CyberheistNews Vol 7 #14 Scam of the Week: The Evil Airline Phishing Attack

Our friends at Barracuda run their Email Threat Scanner over hundreds of thousands of customer mailboxes and discovered a highly effective phishing attack that tricks a whopping 90% of the victims. You need to tell your users about this right away.

This evil airline phishing attack combines all "criminal best-practices" to steal credentials and drop malware on disk which is used to then further hack into your network.

The campaign targets companies that deal with frequent shipping of goods or employee travel, for instance logistics, shipping, or manufacturing, but almost any organization has people that frequently visit customers or business partners.

The phishing attack targets these employees, and the attackers do quite a bit of research before sending the phishing emails. The messages are constructed with subject lines and bodies that include destinations, airlines, and other details that are specific to each victim, helping them appear authentic. Here is an example subject line:

Fwd: United Airlines: Confirmation – Flight to Tokyo – 3,543.30 Dollars

“After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document,” Asaf Cidon, vice president of content security services at Barracuda, said in a post explaining the attacks.

To start with, send this to all employees, no matter if they travel or not. You're welcome to copy/paste/edit:

"There is a new spin on an existing phishing scam you need to be aware of. Bad guys are doing research on you personally using social media and find out where and when you (might) travel for business. Next, they craft an email especially for you with an airline reservation or receipt that looks just like the real thing, sent with a spoofed "From" email address that also looks legit.

"Sometimes, they even have links in this email that go to a website that looks identical to the real airline, but it is fake. They try to do two things: 1) try to steal your company username and password, and 2) try to trick you into opening the attachment which could be a PDF or DOCX. If you click on the link or open the attachment, your workstation will possibly get infected with malware that allows the bad guys to hack into our network.

"Remember, if you want to check any airline reservations or flight status, open your browser and type the website name in the address bar or use a bookmark that you yourself set earlier. Do not click on links in emails to go to websites. And as always.... Think before You Click!"

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman

Sometimes All It Takes Is an Old-Fashioned Spoofed Email Address

CEO fraud, aka Business Email Compromise (BEC), is skyrocketing. Proofpoint recently conducted research into these types of attacks across more than 5,000 enterprise customers. Their research shows a clear acceleration in attack sophistication and volume.

CEO fraud attacks are spoofed emails that have no malware and bypass security layers which would detect and block malicious payloads - including URLs and attachments - and trick people into sending money or other critical information like W-2 tax forms to the cybercriminal. CEO fraud looks no different than any legitimate business email communication and attackers are successfully targeting the people within organizations by constantly shifting their tactics.

Here's what Proofpoint's global threat intelligence team uncovered (note they call them BEC attacks):

Fraudsters are Targeting Organizations of All Sizes

"With the rise of impostor email attacks, most organizations will find themselves in the crosshairs of a BEC attack. BEC attacks increased by 45% during the last three months of 2016 compared to the prior three months, and 75% of Proofpoint customers experienced at least one attempted attack during that time.

These targeted threats are directed at companies of all sizes and in all geographic locations. And while no industry is immune, manufacturing, retail, and technology organizations are generally targeted more frequently as cybercriminals look to take advantage of complex supply chains and SaaS infrastructures that are commonly leveraged in these industries.

Exploiting the Right People

"Through social engineering, fraudsters can identify and target specific individuals based on the information or funds they’re looking to steal. Initially, BEC attackers simply spoofed the CEO-to-CFO relationship, but there has been a clear shift to target victims deeper within organizations.

Criminals are impersonating CEOs and other executives to trick various employee groups such as accounts payable for wire transfer fraud, human resources for confidential information, and engineering for intellectual property.

And with 70% of BEC message subject line families including terms such as "urgent, payment, and request,” people are being tricked into these scams through a false sense of urgency."

Impostor Email Techniques: Domain Spoofing Soars

Domain spoofing makes up nearly two-thirds of all BEC attacks and is the most common form of impostor email. These threats make it look like the message is coming from a trusted email domain, when in fact it's not. Dialogues may then be continued via a reply-to redirect. Display name spoofing is also prevalent, about 37% of these attacks, and changes the visual cue of the "header from" line within the message. This tricks people into thinking the email is from a legitimate sender.

Lookalike domain spoofing (changing out numbers and letters within the domain name to mimic a legitimate domain) and business partner spoofing (spoofing trusted partners’ domains) are also common forms of BEC attacks.
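As an added example (not from the newsletter or from Proofpoint), here is a small Python header check that flags the impostor techniques just described: reply-to redirect, display name spoofing, lookalike domains, and exact-domain spoofing as reported by the gateway's SPF/DMARC verdict, plus the urgency wording in the subject line. The trusted-domain list, the swap table and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed (constructed) list of the organisation's own and trusted partner domains.
TRUSTED_DOMAINS = {"example.com", "partner-example.net"}
# Letter/number swaps that lookalike domains commonly rely on (assumed table).
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain):
    # Fold the common swaps so a lookalike collapses onto the domain it mimics.
    d = domain.lower()
    for bad, good in SWAPS:
        d = d.replace(bad, good)
    return d

NORMALIZED_TRUSTED = {normalize(d) for d in TRUSTED_DOMAINS}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impostor_indicators(raw_message):
    # Return the BEC indicators found in the headers of a raw RFC 822 message.
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    auth = msg.get("Authentication-Results", "").lower()
    flags = []
    # Display name spoofing: the visible name carries an address from a different domain.
    if "@" in name and domain_of(name) != from_dom:
        flags.append("display-name-spoof")
    # Reply-to redirect: any reply leaves the apparent sending domain.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-redirect")
    # Lookalike domain: not trusted as written, but trusted once the swaps are folded.
    if from_dom not in TRUSTED_DOMAINS and normalize(from_dom) in NORMALIZED_TRUSTED:
        flags.append("lookalike-domain")
    # Exact domain spoofing only shows in the gateway's SPF/DMARC verdict (RFC 7601 header).
    if from_dom in TRUSTED_DOMAINS and ("spf=fail" in auth or "dmarc=fail" in auth):
        flags.append("domain-spoof")
    # Urgency wording, the trait Proofpoint reports in 70% of BEC subject lines.
    if any(t in msg.get("Subject", "").lower() for t in ("urgent", "payment", "request")):
        flags.append("urgent-subject")
    return flags

# Constructed sample messages, not real captures.
LOOKALIKE = 'From: "Jane Doe, CEO" <jane.doe@examp1e.com>\nSubject: Urgent wire request\n\nProcess today.\n'
SPOOFED = ("Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com\nFrom: Jane Doe "
           "<jane.doe@example.com>\nReply-To: jane.doe@attacker-example.net\nSubject: Payment\n\nInvoice.\n")
```

Calling `impostor_indicators(LOOKALIKE)` returns `['lookalike-domain', 'urgent-subject']`, and the spoofed sample yields `['reply-to-redirect', 'domain-spoof', 'urgent-subject']`.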

Proofpoint states that they have excellent protection against this, and we believe them. Nothing is perfect though, and you need to step all employees through new-school security awareness training in any case. Here is Proofpoint's InfoGraphic:

No-Charge Domain Spoof Test

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they can, penetrating your network is like taking candy from a baby.

Would you like to know if hackers can spoof your domain? KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test. It's quick, easy and often a shocking discovery. We send you one email, "from you to you" - if it arrives in your inbox you know you have a problem. Find out now if your email server is configured correctly, 82% are not! Get started here:

Don't Miss the April Live Demo: Simulated Phishing and Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, April 12, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy (and fun) it is to train and phish your users:
    • NEW Social Engineering Indicators patent-pending technology, turns every simulated phishing email into a tool IT can use to instantly train employees.
    • NEW Access to the world's largest library of awareness training content through our innovative Module Store.
    • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
    • Active Directory Integration allows you to easily upload, sync and manage users, set-it-and-forget-it.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how 9,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"One of the most beautiful qualities of true friendship is to understand and to be understood."
- Lucius Annaeus Seneca (5 BC - 65 AD)

"A real friend is one who walks in when the rest of the world walks out."
- Walter Winchell (1897 - 1972)

Thanks for reading CyberheistNews

Security News

Phishing Your Employees for Schooling & Security

Excellent article at DarkReading:

Your education program isn't complete until you test your users with fake phishing emails. Imagine this fictional scenario: A student, hoping to become a surgeon, attends hours of medical courses. She never misses a class, always listens, and takes copious notes. Finally, after receiving the years of training necessary, the student receives her medical degree having never taken a test. Would you let this surgeon operate on you?

I sure hope not! Testing is a crucial part of any form of education, for both teachers and students.

That's why I believe your phishing education program isn't complete until you phish your own company's tank. By that, I mean sending fake (but realistic) phishing emails to all your users to see if they fall for them. There are plenty of tools and services that can do this for you. To me, this is the real test of your phishing and user awareness security training. More:

86% Rise in 2016 Data Breaches Led to 1.4 Billion Records Compromised

2016 was the year of the Mega Breach. We cannot accept data breaches as the new normal, and compliance alone isn't enough to meet cyber threats. Let's look at the numbers for a moment.

More than 1.4 billion data records are estimated to have been compromised in 2016 as a direct result of data breaches, an 86% increase compared to 2015, according to Gemalto's new Breach Level report.

The leading type of data breach, accounting for 59 percent of all reports, was identity theft, but 52 percent of all data breaches in 2016 did not disclose the number of records that were potentially compromised.

More than 7 billion data records are estimated to have been exposed since 2013, and an estimated average of 44 records are compromised every second.

"Knowing exactly where their data resides and who has access to it will help enterprises outline security strategies based on data categories that make the most sense for their organizations. Encryption and authentication are no longer 'best practices' but necessities,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto.

"This is especially true with new and updated government mandates like the upcoming General Data Protection Regulation (GDPR) in Europe, U.S. state-based and APAC country-based breach disclosure laws. But it's also about protecting your business' data integrity, so the right decisions can be made based on accurate information, therefore protecting your reputation and your profits."

The three most affected industry verticals were healthcare (27.5 percent), government (15 percent), and retail (12 percent). The hardest-hit vertical in 2016 seems to have been the technology industry (28.4 percent): not only did its number of breaches spike by 54.9 percent, but the number of records stolen also increased by 277.5 percent compared to 2015, reaching 391.6 million records breached in 2016 alone. More at the Bitdefender Blog:

SecureWorks Exposes Phishing Russian Hacker Gang APT28

Atlanta-based SecureWorks has a Counter Threat Unit which has been closely watching the Russian hacker gang APT28 over the last few years and released brand new research. This group of criminal hackers is also known as Pawn Storm, Sofacy, Strontium, Fancy Bear, and SecureWorks calls them "IRON TWILIGHT".

Their researchers state it is highly likely the group is supported by the Russian Government, specifically the GRU, the Russian military intelligence arm and counterpart of the FSB (former KGB). APT28's "active measures" tried to influence the U.S. presidential election and are currently attempting the same thing in France and Germany. The whole story with attack vectors, their hacking toolkit and mitigation suggestions is over at the KnowBe4 Blog:

Gigabyte Firmware Flaws Allow the Installation of Ransomware

Now, here is an interesting one. Gigabyte BRIX are very small computers, similar to Intel NUCs, that can be used to replace those bulky desktop towers. I am using Intel NUCs myself at the house and the office.

Well, these small devices have no hard disk and everything lives in different types of memory. At the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed two vulnerabilities in the firmware of Gigabyte devices, which allow an attacker to write malicious content to the UEFI firmware.

Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer's firmware to its operating system (OS). UEFI is expected to eventually replace BIOS.

Major FAIL on the part of Gigabyte, which did not implement write protection on its UEFI, nor a system that cryptographically signs its firmware files.

During their presentation, the researchers installed a proof-of-concept UEFI ransomware, preventing the BRIX devices from booting, but they say the same flaws can be used to plant rootkits that allow attackers to persist malware for years. Patches are being readied, and if you have Gigabyte devices, including the GB-BSi7H-6500 (firmware version vF6) and GB-BXi7-5775 (firmware version vF2), in your network, read this:

Otherwise, keep track of firmware updates on any other diskless devices you run, because this is something you will see more of.

Email Customers Are Sending Us

"I’m sure this is nothing new, but I thought it was worth mentioning.

"I just received a phone call from a man who simply introduced himself as “Sam” from the IT department. He had a thick Indian accent which was the first red flag as I have spoken with most of the guys in our IT dept (in Dallas) and know the only ones with accents are Hispanic. In any case, I wanted to see where this was going…

"He claimed that they needed to update our system and asked if I could get in front of a computer. He then put me on a short hold after which he returned to the line with another man who was to “help me” through the update. Red flag number two was the terrible connection on the line and the lack of introduction from “IT guy number 2.” He just started right in on what I needed to do. I asked him where he was calling from and he said, “West Palm.”

"Red flag number 3, again, as our IT dept is based out of Dallas. I asked why I needed to update through a 3rd party company as he was obviously not with ours and he said that it was because they did some work on our system last year. When I asked WHOSE system he worked on, the line filled with static and POOF - disconnected.

"I don’t know how far they were going with this, and a part of me was interested in what exactly they were after. In any case, I wasn’t biting.

"Appreciate you guys keeping us informed on the latest tricks."

- A.C. Director of IT

Other Interesting News Items This Week

We often run into articles that may be good ammo to support budget requests, but we cannot cover them all. Here are this week's possibly useful articles:

• CIO Insight Slide Show: "Malware Declines, but Ransomware Soars"

• How ransomware can flatline healthcare organizations. Connected healthcare systems today are collecting huge amounts of data which is making them attractive targets for cybercrime:

• Cerber Ransomware Tries to Evade Machine Learning Security:

• Blank slate spam campaign spreads Cerber ransomware

• Some very interesting data on the costs which ties back to how SME's go out of business after a breach:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
