CyberheistNews Vol 7 #16 Scam of the Week: It's Not a WhatsApp Voice Mail!


You probably know that the Eastern European cyber mafia does its beta testing in the U.K. before "exporting" its criminal campaigns to America. Here is a heads-up on a social engineering phish that was spotted in Ireland and that your users may receive in their inbox in the near future. Warn them ahead of time!

ESET Ireland warned: "A dangerous email spam message is dropping into Irish mailboxes, pretending to come from WhatsApp. Its subject says “Missed voicemail” and the content of the mail just says “New voicemessage” and has a link called “Play”.

Clicking on the link will begin the download of a trojan that ESET detects as “JS/Kryptik.BBC”, a variant of malware first detected in August 2016. JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages that usually redirects the browser to a malicious URL or implements a specific exploit and can cause ransomware and other malware infections."

I suggest you send the following to your employees, friends, and family. Feel free to copy, paste, and/or edit:

"Criminal hackers are constantly trying to trick people into clicking on links or opening attachments they did not ask for. Their new "scam of the week" is to send you an email that looks like it comes from WhatsApp and claims it is a voice mail left for you. It's not.

Do not click on the "Play" button. If you do, your computer will get infected with malware which can cause your identity to get stolen, or all your (or the organization's) files to be held for ransom.

Here is a general safety rule: instead of clicking a link in an unverified email claiming it's from WhatsApp (or any other social media service), log in to your WhatsApp account the standard way and check for any messages there. Remember: "When in doubt, throw it out!"
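For the security team rather than the employees: the same rule can be enforced in a mail-gateway or triage script. The lure described above has a recognizable shape: the display name and subject invoke a brand, but the sending domain and the "Play" link belong to some other domain, and the link fetches a script instead of a voice message. The Python below is an added example, not code from the newsletter or from ESET; the brand-to-domain allowlist, both sample messages and every domain name in them are constructed for the example.

```python
"""Flag e-mails whose claimed brand does not match their sender or link domains.

Added example for the WhatsApp "Missed voicemail" lure: the display name says
WhatsApp, but the sender domain and the "Play" link point elsewhere, and the
link fetches a script rather than a voice message.
"""
import re
from email import policy
from email.parser import BytesParser
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: brand name as it appears in lures -> registered
# domains that brand really mails from and links to. Extend it from your logs.
BRAND_DOMAINS = {
    "whatsapp": {"whatsapp.com", "whatsapp.net"},
}

# A "voice message" link should never resolve to one of these.
DROPPER_SUFFIXES = (".js", ".jse", ".wsf", ".vbs", ".hta", ".exe", ".zip", ".scr")

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.net; use the public
    suffix list in production so co.uk-style domains are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(display_name: str, subject: str) -> Optional[str]:
    """Which brand, if any, the message pretends to come from."""
    text = f"{display_name} {subject}".lower()
    for brand in BRAND_DOMAINS:
        if brand in text:
            return brand
    return None


def analyze(raw: bytes) -> dict:
    """Return the brand claimed, the domains actually involved and the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addresses = msg["From"].addresses if msg["From"] else ()
    display = addresses[0].display_name if addresses else ""
    from_domain = registered_domain(addresses[0].domain) if addresses else ""

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    urls = HREF_RE.findall(content)
    hosts = [urlparse(u).hostname or "" for u in urls]
    link_domains = sorted({registered_domain(h) for h in hosts if h})

    findings = []
    brand = claimed_brand(display, str(msg["Subject"] or ""))
    if brand:
        allowed = BRAND_DOMAINS[brand]
        if from_domain and from_domain not in allowed:
            findings.append(f"claims {brand} but sent from {from_domain}")
        for d in link_domains:
            if d not in allowed:
                findings.append(f"claims {brand} but links to {d}")
    for u in urls:
        if urlparse(u).path.lower().endswith(DROPPER_SUFFIXES):
            findings.append(f"link fetches a script/executable: {u}")

    return {"brand": brand, "from_domain": from_domain,
            "link_domains": link_domains, "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample: shaped like the lure ESET describes. Domains are made up.
LURE = b"""From: WhatsApp <notifications@voicemail-notice.example>
To: user@corp.example
Subject: Missed voicemail
Content-Type: text/html; charset="utf-8"

<html><body><p>New voicemessage</p>
<a href="http://files.voicemail-notice.example/play.js">Play</a>
</body></html>
"""

# Constructed sample: same brand, but sender and link stay on the brand's domain.
LEGIT = b"""From: WhatsApp <no-reply@whatsapp.com>
To: user@corp.example
Subject: Your WhatsApp verification code
Content-Type: text/html; charset="utf-8"

<html><body><p>Open the app to see your code.</p>
<a href="https://www.whatsapp.com/download">Get WhatsApp</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        result = analyze(raw)
        print(name, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The lure trips all three checks (foreign sender domain, foreign link domain, script download); the legitimate message trips none even though it names the same brand. The domain comparison is the part worth keeping: a display name costs the attacker nothing, but landing links on the brand's real domain does.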

Blog post with screenshot here:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO,
KnowBe4, Inc.

Why Cerber Is the New King of Ransomware

During 2016, ransomware exploded. It clearly became the biggest menace on the net, with phishing as its No.1 infection vector.

Hundreds of ransomware strains competed for market dominance last year, but one was clearly dominant: Locky, costing victims over 1 billion dollars.

However, a recent report from our friends at Malwarebytes shows that Locky has fallen off the face of the earth in Q1 2017, making way for the Cerber strain to become the new king of ransomware.

Malwarebytes' new Cybercrime Tactics and Techniques Q1 2017 report shows Cerber has totally taken over "the market", accounting for 90 percent of Windows ransomware detections. Note that ransomware accounts for 60 percent of all malware attacks on Windows.

So why has Cerber become the Apex Predator?

The success of Cerber is down to its features (encryption that cannot be broken without the attackers' key, encryption that works offline without first contacting a command-and-control server, etc.) combined with the adoption of a RaaS (Ransomware-as-a-Service) business model, where the malicious code can be modified or leased through an affiliate scheme. "It's also very easy for non-technical criminals to get their hands on a customized version of the ransomware," Malwarebytes reports.

Another factor contributing to the rise of Cerber is that those behind it are constantly upgrading it with new features and evasion techniques. Researchers at Trend Micro recently detailed how Cerber has gained the ability to evade detection by cybersecurity tools which use machine learning to identify threats.

The Cerber strain, like most ransomware, is mostly delivered by phishing email. But rather than attaching the payload, these emails contain a link to Dropbox that downloads a self-extracting archive carrying the Cerber payload; abusing a trusted file-sharing service is a social engineering tactic that is harder to protect against.

The Locky strain, last year's number one, has dropped off the map due to a switch in tactics by the cyber gang behind the Necurs spam botnet. The Necurs network, which used to distribute Locky, went quiet and then suddenly surged back to life last month to distribute fake stock tips for "pump and dump" scams.

Cerber is more difficult to stop than Locky

"We've already observed evolution in its distribution mechanisms and it is likely they will continue to do this to ensure that their malware can infect users effectively. It might also start instituting additional functionality like different files to target and increasing victim support capabilities," Adam Kujawa, lead malware intelligence analyst at Malwarebytes, said.

"However it's hard to predict the exact modifications Cerber will make, the only definite is that it's not going away," he added.

They ended with: "We expect to see continued heavy distribution of Cerber through Q2 2017 due to new developments made to the malware design and its continued use of the ransomware as a service (RaaS) model."

At the moment, Cerber may be king of the hill, but if you look at the tumultuous history of ransomware, this won't last for too long. Either the Cerber mafia will withdraw on their own when the heat gets too much, or they will pivot to a new business model just like the Locky/Necurs gang just did. A third option: they get arrested, like the BitCryptor/CoinVault authors did.

In any case, there will be another ransomware strain waiting in the wings to grab the No.1 slot, and at the moment it looks like Spora is the contender for the crown.

Better get ready and step your users through new-school security awareness training. Graphs and links to video at the KnowBe4 blog:

Inside the Tech Support Scam Ecosystem

Dennis Fisher at On The Wire reported on new research by three PhD candidates at Stony Brook University.

The study is the first of its kind and gives a fascinating inside look at how these schemes operate and the extent of the infrastructure that supports them. The researchers collected more than 25,000 domains used by various scammers and said that they don't see an end to these operations anytime soon.

Fisher wrote: "Fake tech support schemes have been a scourge on the Internet for years, with scammers using scare tactics and intimidation to goad victims into paying for worthless "computer repair" services. To find out how these scams work, who's running them, and how to defeat them, a team of researchers recently spent eight months gathering data and analyzing the scammers' tactics and techniques.

What the researchers from Stony Brook University found is an ecosystem comprising large, organized call centers staffed by trained workers, supported by a system of malicious web ads and ad-supported URL shorteners that is all designed to push victims to call. The three doctoral candidates built a custom tool called RoboVic that collected data on the domains and phone numbers these scammers use, and then they actually called 60 separate scam numbers and spent a total of 22 hours interacting with the scammers.

“We discovered that scammers abuse popular remote administration tools (81% of scammers rely on two specific software products), to gain access to user machines where they then patiently attempt to convince users that they are infected with malware. We found that, on average, a scammer takes 17 minutes, using multiple social engineering techniques mostly based on misrepresenting OS messages, to convince users of their infections and then proceeds to request an average of 290.09 dollars for repairing the ‘infected’ machines,” the authors said in their paper.

“Technical support scam is a multi channel scam that benefits from both the telephony channel and web channel to spread and perform the attack and it makes it difficult to track it and take it down.” said study co-author Najmeh Miramirkhani, a PhD computer science student at Stony Brook." Here is the story:

7 Ways Hackers Target Your Employees

One employee under reconnaissance by cyberattackers can put your whole business at risk. Where are they being targeted, and what should they know?

Cybercriminals are testing the strength of your organization's defensive wall, looking for the one crack they need to launch their attacks. Oftentimes that flaw isn't a "what," but a "who."

Employees only need to download a bad attachment, click a malicious link, or give attackers one piece of information they need to break in. Security is a business-wide responsibility.

"Companies need to realize if their employees are picking up the phone and answering emails, they are making security decisions every day that can affect the company," says Michele Fincher, COO for Social-Engineer, Inc. "They don't realize how many good decisions employees need to make to be secure."

Good slide show at DarkReading:

First Quarter Top-Clicked Phishing Tests

KnowBe4 customers run millions of phishing tests per year. We report frequently on the top-clicked phishing topics so that our customers know what the highest-risk phishing templates are. That way they can inoculate their employees against the most prevalent social engineering attacks.

Fresh information from Osterman Research, covering a 10-year time span, shows that since mid-2014 phishing has overtaken the Web and remains the No.1 network infection vector. The data was updated this week.

Here is a blog post with top-clicked phishing tests, broken out into non-social media and social media, including this week's Top 10 "In the Wild" phishing attacks: real phishing emails that our customers' employees reported to us for analysis by clicking the Phish Alert Button.

We "defang" these attacks and keep them updated in real time in a campaign that customers can run regularly to test employees against the "real thing".

Here is the blog post with the lists, and updated 10-year infection-vector graph:

Live Webinar - CEO Fraud: The 2.3 Billion Dollar Mistake You Can’t Afford to Make

CEO fraud, also known as Business Email Compromise (BEC), has victimized more than 22,000 organizations and is responsible for over 2.3 billion dollars in losses. Despite these statistics, CEO fraud remains a blind spot for many C-level executives, who quickly learn the consequences of a weak cyber-risk assessment.

Join Erich Kron CISSP, Technical Evangelist at KnowBe4 for a live webinar “CEO Fraud: The 2.3 Billion Dollar Mistake You Can’t Afford to Make”, on Wednesday, April 19, 2017, at 2:30 PM EDT.

We will look at the scary features of new CEO fraud attacks, give you the actionable info you need to prevent such attacks, and explain what to do if you become a victim.

Erich will cover these topics:
  • What is CEO fraud?
  • Latest attack vectors
  • Who’s at risk?
  • Resolution and restitution options
  • How to create a “human firewall”

Date: Wednesday, April 19, 2017. Time: 2:30 pm EDT. Register Now!

Quotes of the Week
"Peace is not an absence of war, it is a virtue, a state of mind, a disposition for benevolence, confidence, justice." - Spinoza - Philosopher (1632 – 1677)

"Peace cannot be kept by force; it can only be achieved by understanding."
- Albert Einstein - Physicist (1879 - 1955)

Thanks for reading CyberheistNews

Security News
Testing Backup Software: Anti-Ransomware Insurance

Now here is something interesting. We all know that having weapons-grade backup is a top necessity in the fight against ransomware. But which backup software is the best one in that respect? AV-TEST has done some new research.

They said: "Alongside virus protection, backup software still needs to be included in a well-designed security concept. And especially in times of ever more diabolical ransomware attacks, the new specialized data backup applications can help to save time, money and nerves.

The AV-TEST Institute put four new programs onto the test bench, however only one out of them received the certificate "Approved Backup & Data Security Software".

Their conclusion

"The test clearly demonstrates that useful malware protection ought to include the deployment of backup software. “Acronis True Image 2017 New Generation Premium” was the only backup solution in the test that was able to stop ransomware attacks.

That is why the programme, also delivering outstanding results in the test criterion of backup functionality, is being recognized by the AV-TEST Institute with the certificate "Approved Backup & Data Security Software“. The Acronis solution clearly supports users in defending their own PC system and vital data without requiring a whole lot of commitment. You can read more about the comprehensive security study of the test developed by the lab in this PDF file:"

Did You Know? There Is a Microsoft Support Emergency Response Tool

Have I been living under a rock? I just discovered the Microsoft Support Emergency Response Tool (they also call this thing the Microsoft Safety Scanner), which is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works alongside your existing antivirus software.

This beasty expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again. Microsoft notes that it is not a replacement for an antivirus program that provides ongoing protection. You can get it here:

What Enterprises Can Learn in the Aftermath of a Phishing Attack

Spear phishing is a top attack vector used by cyber adversaries today. It consists of fraudulent emails that appear legitimate and target specific organizations, groups, or individuals to gain access to information systems.

Targeted spear phishing also leverages social engineering, which includes research on the specific targets of interest. Organizations rely on email connectivity with the outside world to function, so email is an entry point into a target's environment that bypasses much of the legacy security stack.

Tychon's Chief Technology Officer Travis Rosiek offers tips for enterprises on how to analyze past phishing attacks to improve defenses against future ones, such as creating a database of captured phishing emails to learn the tactics used, who is being targeted, and what information was used for social engineering.
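A minimal version of the database Rosiek suggests can be built from the messages employees report. The Python below is an added example, not code from Tychon, CSO or KnowBe4: it reduces each captured message to the fields worth querying (who sent it, who it impersonated, who received it, where its links and attachments point), stores them in SQLite, and answers the three questions the paragraph raises. The schema, the four sample messages and all domain names in them are constructed for the example.

```python
"""Phishing corpus: parse captured phishing e-mails into SQLite and query them
for who is targeted, who is impersonated and what infrastructure the lures use.
Added example; schema and sample messages are constructed."""
import re
import sqlite3
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

SCHEMA = """
CREATE TABLE phish (
    id            INTEGER PRIMARY KEY,
    sender_domain TEXT,
    display_name  TEXT,   -- the name the sender wants the victim to see
    recipient     TEXT,
    subject       TEXT,
    link_hosts    TEXT,   -- comma-separated hostnames found in href= attributes
    attachment    TEXT    -- filename of the first attachment, if any
);
"""
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def record_from_eml(raw: bytes) -> dict:
    """Reduce one captured message to the fields worth querying later."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    hosts, attachment = set(), None
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachment = attachment or part.get_filename()
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in HREF_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return {"sender_domain": sender.domain.lower(),
            "display_name": sender.display_name,
            "recipient": msg["To"].addresses[0].addr_spec.lower(),
            "subject": str(msg["Subject"]),
            "link_hosts": ",".join(sorted(hosts)),
            "attachment": attachment}


def load_corpus(samples) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO phish (sender_domain, display_name, recipient, subject, "
        "link_hosts, attachment) VALUES (:sender_domain, :display_name, "
        ":recipient, :subject, :link_hosts, :attachment)",
        [record_from_eml(raw) for raw in samples])
    return conn


def most_targeted(conn, n=3):
    """Recipients who receive the most phish: candidates for extra training."""
    return conn.execute("SELECT recipient, COUNT(*) AS c FROM phish GROUP BY "
                        "recipient ORDER BY c DESC, recipient LIMIT ?", (n,)).fetchall()


def impersonations(conn):
    """Display-name / sending-domain pairs, most frequent first."""
    return conn.execute("SELECT display_name, sender_domain, COUNT(*) AS c FROM phish "
                        "GROUP BY display_name, sender_domain "
                        "ORDER BY c DESC, display_name").fetchall()


def indicators(conn):
    """Link hosts and attachment names across the corpus, for blocklists."""
    hosts = set()
    for (csv,) in conn.execute("SELECT link_hosts FROM phish WHERE link_hosts != ''"):
        hosts.update(csv.split(","))
    files = [f for (f,) in conn.execute(
        "SELECT DISTINCT attachment FROM phish WHERE attachment IS NOT NULL")]
    return sorted(hosts), sorted(files)


# Constructed samples (domains are reserved example/.example names).
WHATSAPP = b"""From: WhatsApp <notifications@voicemail-notice.example>
To: %s
Subject: Missed voicemail
Content-Type: text/html

<p>New voicemessage</p><a href="http://files.voicemail-notice.example/play.js">Play</a>
"""
CEO_FRAUD = b"""From: CEO <ceo.office@freemail-host.example>
To: ap@corp.example
Subject: Urgent wire transfer - confidential
Content-Type: text/plain

Are you at your desk? I need a wire sent today, details to follow.
"""
INVOICE = b"""From: Accounts <billing@invoices-portal.example>
To: ap@corp.example
Subject: Invoice 2291 overdue
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/zip; name="invoice_2291.zip"
Content-Disposition: attachment; filename="invoice_2291.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
SAMPLES = [WHATSAPP % b"ap@corp.example", WHATSAPP % b"hr@corp.example", CEO_FRAUD, INVOICE]

if __name__ == "__main__":
    db = load_corpus(SAMPLES)
    print("most targeted:", most_targeted(db))
    print("impersonations:", impersonations(db))
    print("indicators:", indicators(db))
```

On these samples the accounts-payable mailbox receives three of the four lures, "WhatsApp" is the most-abused display name, and the link host and attachment name fall straight out as blockable indicators. Adding a `received` timestamp and the reporting employee's department is the obvious next step; the queries stay the same.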

Some excellent suggestions from Ryan Francis at CSO:

Other Interesting News Items This Week

We often run into articles that may be good ammo to support budget requests, but we cannot cover them all. Here are this week's possibly useful articles:

Prank Malware Forces Victims to Play Near-Impossible Game to Unlock Their Own Files:

Security Training Should Be Legal Requirement, Say Employees:

Cyber Attacks Knock Millions Off FTSE Share Prices:

Cradlecore: Ransomware Source Code for Sale:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • It's been a long time since Google was "just" a search engine. But for those who want to have a bit of fun with its search feature, you're in luck -- Google's developers have a sense of humor. To start, look at what happens when you enter the query, :

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.
