human Blog:

90% Of Employees Violate Data Breach Prevention Policies

New research from CEB says that employees pose a bigger threat than hackers even though companies are increasing technology investments to protect against external data breaches.

More data is changing hands and leaving company-controlled networks than ever before. Almost two-thirds of employees report regularly using personal technologies for work, mainly for convenience purposes.

When convenience and productivity are chosen over security, employees put sensitive data at risk, resulting in high costs. Forty-five percent of internal privacy failures are caused by intentional but non-malicious employee actions.

To manage employee behavior that jeopardizes data privacy and mitigate relevant costs, organizations must avoid collecting unnecessary data and build privacy into business workflows to make it easier for employees to comply with requirements.

“Investing in technology to improve security is essential; however, organizations also need to ensure that employees are doing their part to protect sensitive information,” said Brian Lee, data privacy practice leader at CEB.

More at SC Magazine UK:

Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
