CyberheistNews Vol 7 #13
Who Were the Two Big US Tech Companies That Lost 100 Million Dollars in CEO Fraud?

In an update on an earlier issue from April 2016, more detail has surfaced about the massive CEO fraud spear phishing attack that tricked two American tech companies into wiring a whopping 100 million dollars to bank accounts controlled by a crafty scammer in Lithuania.

The press was all over this like white on rice, without mentioning that it was initially discovered in April of last year. The big mystery is exactly which two companies fell victim, because the court documents do not reveal the names. Who knows which companies were involved? Let's crowdsource this mystery: if you know for certain, email the information anonymously to feedback@knowbe4.com

I'm quoting a snippet from The Verge here: "According to a recent indictment from the U.S. Department of Justice, a 48-year-old Lithuanian scammer named Evaldas Rimasauskas managed to trick two American technology companies into wiring him 100 million dollars. He was able to perform this feat "by masquerading as a prominent Asian hardware manufacturer," reports The Verge, citing court documents, "and tricking employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries."

From the report:

"What makes this remarkable is not Rimasauskas' particular phishing scam, which sounds rather standard in the grand scheme of wire fraud and cybersecurity exploits. Rather, it's the amount of money he managed to score and the industry from which he stole it. The indictment specifically describes the companies in vague terms.

The first company is "multinational technology company, specializing in internet-related services and products, with headquarters in the United States," the documents read. The second company is a "multinational corporation providing online social media and networking services." Both apparently worked with the same "Asia-based manufacturer of computer hardware," a supplier that the documents indicate was founded some time in the late '80s."

The court documents don't reveal the names of the two companies

The court documents don't reveal the names of the two companies. It's fun to speculate though. Facebook, Apple, Cisco and HP come to mind. Here is the full affidavit at Scribd:
https://www.scribd.com/document/342639731/Rimasauskas-Affidavit

And to think that all this could have been prevented with effective security awareness training! Training your employees to always keep security top of mind is one of the single most effective preventative measures against CEO fraud.

Any kind of email regarding a financial transaction should be looked at closely before any action is taken. Most fraudulent emails like this create a sense of urgency. A simple phone call could be what keeps your company out of the headlines (or you can try to seal the court documents, which will ultimately fail).

Chinese Hackers Use Fake Cellphone Tower to Spread Android Banking Trojan Worm

Check Point Software blogged about Chinese hackers who have taken smishing to the next level, using a rogue cell phone tower to distribute Android banking malware via spoofed SMS messages.

Security researchers at Check Point discovered that Chinese hackers are using fake base transceiver stations (BTS towers) to distribute "Swearing Trojan," an Android banking malware.

Smishing — phishing attacks sent via SMS — is a type of attack where bad guys use spoofing to social engineer mobile users into downloading a malware app onto their smartphones or trick victims into giving out sensitive information. The maximum range of a BTS antenna is between 10 and 22 miles, which confines the attack to a local area; within that area the technique is sophisticated and effective for targeted attacks.

This is the first-ever reported real-world case

This is the first-ever reported real-world case in which the bad guys used BTS — a piece of equipment usually installed on cellular telephone towers — to spread malware.

The phishing SMS, which masquerades as a message from the Chinese telecom service providers China Mobile and China Unicom, contains very convincing text with a link to download a malicious Android APK. Since the Google Play Store is blocked in China, the SMS easily tricks users into installing the APK from an untrusted source.

"Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware," Check Point said in their blog post.

Once installed, the Swearing malware spreads itself by sending automated phishing SMS messages to the victim's contacts.

No Command & Control Servers

Notably, to avoid detection the Swearing trojan doesn't connect to a C&C server but uses SMS or email to send stolen data back to the bad guys. Check Point said: "This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity."

Hackers Get Smarter by the Month Social Engineering Your Users

This is a great example of why you need to constantly train your users and keep them on their toes with security top of mind. Our training module Mobile Device Security explains how users can arm themselves against attacks like this.

Want to check out our great security awareness training content?

It's easy. You can now get access to the ModStore Preview Portal to see our full library of security awareness training content, including 300+ interactive modules, videos, games, posters and newsletters. There is no cost. Get started here:
https://info.knowbe4.com/security-awareness-training-preview-chn

Does DoubleAgent Turn Antivirus Into Malware? We Are Calling BS on That.

It was all over the press. Initially reported by Bleepingcomputer and picked up by sites like Engadget, they all went gaga over a new technique that allows the bad guys to take over your computer by "turning your antivirus into malware." Here is an example snippet:

"Security researchers from Cybellum have discovered another technique cyber criminals can use to take over your computer. The zero-day attack called DoubleAgent exploits Microsoft's Application Verifier tool, which developers use to detect and fix bugs in their apps.

Developers have to load a DLL into their applications to check them, and Cybellum's researchers found that hackers can use the tool to inject their own DLLs instead of the one Microsoft provides.

In fact, the team proved that the technique can be used to hijack anti-virus applications and turn them into malware. The corrupted app can then be used to take control of computers running any version of Windows from XP to the latest release of Windows 10."

And then they tested some AV apps and, sure enough, a bunch of them could be exploited this way, but any app on the machine could be treated the same way. Some AV companies issued patches and said they had fixed the problem. Some news sites even had a video showing how DoubleAgent "can turn an anti-virus app into a ransomware that encrypts files until you pay up." Yeah, sure.

We're Calling BS

What the non-technical press is missing is that you need to make registry changes and have admin access to the machine to begin with, so this whole code injection technique is cute, but nothing to write home about.

The bad guy already owns the machine! This story is only about using Application Verifier in a post-breach situation. The only AV company that stood their ground was Symantec and they said the right thing:

"After investigating this issue we confirmed that this PoC does not exploit a product vulnerability within Norton Security. It is an attempt to bypass an installed security product and would require physical access to the machine and admin privileges to be successful. We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."

Good for you Symantec.
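If you want to check your own Windows hosts for this in a post-breach review, here is an added example; it is not code from the newsletter, from Cybellum or from Microsoft. Application Verifier registers a provider DLL for an image through the VerifierDlls value under that image's Image File Execution Options (IFEO) key and switches it on with the 0x100 bit (FLG_APPLICATION_VERIFIER) in the GlobalFlag value. The script lists every IFEO entry that carries a VerifierDlls value, resolves each named DLL against the system directories (an assumption about where provider DLLs are loaded from) and reports its Authenticode status. On a machine where nobody has deliberately enabled Application Verifier, the list should be empty.

```powershell
# Added example (not from KnowBe4, Cybellum or Microsoft): audit IFEO entries that
# register an Application Verifier provider DLL. Requires read access to HKLM.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumption: verifier provider DLLs are resolved from the system directories.
$dllDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Get-VerifierDllEntries {
    foreach ($root in $ifeoPaths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $image = $_.PSChildName
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'VerifierDlls')) {
                return   # no verifier DLL registered for this image
            }
            $flag = $props.GlobalFlag
            # VerifierDlls is a space-separated list of DLL file names.
            foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
                $found = $dllDirs |
                    ForEach-Object { Join-Path $_ $dll } |
                    Where-Object { Test-Path $_ } |
                    Select-Object -First 1
                $sig = if ($found) { (Get-AuthenticodeSignature -FilePath $found).Status } else { 'DLL not found' }
                [PSCustomObject]@{
                    Image           = $image
                    Hive            = $root
                    VerifierDll     = $dll
                    ResolvedPath    = $found
                    Signature       = $sig
                    # Without the 0x100 bit in GlobalFlag the DLL list is inert.
                    VerifierEnabled = ($null -ne $flag) -and (($flag -band 0x100) -ne 0)
                }
            }
        }
    }
}

Get-VerifierDllEntries | Format-Table -AutoSize
```

Anything listed with VerifierEnabled set to True and a DLL that is unsigned, missing, or not one you deployed deserves the same treatment as any other persistence artifact found on an already compromised machine: the registry write that created it is the event to look for, and it requires administrative rights, which is exactly the point made above.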

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"We make a living by what we get, we make a life by what we give." - Winston Churchill

"Kindness in words creates confidence. Kindness in thinking creates profoundness. Kindness in giving creates love." - Lao Tzu



Thanks for reading CyberheistNews
Security News
Ransomware Is Skyrocketing, but Where Are All the Breach Reports?

More than 4,000 ransomware attacks occur daily, and healthcare is the largest target. However, despite disclosure requirements and the risk that comes with late or absent regulatory notification, the number of reported breaches simply doesn't match up.

I found some interesting data in a new survey done by Healthcare IT News and HIMSS Analytics which showed more than half of hospitals were hit with ransomware from April 2015 to April 2016, but breach reporting to the OCR was practically non-existent.

The Office for Civil Rights (OCR) is an organization within the U.S. Department of Health & Human Services (HHS). Under the Health Insurance Portability and Accountability Act (HIPAA), the OCR can levy significant fines on health care providers and their business associates if personal health information is lost or stolen.

Other industries have similar regulatory organizations, and as ransomware attacks have increased, one would expect OCR breach reporting to have increased more or less concurrently, but only nine (!) organizations reported malware or ransomware breaches to OCR in 2016.

"Because ransomware is so common, hospitals aren't reporting them all," said ICIT Senior Fellow James Scott. "And ransomware is just the start for more specific actors to send in another attack and start mapping the system."

Four Reasons Why Breaches Do Not Get Reported

There are four major reasons hospitals don't report breaches, said ICIT's Scott, and clearly this is not true only for hospitals, but for any organization:
    1. To start, there's a fear of the economic impact and liability resulting from having to admit an organization has put thousands or millions of unsuspecting patients at risk for a lifetime of being exploited by criminals.

    2. Further, many employees, from executives to entry-level personnel don't want to admit to administration or to the IT team they fell for a social engineering scam. As a result, these employees don't report their mistake.

    3. Another major issue is that an investigation can disrupt business operations. Not only that, but investigators "poke holes in examined networks and publicize the vulnerable network that, in all likelihood, is already pulsating with scores of adversaries, who have been exfiltrating data all along," Scott said.

    4. "Negative publicity harms reputation and diminishes deniability, thereby making the victim organization more liable in future cyber-incidents," Scott explained. "Nowadays, if a health sector organization is only hit with ransomware, they can consider themselves lucky and perhaps those are the breaches that we hear about."

You Have 60 Days to Report

The 60-day timer starts the moment a breach is discovered, which is the first day the covered entity knew about the breach. And it applies to all staff within the organization. For example, when someone at the help desk learns about a breach, the timer starts then – even if it takes a week for the incident to be reported to higher staff, according to Erin Whaley, a partner at Troutman Sanders in Richmond, Virginia.

"However, many healthcare organizations remain non-compliant out of calculated non-compliance (the fine is cheaper than the reporting costs and impact) or out of lack of resources (they cannot afford the technical controls, contractors and other needs to investigate incidents to HHS satisfaction)," he added. "Considering that some hospitals are seeing 20 or more ransomware attacks per day, hesitance to report out of fear of reputation loss or lack of resources is not surprising."

Especially interesting if you are in Healthcare IT, but recommended reading if you are required to report data breaches when ransomware infects your network, and excellent ammo for more IT security budget:
http://www.healthcareitnews.com/news/ransomware-rising-where-are-all-breach-reports

Whitepaper Download: Legal Compliance Through Security Awareness Training

This whitepaper from Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP, CRISC, shows you the common threads in compliance laws and regulations.

Did you know that "CIA" means Confidentiality, Integrity, and Availability, and how lawmakers incorporated that language in infosec regulations?

Are you familiar with the concept of Acting “Reasonably” or taking “Appropriate” or “Necessary” measures? Find out how this can keep you from violating compliance laws or regulations. Did you know you are supposed to "scale security measures to reflect the threat"?

We have some examples of the Massachusetts Data Security Law and HIPAA to explain what is required. Download the whitepaper here:
https://info.knowbe4.com/whitepaper-overly-kb4

Vastly Improve Your IT Security in 2 Easy Steps

IT Security Guru Roger Grimes wrote in InfoWorld: "Losing the battle against the bad guys? Keep your software patched and defend against social engineering, and you might start winning a few". And he continued with:

"It’s a rough number, but I’d wager that 99 percent of computer security risk in most organizations can be attributed to two root causes: social engineering and unpatched software.

I’m not talking about pure numbers of successful exploits, but overall impact. Many CISOs and threat intelligence analysts have told me that 100 percent of the biggest events at their company involved social engineering. Certainly, bad things enter your environment through other means, which is why we still need to secure our servers, encrypt our disks, and prevent physical intrusions. But in terms of the biggest impact, most organizations can tie those events to two root causes." Grimes talks about best practices to shore up unpatched software, and then continues with:

Defeat social engineering

"Social engineering comes in all shapes and sizes, from someone calling you on the phone to web or email phishing to trying to get you to reveal a logon credential or run a rogue program (for example, fake tech support). No panacea can prevent all social engineering attempts. But you need to mount a sustained defense.

Start by training users to recognize social engineering attacks. You can create your own educational programs and content or use someone else’s: Internally created content can better address your organization’s specific needs, but it can be poorly done.

Last week, I spoke to a security administrator of a big company who said his co-workers were more likely to click on a phishing email after their training than before. He wasn’t sure what was wrong with their internal training, only that it had a negative correlation and he had the data to prove it.

Luckily, there are lots of fantastic external training companies. My personal favorites are KnowBe4 and PhishMe." Read the article here, excellent data!
http://www.infoworld.com/article/3183125/security/vastly-improve-your-it-security-in-2-easy-steps.html

6 of the Most Effective Social Engineering Techniques

CSO wrote: "Social engineering is the strongest method of attack against the enterprise’s weakest vulnerability, its people. Criminal hackers recognize this fact. In 2015, social engineering became the No. 1 method of attack, according to Proofpoint’s 2016 Human Factor Report.

"These successful social engineering methods often use phishing and malware. But deceptive information assailants have more tools and approaches to draw on than these. That’s why CSO covers six of the most effective social engineering techniques that attackers use both on and off the internet, providing insights into how each one works, what it accomplishes, and the technologies, methods, and policies for detecting and responding to social saboteurs and keeping them at bay."

Read the article and how to mitigate these threats. No surprise that employee training is one of the important things recommended:
http://www.csoonline.com/article/3181737/social-engineering/6-of-the-most-effective-social-engineering-techniques.html

Phishing 101 at the School of Hard Knocks

A recent, massive spike in sophisticated and successful phishing attacks is prompting many universities to speed up timetables for deploying mandatory two-factor authentication (2FA) -- requiring a one-time code in addition to a password -- for access to student and faculty services online. This is the story of one university that accelerated plans to require 2FA after witnessing nearly twice as many phishing victims in the first two-and-a-half months of this year as it saw in all of 2015:
https://krebsonsecurity.com/2017/03/phishing-101-at-the-school-of-hard-knocks/

Short Social Engineering News Roundup

Silicon Valley firm Coupa on March 6 fell victim to a phishing attack that resulted in sensitive details for all of its 2016 employees falling into a fraudster's hands. The company is one of many that have recently been compromised by so-called W-2 attacks, which security experts say can only be reliably prevented by companies continuing to train their employees properly and regularly testing that training:
http://www.bankinfosecurity.com/silicon-valley-firm-coupa-hit-by-w-2-fraudsters-a-9788
---

WASHINGTON — The Internal Revenue Service, state tax agencies and the tax industry today warned both tax professionals and taxpayers of last-minute phishing email scams, especially those requesting last-minute deposit changes for refunds or account updates. As the 2017 tax filing season winds down to the April 18 deadline, tax-related scams of various sorts are at their peak. The IRS urged both tax professionals and taxpayers to be on guard against suspicious activity:
https://www.irs.gov/uac/newsroom/irs-states-and-tax-industry-warn-of-last-minute-email-scams
---

From industry to industry and country to country, phishing has become an epidemic so widespread that it recently prompted the U.S. Secretary of Homeland Security Jeh Johnson to proclaim it a primary threat to national security, saying: “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.”
https://www.infosecurity-magazine.com/opinions/measure-phishing-awareness/
---

More than a year before the February phishing attack that led a San Marcos employee to accidentally leak hundreds of W-2 forms, an assessment identified the city’s lack of cybersecurity training as a vulnerability. The assessment, completed in the fall of 2015 by SHI Security Services, found that the city didn’t have a security awareness training program. The finding was one of a dozen low- and high-risk vulnerabilities listed in a draft version of the report obtained by the American-Statesman and was described as “the easiest to solve”:
http://www.mystatesman.com/news/local/before-phishing-scam-came-along-report-showed-san-marcos-risk/OimsZkAu4qEpbieCjA0enN/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.