CyberheistNews Vol 6 #48 Scam Of The Week - Fake News: A Content-Based Social Engineering Attack



Stu Sjouwerman

Facebook, Google, and Twitter have recently been facing scrutiny for promoting fake news stories. Depending on your sources and who you believe, fake news played and is still playing a role in the 2016 presidential election.

However, fake news is misused in a number of ways, especially in an election season, and we have seen plenty of examples in the last few weeks:

  • Propaganda, trying to influence opinion
  • Direct attacks on a political opponent
  • Stock manipulation scams
  • Shock people into clicking and infect their machine with malware (celebrity deaths)
  • Sell advertising

Fake news and its malicious cousin "malvertising" are among the hardest-to-spot social engineering attacks facing employees of non-profits and for-profits alike.

“Fake news” can originate practically anywhere on the internet through tweets, posts, digital images, video, and/or so-called "citizen journalist" sites where people can directly publish their content without fact-checking or any other kind of content-curation. And then there are the sites pretending to be legit news organizations but dedicated to only fake news. Here are a few examples:

  • Bipartisan Report
  • PoliticusUSA
  • USUncut
  • The Freethought Project
  • Politicalo / Newslo
  • DailyNewsBin
  • American News X
  • The Other 98%

This type of site is the most damaging. Its content is not monitored, curated or fact-checked, and it can create a raft of problems both for the people who fall for that type of social engineering and for the enterprise being targeted. A recent example is FitBit, whose stock jumped and then crashed because of a fake news stock manipulation scheme.

In another variation of a fake news attack, scammers launch stories announcing the untimely death or injury of a key corporate executive or celebrity. A big one on the enterprise side was in 2009, when the CNN iReport site posted news that AT&T CEO Randall Stephenson was "found dead in his multimillion dollar beachfront mansion" under questionable circumstances. Recent fake news that Brad Pitt had committed suicide is fresh in memory.

In cases like stock scams, trading in the shares is halted quickly, but by then the damage to the attacked company and its key partners and suppliers is done, and the bad guys have pocketed their ill-gotten gains. Fake news about M&A activity, clinical trials, product announcements, plant closings, earnings, executive appointments, product delays, partnerships or headcount reductions might take only minutes to debunk, but can impact revenues, operations and business reputations for weeks.

Realistically, the only team in any organization that can deal with this type of attack is the security department, but few organizations actively monitor for and defend against false news. It's a good idea to conduct an external threat audit across all threat sources: not just social networks, blog sites, wikis, discussion forums and video sites, but also mobile app stores, online marketplaces and domains. Organizations like BrandProtect and PhishLabs are a good place to start for a quote.

What To Do About It

How do you train your employees about this risk? It's one of the most pernicious social engineering attacks out there. Here is some suggested copy you can cut / paste / edit and send to your employees, friends, and family:

"Facebook, Google, and Twitter have recently been accused of promoting fake news stories. Depending on your sources and who you believe, fake news played a role in the 2016 presidential election. However, fake news is misused in a number of ways:

  • Propaganda, trying to influence opinion
  • Direct attacks on a political opponent
  • Stock manipulation scams
  • Shock people into clicking and infect their machine with malware (celebrity deaths)
  • Sell advertising

So, how do you protect yourself against this type of scam? The very first thing you need to do with any kind of internet message you see is this: CONSIDER THE SOURCE. Meaning you ask yourself the following questions: Where did this come from? Who wrote it? What is their agenda?

There are a large number of false, misleading, clickbait, and/or satirical “news” sources you need to watch out for. Here are 8 Tips to analyze news sources and make sure you do not fall for their scams:

    1. Avoid websites that end in “lo”, for example Newslo. These sites take pieces of accurate information and then package that information with other false or misleading “facts”.

    2. Watch out for websites that end in “.com.co” as they are often fake versions of real news sources, and strange or unusual domain names are a big red flag.

    3. If other known and reputable news sites are not also reporting on the story, that is a red flag.

    4. If it is an anonymous story and there is no known / trusted author, it's suspect.

    5. Some news organizations let bloggers post under their banner, but many of these posts are opinion, not fact; make sure you note the difference. (Examples: BuzzFeed, Forbes blogs.)

    6. If you are in doubt because of bad design or grammar/spelling, check their “About Us” tab or look them up on Snopes for verification of that source.

    7. If the story makes you upset or angry, it’s a good idea to keep reading about the topic using other sources to make sure the author wasn’t doing that on purpose (with potentially misleading or false information) to generate shares and ad revenue.

    8. It’s always best to read multiple sources of information to get a variety of viewpoints and perspectives, which allows you to spot bias in reporting and confirm information with other sources before you decide to take action.

To summarize, consider the source, double check if the data is correct using other reliable sources, and especially with "fake news"... Think Before You Click!"
URL to blog with links:
https://blog.knowbe4.com/scam-of-the-week-fake-news-a-content-based-social-engineering-attack

Let's stay safe out there.

Warm regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

New York: "Homeland Security Chief Cites Phishing As Top Hacking Threat"

Fortune Magazine hit the nail on the head by pointing out the correct top hacking threat: email.

Fortune said: "Why are people still such suckers for phishing? At a security event in New York this week, top law enforcement officials shared their concerns and, to my surprise, their biggest preoccupation was plain old e-mail.

“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear phishing,” Homeland Security Secretary Jeh Johnson told the crowd, referring to malicious emails that appear to come from a credible source.

“Phishing—mundane as it is—is the biggest threat we face and need to tackle,” said Vance (Manhattan District Attorney Cyrus Vance), who added that, after terrorism, cyber-security is New York’s top priority.

Excellent ammo to send to your C-level execs and ask for budget:
http://fortune.com/2016/11/20/jeh-johnson-phishing/

Don’t Miss The December Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, December 7, 2016, at 2:00 p.m. (EST) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

    • NEW Active Directory Integration allows you to easily upload and manage users.
    • NEW Send Simulated Phishing tests to your users during specified business hours and drive down the Phish-prone percentage of employees.
    • Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
    • Advanced Features: EZXploit™ an internal, fully automated "human pentest”. USB Drive Test™ to test reactions to unknown USBs.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how thousands of organizations have mobilized their end-users as their first line of defense.

Register Now: https://attendee.gotowebinar.com/register/1297472477949589251

10 Ways To Avoid Holiday Scams

It's also a very good idea when the biggest cybercriminal hacking holiday of the year is upon us, to remind your users about the red flags they need to watch out for, either online or in brick-and-mortar stores. Here is a blog post you can send over to all of them, with Hints & Tips, a new graphic and short video, and the Social Engineering Red Flags PDF you can print out and give to friends, family and to employees to pin on their wall.

Remember that the price of freedom is constant alertness and constant willingness to fight back:
https://blog.knowbe4.com/10-ways-to-avoid-holiday-scams

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"Attitude is a little thing that makes a big difference."
- Winston Churchill - UK Prime Minister

"The world is more malleable than you think and it’s waiting for you to hammer it into shape."- Bono


Thanks for reading CyberheistNews


Security News
Does Security Awareness Training Need A New, Stronger Name?

Dan Lohrmann at CSO brought up a good point: "During the 2016 National Cyber Security Awareness Month in October, Frederick Scholl wrote an intriguing article for CSO Magazine entitled, “Time to kill security awareness training.”

Many people expressed the view that the headline was a shocker. Some security pros who commented on the article directly, or expressed their views on social media sites like LinkedIn, responded with strong push-back and a combined feeling of disbelief. Words like, “It’s not time to kill security awareness training. It’s time to kill Stupid Security Awareness Training.”

To summarize these reader sentiments in a few words: "You’re going in the wrong direction."

Security awareness training can help change the security culture through ongoing attention on relevant topics like social engineering. Nevertheless, stale, old, awareness material certainly doesn’t help and too many programs keep doing the same thing and expect a different result."

We could not agree more and this article is great ammo to get more budget for new-school security awareness training:
http://www.csoonline.com/article/3143215/security-awareness/does-security-awareness-training-need-a-new-stronger-name.html?

Welcome To The 11th Gibbs Golden Turkey Awards

Network World Columnist Mark Gibbs put together this hilarious and at the same time sad Top 10 of horrible IT security failures. Enjoy and shiver:

"Welcome, once again, to the Gibbs Golden Turkey Awards. It’s been a few years since our last effort to point the digit of disdain at those individuals, companies or entities that don't, won't or can't come to grips with reality, maturity, ethical behavior and/or social responsibility because of their blindness, self-imposed ignorance, thinly veiled political agenda, rapaciousness and greed, or their blatant desire to return us to the Dark Ages. Or all of those sins combined. But that lapse aside, with loins girded anew with cheap girders, we undertake again the traditional annual roasting of those who deserve a damn good basting. Without further ado, here in reverse order, are the top 10 Golden Turkeys for 2016"

Have fun with these!
http://www.networkworld.com/article/3141576/security/welcome-to-the-11th-gibbs-golden-turkey-awards.html?

4 Strategies For Foiling Phishing Attacks

Charles Cooper at CSO said: "Between October 2015 and March 2016, phishing attacks surged by a record-breaking 250% to more than 289,000 incidents, the highest number since the Anti-Phishing Working Group, a coalition of government and industry organizations, began keeping count on phishing in 2004.

As discussed in the AT&T Cybersecurity Insights report, there’s reason for its growing popularity: Phishing is also a profitable business. A recent FBI report estimates that phishing attacks featured in so-called business email compromises have netted their authors more than 3 billion dollars in the last year and a half.

But what’s frustrating for CSOs and other security executives is that phishing scams are entirely preventable — at least in theory. In practice, however, nothing’s that easy — in large part because employees continue to be the perennial weak link in network defenses.

Attackers send emails that purport to represent legitimate organizations when, in fact, they contain links or attachments that install malware that lets intruders into the network.

Sometimes the phishing attack appears to come from a trusted source, where the perpetrators include personal or company details that they’ve stolen from other compromised computers to lend an air of authenticity to the scam. And some phishing emails even automatically execute hidden code as soon as the email gets opened.

Just Say No

Organizations can throw more technology at the problem but some phishing emails will still evade the filters. Despite repeated warnings, employees continue to open email attachments or click on links from unfamiliar sources. Here are four strategies for securing organizations against phishing attacks:" More:
http://www.csoonline.com/article/3143120/techology-business/4-strategies-for-foiling-phishing-attacks.html

Google.com And ɢoogle.com Aren’t The Same Thing, And That’s Scary As Hell

As Analytics Edge points out, international characters are slowly creeping into domain names, in an attempt to allow folks to create URLs in their native language. Some enterprising cyber crooks, however, are using the feature for bad instead of good.

Vitaly Popov is a notorious Russian spammer who has for years been using this technique to send fake traffic to sites; he calls his sketchy redirects “creative marketing.”

So how did he pull off a fake Google? Look closely and the leading “G” in the web address looks a little odd. That is because it is not the standard letter G but the character U+0262, “Latin Letter Small Capital G” (ɢ), which renders almost identically in many fonts.
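As an added example (not from the BGR article or this newsletter), here is a small Python checker for lookalike domains. It covers the homoglyph trick above and the “.com.co”-style suffix trick from tip 2 in the employee copy earlier in this issue: it returns the punycode (xn--) form a resolver actually sees, names every non-ASCII character, folds the name to the ASCII string a human perceives, and compares that against a list of brands you want to protect. The CONFUSABLES map is a hand-picked subset assumed for illustration; a real deployment would load the full Unicode confusables.txt. The sample domains in the __main__ block are constructed.

```python
import unicodedata
from typing import List, Optional, Tuple

# Hand-picked subset of Unicode confusables (assumption: a real deployment
# would load the full confusables.txt from unicode.org instead). Each entry
# maps a lookalike code point to the ASCII letter a reader perceives.
CONFUSABLES = {
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G (the fake-Google case)
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
}


def to_punycode(domain: str) -> str:
    """Return the ASCII form (IDNA 2003 via Python's idna codec) that resolvers,
    certificate SANs and most logs record; an xn-- label is the giveaway."""
    return domain.encode("idna").decode("ascii")


def non_ascii_chars(domain: str) -> List[Tuple[str, str, str]]:
    """List every non-ASCII code point with its U+ number and Unicode name,
    so an analyst can see which character was swapped in."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in domain if ord(ch) > 0x7F]


def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII string a human would read (a simplified
    version of the UTS #39 'skeleton' idea, using the CONFUSABLES map)."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def lookalike_match(domain: str, protected: List[str]) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when `domain` imitates one of `protected`, else None.

    reason is 'homoglyph' when the folded spelling equals the brand exactly,
    or 'brand-prefix' when the brand is only the leading part of a longer
    name whose real registered domain is something else (abcnews.com.co,
    google.com-login.net). A brand at the END of the name (mail.google.com)
    is a legitimate subdomain and is not flagged."""
    sk = skeleton(domain)
    for brand in protected:
        b = brand.lower()
        if sk == b:
            if domain.lower() == b:
                continue                    # it really is the brand
            return (brand, "homoglyph")
        if sk.startswith(b + ".") or sk.startswith(b + "-"):
            return (brand, "brand-prefix")
    return None


if __name__ == "__main__":
    # Constructed sample input: one real brand, one homoglyph, one suffix trick,
    # one legitimate subdomain.
    brands = ["google.com", "abcnews.com"]
    for d in ["google.com", "\u0262oogle.com", "abcnews.com.co", "mail.google.com"]:
        print(d, to_punycode(d), non_ascii_chars(d), lookalike_match(d, brands))
```

Run stand-alone, the script prints one line per sample: ɢoogle.com encodes to xn--oogle-wmc.com, folds to google.com and is flagged as a homoglyph, abcnews.com.co is flagged as a brand prefix, and mail.google.com is left alone because the brand sits at the end where a legitimate subdomain puts it. The same skeleton() and lookalike_match() functions can be run over proxy logs, certificate transparency feeds or newly registered domain lists to surface impersonations before users click.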

Something *else* we need to watch out for... More:
http://bgr.com/2016/11/21/fake-google-vitaly-popov-scam-spam/

The Top Five Names In Cybersecurity

Looking for the top names in cybersecurity? Look no further than the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies:
http://www.cybersecurity500.com

The Q4 2016 edition was just published by Cybersecurity Ventures. Going down the list, we take a look at the top five names from a branding and marketing perspective.

Criteria for the top five:

  • The name is easy to say, easy to type, and easy to tell others
  • The name is memorable
  • The name is short, and relevant to what the company does (in this case, cybersecurity)
  • The name doubles as a domain name, with a dot com (.com) at the end

Check out name #3!
http://www.informationsecuritybuzz.com/articles/top-five-names-cybersecurity/

The FBI Hacked Over 8,000 Computers In 120 Countries Based On One Warrant

In January, Motherboard reported on the FBI's “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually an order of magnitude larger.

In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case.

The figures illustrate the largest ever known law enforcement hacking campaign to date, and starkly demonstrate what the future of policing crime on the dark web may look like. This news comes as the US is preparing to usher in changes that would allow magistrate judges to authorize the mass hacking of computers, wherever in the world they may be located.

“We have never, in our nation's history as far as I can tell, seen a warrant so utterly sweeping,” federal public defender Colin Fieman said in a hearing at the end of October, according to the transcript. Fieman is representing several defendants in affected cases. Full story at Motherboard:
http://motherboard.vice.com/read/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant


Cyberheist 'FAVE' LINKS:
This Week's Links We Like, Tips, Hints And Fun Stuff
    • Here is an inspirational moment that shows anything is possible with intention and determination. It's less than 3 minutes. Watch the beginning, but the real fun starts about 1:10 in:
      https://www.youtube.com/watch?v=xjejTQdK5OI




