[ALERT] Ransomware Criminals Infect Thousands With Weird WordPress Hack
You are getting this issue on Monday instead of Tuesday because this alert is time-critical.
An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end-users. Antivirus is not catching this yet.
In the last few days, malware researchers from Malwarebytes and other security firms have reported that a massive number of legit WordPress sites have somehow been compromised and are silently redirecting visitors to sites with the Nuclear Exploit Kit. It's not yet clear how the WordPress sites are getting infected, but it is highly likely that there is a new vulnerability that is being exploited in either WP or a very popular WP plugin.
"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."
5 Things To Do If You Run WordPress:
Patch server operating systems.
Get rid of as many WP plugins as possible and patch the current ones.
Update all your WP instances at the same time to prevent cross-infections.
Lock down all WP instances with a very strong password and the WP 2-factor authentication.
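Updating every instance at the same time first requires knowing where they all are and which core version each one runs. The following script is an added example, not code from the newsletter or from KnowBe4: it walks a web root, reads each install's wp-includes/version.php, and reports the installs that lag the core version you are rolling out. The directory tree and version numbers it builds for demonstration are constructed sample data.

```python
"""Inventory WordPress installs under a root and flag those that lag the
target core version, so every instance can be updated in one pass."""
import os
import re
import tempfile

# wp-includes/version.php contains a line such as: $wp_version = '4.4.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(text):
    """Return the core version string found in version.php, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(ver):
    """Turn '4.4.1' into (4, 4, 1) for comparison; pre-release suffixes count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", ver))


def find_installs(root):
    """Yield (install_dir, version) for every WordPress install under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as f:
                yield os.path.dirname(dirpath), parse_wp_version(f.read())


def outdated_installs(root, target):
    """Return install dirs (relative to root) older than target or of unknown version."""
    stale = []
    for install, ver in find_installs(root):
        if ver is None or version_key(ver) < version_key(target):
            stale.append(os.path.relpath(install, root))
    return sorted(stale)


def build_sample_tree():
    """Constructed sample data: three installs at made-up versions in a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-inventory-")
    for site, ver in (("site-a", "4.4.1"), ("site-b", "4.3.2"), ("site-c", "4.4")):
        inc = os.path.join(root, site, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as f:
            f.write("<?php\n$wp_version = '%s';\n" % ver)
    return root


if __name__ == "__main__":
    print("needs update:", outdated_installs(build_sample_tree(), "4.4.1"))
```

Point it at the directory that holds all your sites and feed the resulting list to your update process; an install whose version cannot be read is reported as stale on purpose, since an unreadable version.php is itself worth a look.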
5 Things To Do To Protect Your End-Users:
Keep workstation operating systems and 3rd party apps updated at all times.
Back up your data and keep daily off-site backups. Regularly TEST, TEST, TEST that your restore procedure actually works; this step is often overlooked.
Provide end-users with the 64-bit version of Google Chrome if possible.
Run the latest V5.5 of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) on workstations.
Step all users through effective security awareness training.
KnowBe4 used to run on WordPress, but we have moved away because of these types of security issues. I'm inviting you to check out our brand new website (and you are invited for a game).
We hid an Easter Egg and the first 20 people that email me with their snail mail address and the correct URL where the Easter Egg is, get a 20 dollar Starbucks Giftcard. Check out the new site: https://www.knowbe4.com/
Last but not least, we have a super popular whitepaper called the "Ransomware Hostage Rescue Manual". Get the most complete ransomware manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware. Download your 20-page rescue manual now! (PDF): https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
Don't Miss The February Live Demo: New School Security Awareness Training
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, February 10 at 2:00 p.m. (EST) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform and see how easy it is to train and phish your users:
Send Simulated Phishing tests to your users and get your Phish-prone percentage.
Roll out Training Campaigns for all users (or groups) with follow-up emails to “nudge” users who are incomplete on the training.
Point-of-failure training auto-enrollment.
NEW Phish Alert Button for Outlook so employees can report phishing attacks.
NEW Advanced Reporting to watch your Phish-prone percentage drop, with great ROI.
"Science cannot solve the ultimate mystery of nature. And that is because, in the last analysis, we ourselves are a part of the mystery that we are trying to solve." - Max Planck - Physicist (1858 - 1947)
"You don't have a soul. You are a Soul. You have a body." - C.S. Lewis
Thanks for reading CyberheistNews
Survey: Average Successful Hack Nets Less Than 15,000 Dollars
Finally, some real numbers about hackers and how much (or little) money they make.
CSO said: "The majority of cyber attackers are motivated by money, but make less than 15,000 dollars per successful attack, according to a survey of hackers in the U.S., U.K. and Germany released yesterday by the Ponemon Institute.
The hackers, who were promised anonymity, netted, on average, less than 29,000 dollars a year. "In the more established countries, that is not a lot of money," said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study. "They're making a quarter of what a cybersecurity professional makes."
Seven Security Cultures That Can Help Or Hurt Your Organization
This is a great article by Lance Hayden who asks if you know where your security culture is, because some cultures make the job easier than others.
He wrote: "It hasn't been that long since my book People-Centric Security hit the shelves, but I'm already hearing "the question" pop up in my conversations. "What's the best security culture?"
There's no one answer. "Good" culture depends on what an organization hopes to achieve. But since most security programs follow a first principle of preventing breaches, I can offer some example cultures that are more or less suited ("good" or "bad" approaches) to meeting that goal.
These lists are not ranked, nor are cultures mutually exclusive. No organization has a single culture, and good ones may coexist with bad ones. What is clear is that some cultures are going to make security program success easier, and some not so much.
We asked a law firm if they were happy campers and they answered us back with this. It has some very good best practices about dealing with malicious emails so I am sharing this with you:
"Yes, we have been using it and are running campaigns this week. It is keeping our staff on their toes. We had a representative come by from our Professional Liability Insurance Carrier to discuss Cyber Security. He was amazed and very pleased that we were as up to date as we are. His stories scared the "c..p" out of the staff.
"Since we are a law firm, we are constantly sending and receiving attachments and links. Our staff has been trained to question everything. We currently have a policy that any attachments coming in via e-mail or CD or memory stick must first be opened on a non-network computer. We have various wireless machines around the office for this purpose. We would rather risk a standalone system than a production machine when opening things that might be legitimate.
"Anything that is received with a link or attachment in our office is forwarded to an e-mail account which is available on non-production network stand-alone computers using our wireless system. They can open legitimate e-mails there to reduce the chance of damage by clicking on a real "bad guy". Web browsing on our production network system has come to a halt and is only allowed on the wireless system devices.
"We use a court filing system called Eflex which is maintained by the court. We spoofed an email using the court's Eflex information and logo to request that they change their passwords with an embedded (Click Here) link, due to a recent cyber attack on their Eflex system. No one clicked on this attack, and most sent it to suspect@ourdomain.
"At first the staff resented the fact that a trusted IT person, "ME", had spoofed them by sending an IT password change request with KnowBe4 links; 25+% clicked on it. We later had a serious meeting to discuss the threats, which the entire staff are now taking a lot more seriously after seeing the training videos. Now they seem to enjoy catching "bad guys".
"They have caught various real attacks using their new skills! We also know of more than one law firm in our area that has been attacked with Ransomware and lost data, time and credibility. With your software, we have used spear phishing attacks using our current cases. The attacks are generated solely from information that is readily available on the web.
"We will continue random phishing to keep everyone aware of the threats." - LM, IT Support
Man Turns Tables On Scammers [FUN]
Seth was weary of the calls from bogus Windows support technicians, and decided to, if not get even, at least give them a taste of their own medicine.
"I was really tired [of the calls], and I really hate computer scammers," said Seth, whose last name Computerworld withheld for privacy reasons. "I got fed up."
Like millions of others, Seth had been on the receiving end of phone calls from scammers who rang up, told him that they were with "Microsoft support" or "Windows support," and then proceeded to claim that they had detected malware on his machine.