CyberheistNews Vol 7 #15
New Research: Big Trouble for Americans in Recognizing Phishing Attacks

I have some excellent ammo for your IT security budget here:

A new Pew Research Center survey titled "What the Public Knows About Cybersecurity" tallied responses from 1,055 adults about their understanding of concepts important to online safety and privacy. The results are troublesome.

The Pew Research survey asked 13 questions about cybersecurity. The median score was five correct answers. Just 20 percent answered eight questions correctly. A relatively large percentage of respondents answered "not sure" to questions rather than providing the wrong answer.

Regarding cybersecurity, Americans recognize the need for strong passwords and know that public Wi-Fi hotspots aren't necessarily safe for online banking or e-commerce.

However, they have big trouble in recognizing phishing schemes or determining if the web site where they're entering credit card information is encrypted or not. These mixed results highlight that employee awareness of staying secure online remains a weak link in blocking cyberthreats.

"It is probably our No. 1 concern and No. 1 vulnerability," said Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region's cybersecurity industry. "These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email."

Other findings in the Pew survey:
    • 75 percent of participants identified the most secure password from a list of four options.
    • 52 percent of people knew that turning off the GPS function on smartphones does not prevent all tracking. Mobile phones can be tracked via cell towers or Wi-Fi networks.
    • 39 percent were aware that Internet Service Providers can still see the websites their customers visit even when they're using "private browsing" on their search engines.
    • 10 percent were able to identify one example of multi-factor authentication when presented with four images of online log-in screens.
Angus Loten at the Wall Street Journal also covered this, and quoted Forrester: "That general lack of online security awareness isn’t lost on chief information security officers and other senior IT managers. The percentage of security and risk professionals citing “security awareness” as a top priority rose to 61% last year, from 56% in 2010, Forrester Research reported in November.

“The human element is important in safeguarding a firm against cyberattack, since it’s both a first line of defense as well as a weak link,” Heidi Shey, a senior analyst at Forrester, told CIO Journal Monday. She said security awareness training isn’t always effective, since it’s often conducted once a year as a compliance issue and involves lists of dos and don’ts.

“Successful awareness efforts are focused on enabling behavioral change, and typically customized and specific to an organization, its workforce, and relevant risks.” Here is the full article in the WSJ and I recommend sending this link to your C-level execs:
http://blogs.wsj.com/cio/2017/04/03/employees-weak-link-in-cybersecurity-efforts-analysts/

The above points are clear indicators that all organizations need to start or continue their awareness training efforts. As an aside, rather than calling awareness training your "first line" of defense, we prefer to call it your last line of defense, because your filters never catch everything.

I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users, which frankly is fun to do!

If you don't, the bad guys will. Get a quote and you will be pleasantly surprised.
https://info.knowbe4.com/kmsat_get_a_quote_now-chn
Ransomware Causes Pediatric Group Data Breach, 55,000 Patient Records

A four-site pediatric practice serving the San Antonio metropolitan area was hit with a CrySiS ransomware attack, and is offering 55,447 patients identity and credit protection services from Equifax Personal Solutions.

The practice became aware of the attack on February 6, when an employee discovered malware that had begun encrypting servers. Existing antivirus software slowed the encryption, but the malware had already spread across the network, and the practice’s IT vendor took all servers and computers offline.

CrySiS is targeting US healthcare orgs, using brute force attacks via Remote Desktop Protocol (RDP). Here is a recent blog post with best practices to prevent these types of RDP attacks:
https://blog.knowbe4.com/samas-ransomware-deletes-your-veeam-backups
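As an added example (not from the newsletter or the linked blog post), here is the detection logic a defender would run over Windows Security log records to spot the RDP brute-forcing described above: repeated failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) from one source inside a short window. The log lines, timestamps and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (values made up):
# "<timestamp> <EventID> <LogonType> <account> <source IP>"
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP, 2 = console.
SAMPLE_EVENTS = [
    "2017-02-05T23:58:01 4625 10 administrator 203.0.113.7",
    "2017-02-05T23:58:03 4625 10 admin 203.0.113.7",
    "2017-02-05T23:58:04 4625 10 backup 203.0.113.7",
    "2017-02-05T23:58:06 4625 10 scanner 203.0.113.7",
    "2017-02-05T23:58:07 4625 10 user1 203.0.113.7",
    "2017-02-05T23:58:09 4625 10 sa 203.0.113.7",
    "2017-02-05T23:59:30 4624 10 jsmith 198.51.100.20",  # legitimate RDP logon
    "2017-02-06T00:10:00 4625 2 jsmith 10.0.0.15",       # console typo, not RDP
    "2017-02-06T00:20:00 4625 10 jsmith 198.51.100.20",  # one isolated RDP failure
]

def parse_event(line):
    """Split one constructed log record into typed fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src": src}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "accounts": [...]}} for every source
    with at least `threshold` failed RDP logons inside any sliding `window`."""
    failures, accounts = defaultdict(list), defaultdict(set)
    for ev in map(parse_event, lines):
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            failures[ev["src"]].append(ev["ts"])
            accounts[ev["src"]].add(ev["account"])
    offenders = {}
    for src, stamps in failures.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):      # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[src] = {"failures": best, "accounts": sorted(accounts[src])}
    return offenders

if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} made {info['failures']} failed RDP logons "
              f"against {len(info['accounts'])} accounts")
```

The same sliding-window logic applies to any exported 4625 feed; a source that also later produces a 4624 of type 10 is the case worth escalating, since that is the brute force succeeding.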
Hacking Compromised Brazilian Bank Top to Bottom

Now here is an IT hacking horror story for you!

Kaspersky's blog tells the tale of a bank in Brazil that lost its entire online presence and had all 36 of its domains, corporate email and DNS seized by a criminal hacker group, which then used the websites to drop malware on unsuspecting bank customers. Ouch.

Once Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev dug under the covers of this attack, they discovered that the attackers had extended their operations to nine other institutions worldwide.

At the outset, this looked like a site hijacking, but Assolini and Bestuzhev quickly discovered that much more was happening. The caper was uncovered last Oct. 22 when it was apparent the bank’s website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded into the index file.

The depth of the compromise quickly became apparent. All 36 bank domains were under the attackers’ control, including online banking, mobile, point-of-sale, financing and acquisitions, and more. Digging deeper, the researchers found the homepage was displaying a valid SSL certificate from Let’s Encrypt, a no-charge Certificate Authority.

The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.

“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev said. “If DNS was under control of the criminals, you’re screwed.”

The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer but few customers use. “That’s exactly what happened with this bank,” Assolini said.

Their working theory is that the cybercriminals spear-phished an employee who had access to the bank's DNS tables, using the name of the certificate authority as the lure. Even IT people can get caught out now and then, and need advanced security awareness training to keep them alert.

Here is the whole story at Threatpost. Interesting reading to say the least.

However, first go to your domain registrar and turn on 2-factor authentication now.

https://threatpost.com/lessons-from-top-to-bottom-compromise-of-brazilian-bank/124770/
Don’t Miss the April Live Demo: Simulated Phishing and Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, April 12, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy (and fun) it is to train and phish your users:
    • NEW Social Engineering Indicators patent-pending technology turns every simulated phishing email into a tool IT can use to instantly train employees.
    • NEW Access to the world's largest library of awareness training content through our innovative Module Store.
    • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
    • Active Directory Integration allows you to easily upload, sync and manage users, set-it-and-forget-it.
    • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 9,000+ organizations have mobilized their end-users as their last line of defense.
Register Now:
https://attendee.gotowebinar.com/register/1382203046017298946

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"If you do not change direction, you may end up where you are heading."
- Lao Tzu - Philosopher (604 - 531 BC)

"Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction." - E. F. Schumacher



Thanks for reading CyberheistNews
Security News
Can You Be Spoofed? Find out for a Chance to Win.

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? If they can, they can launch a "CEO fraud" spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome Stormtrooper Helmet Prop Replica at the same time.

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless steel lock-pick business card!

To enter, just go here and fill out the form; it's quick, easy and often a shocking discovery. Yep, it’s that easy.
https://info.knowbe4.com/dst-sweepstake-042017
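Added example, not KnowBe4's Domain Spoof Test: a self-contained check of what a domain's published SPF and DMARC records actually let a receiver do with mail forged in its name. It evaluates constructed TXT records (the .test domains and their contents are invented) instead of querying live DNS; the rules it applies are the ones a practitioner would check by hand.

```python
import re

# Constructed TXT records keyed by the DNS name they would be published at.
# The .test domains and record contents are invented for this example.
CONSTRUCTED_DNS = {
    "example-weak.test": ["v=spf1 include:mail.example-weak.test ~all"],
    # no "_dmarc.example-weak.test" entry: that domain publishes no DMARC record
    "example-strong.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.example-strong.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-strong.test"],
    "example-monitor.test": ["v=spf1 mx ?all"],
    "_dmarc.example-monitor.test": ["v=DMARC1; p=none; sp=none;"],
    "example-plusall.test": ["v=spf1 +all"],
    "_dmarc.example-plusall.test": ["v=DMARC1; p=reject"],
}

def spf_all_qualifier(records):
    """Qualifier on the SPF 'all' mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass; None when no SPF record is published."""
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
            # a bare 'all' means '+'; a record with no 'all' term defaults to neutral
            return (m.group(1) or "+") if m else "?"
    return None

def dmarc_policy(records):
    """DMARC p= tag ('none', 'quarantine' or 'reject'); None when absent."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p", "").strip().lower() or None
    return None

def spoof_assessment(domain, dns=CONSTRUCTED_DNS):
    """Return (verdict, spf_qualifier, dmarc_policy).

    Only DMARC tells receivers to quarantine or reject forged mail. SPF alone
    checks the envelope sender, so the visible From: header can still be forged,
    and an SPF record ending in +all lets any host pass, which also satisfies
    DMARC's SPF alignment check and so undermines an enforcing policy."""
    spf = spf_all_qualifier(dns.get(domain, []))
    policy = dmarc_policy(dns.get(f"_dmarc.{domain}", []))
    if policy in ("quarantine", "reject") and spf != "+":
        return ("protected", spf, policy)
    if policy == "none":
        return ("monitored", spf, policy)   # reports only, nothing is blocked
    return ("spoofable", spf, policy)
```

Point the same two functions at real TXT lookups (for example with a DNS library of your choice) and the verdict tells you whether a forged message from your domain would be rejected, merely reported, or delivered.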
Data Breaches Take 250 Days to Detect but Data Gets Stolen in 25 Hours

Good story at Tripwire's blog, with suggestions on what to do about it:

“Data breaches take an average of 250-300 days to detect—if they’re detected at all—but most attackers tell us they can break in and steal the target data within 24 hours,” said Chris Pogue, Nuix’s chief information security officer and a co-author of the Nuix Black Report. “Organizations need to get much better at detecting and remediating breaches using a combination of people and technology.”

Just like cyber security professionals are constantly looking for ways to develop better and more secure software programs, hackers are always staying on top of the newest updates to overcome the latest defenses. To understand the importance of cyber security and how to stay ahead of hackers, it can be helpful to look at things from the opposite point of view—a hacker trying to get into your business’s system.

A recent Nuix Black Report surveyed 70 of the world’s best professional hackers and found that 88 percent of hackers can break into their desired system and get through cyber security defenses in 12 hours or less. It only takes an additional 12 hours for 81 percent of hackers to find and take valuable data:
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hackers-perspective-cyber-security/
New SANS April Issue of OUCH! "Passphrases"

SANS said: "We are excited to announce the April issue of OUCH! This month, led by Guest Editor My-Ngoc Nguyen, we focus on Passphrases. Passwords have traditionally been confusing, intimidating and overwhelming for most people. It is where security often fails because it's too hard. In this newsletter we explain passphrases, strong passwords that are easy to both remember and type. Share OUCH! with your family, friends, and coworkers."

English Version (PDF)
http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201704_en.pdf
Scammers Phishing for Financial Credentials on Twitter

Steve Ragan at CSO wrote: "Scammers are using Twitter as a vehicle to target people looking for customer support or asking general questions. They interject themselves into legitimate discussions, offering friendly chatter and a link that directs the target to a Phishing page designed to harvest credentials.

On Twitter, someone – or perhaps a group of people – are following support accounts for large financial institutions and watching their interactions with customers. Depending on the question asked, the scammers will respond to the customer (usually after the official account has) and direct them to take 'additional' measures.

Social Engineering is a powerful tool, and given the right construct it can be hard to detect or defend against. The recent phishing attempts were brought to Salted Hash's attention, after they were mentioned by Sam Stepanyan on Twitter. It didn't take long to find active examples."

Here are the examples, all of them. Interesting reading, and we have warned against this before:
http://www.csoonline.com/article/3187832/security/scammers-phishing-for-financial-credentials-on-twitter.html
Ask the Thought Leaders: What’s the Future of Cybersecurity?

As we become increasingly dependent on technology in our daily lives, we open ourselves up to an entirely new kind of threat: cyberattacks.

While in the late 90s and early 2000s cybersecurity went as far as your company’s IT guy, today it’s a multi-billion dollar global industry that is expected to top 1 trillion dollars by 2020. Whether it’s an email scam targeted at individuals or corporate data theft affecting millions of people at one time, the rise in cyberattacks and their increasing reach has made cybersecurity a very hot topic.

When we started thinking about cybersecurity and where it’s heading, one of the first issues brought up was the internet of things. Someone tampering with your computer while you’re surfing the web is an inconvenience, but what about someone hacking into your car while you’re driving down the highway?

So, in an effort to ease our fears and gain a better perspective we decided to ask a group of cybersecurity experts…

What’s the future of cybersecurity? It was not an easy question to answer. Here’s what they had to say, and you will find me there too:
http://www.futureofeverything.io/2017/04/07/future-of-cybersecurity/
Other Interesting News Items This Week

We often run into articles that may be good ammo to support budget requests, but we cannot cover them all. Here are this week's possibly useful articles:

• “iCloud Mail” phishing emails doing rounds:
https://www.helpnetsecurity.com/2017/04/06/icloud-mail-phishing/

• Identity Fraud Reached Record High in 2016:
https://darkwebnews.com/dark-web/record-high-identity-fraud/

• No More Ransom — 15 New Ransomware Decryption Tools Available for No Charge:
http://thehackernews.com/2017/04/decrypt-ransomware-files-tool.html

• Chinese APT10 Hacking Group Suspected of Global Campaign Targeting MSPs:
http://threatbrief.com/chinese-apt10-hacking-group-suspected-global-campaign-targeting-msps/

• One New Cyber-threat Discovered Every Three Seconds in Q4:
https://www.infosecurity-magazine.com/news/one-new-cyber-threat-discovered/

• Apache Struts Flaw Used to Deliver Cerber Ransomware:
http://www.securityweek.com/apache-struts-flaw-used-deliver-cerber-ransomware

• Scams Spike As Bitcoin Price Rises:
https://darkwebnews.com/bitcoin/bitcoin-scams-rise/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • KnowBe4's Chief Hacking Officer Kevin Mitnick explains in simple words how best to browse the internet anonymously using Tor. Perhaps good for your road-warriors?
      https://youtu.be/l7KuljR3fJc
    • "Don’t Become A Phishing Victim." New 49-second "Public Service Announcement" video from KnowBe4 for your employees. Wait till the end!
      https://vimeo.com/212158014

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.