CyberheistNews Vol 7 #21 Scam of the Week: Massive DocuSign Phishing Attacks




DocuSign has admitted it was the victim of a data breach in which customer email addresses (and, according to DocuSign, nothing else) were stolen, and that the exfiltrated addresses are now being used in massive phishing campaigns that impersonate DocuSign. Ouch. So here is your Scam of the Week.

DocuSign discovered the breach after its customers were targeted with phishing campaigns on May 9, 15, and 17. They are now advising customers to filter or delete any emails with specific subject lines. We do not repeat them here, because this newsletter might itself be filtered out, but you can see them on the blog, together with screenshots:
https://blog.knowbe4.com/scam-of-the-week-docusign-phishing-attacks

The campaigns all carry Word documents as attachments and use social engineering to trick users into enabling Word's macro feature; the macro then downloads and installs malware on the user's workstation. DocuSign warned that it is highly likely there will be more campaigns in the future.
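The check a mail gateway or a help-desk triage script wants at this point is "does this attachment carry a macro project at all?", which can be answered without opening the file in Word. The following is an added example, not code from DocuSign or KnowBe4: it treats the attachment as the OOXML zip package that modern Word files are, looks for the vbaProject.bin part and the VBA content type, and falls back to a "review" verdict for legacy OLE .doc files. The sample packages are constructed inline and are not real DocuSign attachments.

```python
"""Triage Office attachments for embedded VBA macros (added example).

Modern Office files (.docx/.docm/.xlsx/.xlsm/...) are OOXML zip packages.
A document can only carry a macro project if the package contains a
vbaProject.bin part, so a triage script can flag macro carriers without
running Office at all. The sample packages below are constructed here.
"""
import io
import zipfile

# Part names and content type that identify a VBA project (assumption:
# standard OOXML layout as produced by Word, Excel and PowerPoint).
MACRO_PART_NAMES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary Office files (.doc/.xls) are OLE compound files, not zips.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML package embeds a VBA project.

    Looks at the zip directory and at [Content_Types].xml, so a part stored
    under an unusual folder is still caught. Non-zip input returns False
    (a legacy .doc must be handled separately, see triage_attachments).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if names & MACRO_PART_NAMES:
                return True
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in types_xml
            return False
    except zipfile.BadZipFile:
        return False


def triage_attachments(attachments):
    """Map each (filename, bytes) pair to a verdict string."""
    verdicts = {}
    for name, data in attachments:
        if has_vba_project(data):
            verdicts[name] = "BLOCK: Office attachment carries a VBA macro project"
        elif data[:8] == OLE_MAGIC:
            # Legacy .doc/.xls: macros live inside OLE streams; hand these to
            # a proper OLE parser such as olevba from the oletools package.
            verdicts[name] = "REVIEW: legacy OLE document, inspect VBA streams"
        else:
            verdicts[name] = "ALLOW"
    return verdicts


# --- constructed sample packages (not real DocuSign attachments) ------------
_TYPES_DOCM = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    "</Types>"
)
_TYPES_DOCX = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)


def build_sample(with_macro: bool) -> bytes:
    """Build a minimal OOXML package; with_macro adds a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _TYPES_DOCM if with_macro else _TYPES_DOCX)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE container; opaque bytes suffice here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("Completed_Document.docm", build_sample(True)),
               ("Completed_Document.docx", build_sample(False)),
               ("old_style.doc", OLE_MAGIC + b"\x00" * 504)]
    for name, verdict in triage_attachments(samples).items():
        print(f"{name:28s} {verdict}")
```

The verdict is deliberately based on the package contents rather than on the file extension: a .docm renamed to .docx still carries its vbaProject.bin part. The script says nothing about what the macro does; for that, run the file through olevba or detonate it in a sandbox.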

I suggest you send the following to your employees. You're welcome to copy, paste, and/or edit:

"Hackers have stolen the customer email database of DocuSign, the company that lets organizations sign documents electronically. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and clicking to enable editing and then to enable content, which turns on macros.

If you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify with the sender before you open the attachment or act on any DocuSign email. Remember: Think Before You Click."

Let's stay safe out there.

Warm regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

PS: If you are a KnowBe4 customer, inoculate your users against this right away. In your console, go to Phishing Email Templates > System Templates and type DocuSign in the search box. You will see a ready-made, 4-star rated template you could edit, and get a campaign out to all users in less than 2 minutes.
The New Ransom Target: Entertainment Files. Who Is the Next Phishing Victim?

Remember the James Bond movie Goldfinger? It was based on Ian Fleming's seventh novel, which first featured the timeless quote: "Once is happenstance, twice is coincidence, the third time it's enemy action." - Auric Goldfinger

First, a few months ago, very much under the radar, attackers used spoofed emails to impersonate an executive of Interscope Records, the record label owned by Universal Music Group.

This CEO fraud targeted two music-related businesses, September Management and Cherrytree Music Company, and socially engineered their employees into sending the attackers Lady Gaga's stem files, the files that music engineers and producers use for remixing and remastering.

Using tried-and-true tradecraft, the bad guys figured out that high-profile entertainment targets are supported by an ecosystem of softer targets which do not have the same resources and security technology. Remember that Target was hacked via their HVAC contractor?

Next, last month criminal hackers leaked unreleased episodes of "Orange Is the New Black" after they penetrated Larson Studios, one of Netflix's postproduction partners, and unsuccessfully tried to extort Netflix. They demanded a ransom of 30 bitcoins, now roughly 60,000 dollars.

A source from inside the industry told me that there are at least 50 other titles that have been exfiltrated, belonging to Larson’s other clients, including ABC, Fox, National Geographic and IFC.

Third, news broke that Disney got pwned and Pirates got pirated. Disney CEO Bob Iger warned that hackers are holding an unreleased copy of the "Pirates of the Caribbean" movie. The hackers are demanding a massive ransom in Bitcoin and threaten to release the movie if their demands are not met.

No Intent to Pay

For now, as far as we know, Hollywood studios have presented a united front and stated they have no intention of paying any ransom. This is assumed to be a business decision based on a risk assessment of how much revenue and how many viewers they might lose, despite the "handsome business proposal" from the hackers: pay a ransom, or see the files deleted, sold or published online.

So, Who Is Next?

Losing a movie file that cost 200 million to make is obviously a disaster, but a release through torrent still only reaches a small part of the net, and mostly people who might not cough up the money to see the movie in the first place.

But what of the crown jewels in your own organization? If those were sold to a competitor in China who then brought your product to market at 30% of your price, that would mean massive losses. This has happened numerous times, and in most of those cases it was done through spear phishing attacks using social engineering.

Your Employees Are Your Last Line of Defense

Bad guys go for the low-hanging fruit. If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step employees through effective security awareness training.

It will help you prevent this kind of disaster or at least make it very hard for the bad guys to social engineer employees. Find out how affordable this is for your organization. Get a quote now:
https://info.knowbe4.com/kmsat_get_a_quote_now-chn
"The Best Cybersecurity Investment You Can Make Is Better Training"

The Harvard Business Review has an excellent article which is great ammo to get budget for new-school security awareness training. They started out with:

"As the scale and complexity of the cyber threat landscape is revealed, so too is the general lack of cybersecurity readiness in organizations, even those that spend hundreds of millions of dollars on state-of-the-art technology.

Investors who have flooded the cybersecurity market in search for the next software “unicorn” have yet to realize that when it comes to a risk as complex as this one, there is no panacea — certainly not one that depends on technology alone." [...]

"In short, there will be some investment required in enhancing personnel readiness. But it can be cost effective over time, particularly when compared to implementing cutting-edge cybersecurity technology that may become obsolete.

To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver."

I suggest you send this link to your C-level execs:
https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training
I Was Interviewed on NPR: "Ransomware — Should Businesses Pay Up?"

National Public Radio reported on ransomware and if you should pay or not after getting hit with a ransomware infection:

“Never, ever, ever give in to ransomware,” said Liviu Arsene, a threat analyst at BitDefender. “If you give in once, probably hackers will come in again and again, and try to extort money from you. Once there's blood in the water, definitely sharks will come.”

And no one wants sharks. That “don't pay up” advice is what you're going to hear from law enforcement. And it's advice that a lot of experts are going to give in a situation like Disney's: Don't negotiate with terrorists.

But Stu Sjouwerman, from the cybersecurity training firm KnowBe4, said when hackers have locked up your data, it's not always cut and dry. “It's a business decision,” Sjouwerman said. There's a fate — potentially worse — than those circling sharks.

“If you find that your backups failed, and you find that you've lost months of work, which would potentially even shut you down as an organization, it's a no-brainer to pay the ransom,” Sjouwerman said. “And many people do.”

At the top of the page, you can listen to the 2-minute segment:
https://www.marketplace.org/2017/05/16/business/hackers-are-holding-businesses-ransom-pay-or-not-pay-question
Live Webinar: Best Practices and Future Direction of Security Awareness Training

While reported numbers fluctuate from industry study to industry study, they all agree on one thing: cybercriminals are successfully and consistently exploiting human nature to accomplish their goals. Prudent security leaders know that security awareness and training is key to strengthening their ‘human firewall’ – but they often don’t know where to start.

Join security awareness expert Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4 and former Gartner Research Analyst for this live webinar “Best Practices and Future Direction of Security Awareness Training”. We will discuss emerging industry trends and provide the actionable information you need to train your last line of defense, your employees.

Perry will cover these topics:

• Practical security awareness and behavior management tips
• How and where tools are helpful
• Emerging industry trends
• How to create a 'human firewall'

Webinar Date/Time: Thursday, May 25, 2017, at 2:00 PM EDT
Register Now! https://register.gotowebinar.com/register/4096453053252124163

Not able to make that time? Grab this whitepaper instead:

Endpoint Protection Ransomware Effectiveness Report

It's estimated that in 2016 the cost of ransomware was over 1 billion dollars, making it the most lucrative criminal business model in the history of malware. Every organization is at risk, and with over 33% of businesses experiencing an attack in the past year, it's more important than ever to have adequate protection in place.

For this report, we surveyed businesses across all industries to find out what they're doing to defend themselves. We thoroughly examined who is at risk, what the scope and cost of an attack is, how organizations are protecting themselves from ransomware, and the effectiveness of their endpoint protection.

The results might surprise you! Download here:
https://info.knowbe4.com/endpoint-protection-ransomware-effectiveness
Quotes of the Week
"We can only see a short distance ahead, but we can see plenty there that needs to be done." - Alan Turing

"The secret of getting ahead is getting started." - Mark Twain



Thanks for reading CyberheistNews
Security News
First Quarter 2017 Top-Clicked Phishing Tests [INFOGRAPHIC]

KnowBe4 customers run millions of phishing tests per year, and we report frequently on the top-clicked phishing topics so that our customers know what the highest-risk phishing templates are. That way they can inoculate their employees against the most prevalent social engineering attacks.

This infographic shows the most frequently clicked phishing emails from Q1 2017, broken down into 3 categories: subjects related to social media, general emails, and 'In the Wild' attacks, i.e., real phishing emails that employees of our customers reported by clicking the Phish Alert Button, which sends the email to us for analysis:
https://blog.knowbe4.com/first-quarter-top-clicked-phishing-tests
Security Awareness Training Gets a Much-Needed Reboot

Great article at ThirdCertainty: "Using innovative strategies, some companies may be erasing employee security training’s reputation for ineffectiveness.

"Security training “got a bad rap, because it was so bad,” says Steve Conrad, the founder and managing director of MediaPro, a Bothell, Washington-based security awareness training company with such clients as Microsoft, Yahoo and Adobe."

"Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training company founded in 2010 and based in Clearwater, Florida, says 'old-school security training' often stems from 'classical break-room sessions where employees are kept awake with coffee and doughnuts and exposed to death by PowerPoint.'" Full article:
http://thirdcertainty.com/featured-story/security-awareness-training-gets-much-needed-reboot/
Using Employees as Breach Detectors

Excellent article at InfoSecurity Magazine by Jeremy Bergsman. Here is a snippet and I suggest you read the rest, this is great ammo:

"Hackers routinely target employees to achieve their nefarious ends. Research from CEB, now part of Gartner, found that employee mistakes—such as falling for phishing attacks or reusing passwords across sites—cause half of breaches.

Because of this, training employees to reduce mistakes is a staple of every security program. In fact, the average large company has increased spend on awareness by 50% in just the last two years.

At the same time as awareness training has increased, security teams have expanded their objectives beyond just preventing breaches to be reliably detecting and responding to them. In response to that expansion, the most progressive CISOs are training employees differently.

Where conventional awareness programs seek to reduce employee mistakes, these CISOs seek to enlist employees as part of information security’s machinery to detect breaches by watching for suspicious activity and reporting it to security.

Research shows that employees are already doing this. According to the 2014 Verizon Data Breach Report: “…over the years we’ve done this research, users have discovered more breaches than any other internal process or technology.” Another survey of CISOs by CEB, now part of Gartner, found that two-thirds agreed with this observation. However, given that almost all advanced attacks still begin with a phishing email, employees need help to detect breaches more consistently.

There are four things CISOs must do to help employees become better breach detectors." Here they are:
https://www.infosecurity-magazine.com/opinions/using-employees-breach-detectors/
Reuters: "Companies Use Kidnap Insurance to Guard Against Ransomware Attacks"

Companies without cyber insurance are dusting off policies covering kidnap, ransom and extortion in the world's political hotspots to recoup losses caused by ransomware viruses such as "WannaCry", insurers say.

Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as 100,000 dollars for 10 million dollars in data breach insurance.

Some companies do not even consider it because they do not think they are targets.

The kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas where violence related to oil and mining operations is common, such as parts of Africa and Latin America.

Companies could also tap them to cover losses following the WannaCry attack, which used malicious software, known as ransomware, to lock up more than 200,000 computers in more than 150 countries, and demand payments to release them.

Pay-outs on K&R for ransomware attacks may be lower and the policies less suitable than those offered by traditional cyber insurance, insurers say. More:
http://www.reuters.com/article/us-cyber-attack-insurance-idUSKCN18F1LU
GDPR Compliance Requires Awareness Training

We attended a GDPR symposium last week, and one of the takeaways is that it requires awareness training and in particular a focus on privacy awareness. In addition to the training requirements, there are mandatory requirements for compliance monitoring, tracking and reporting:

"A little more than a year out from its effective date of May 25, 2018, the General Data Protection Regulation (GDPR) is undoubtedly on the minds of many privacy professionals whose organizations handle the data of EU citizens.

In a nutshell, the GDPR is designed to strengthen and unify data protection for individuals within the European Union (EU). Perhaps more significantly, it also addresses the export of EU citizens’ personal data outside the EU.

This means both Eurozone companies and those based in the U.S., for example, will have to comply with the regulation. And the regulation has teeth: fines for non-compliance can add up to 22 million dollars or 4% of a company’s global annual revenue, whichever is greater."

Below is a good link referencing the training requirement in GDPR:
https://www.helpnetsecurity.com/2017/05/15/privacy-awareness-checklist/

But How Do You Keep Track of These Hundreds of GDPR Controls?

Here is a great way to get through audits in half the time and at half the cost. The KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year round:
  • Quick Implementation with Compliance Templates - Pre-built requirements templates for the most widely used regulations like GDPR
  • Enable Users to Get the Job Done - You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Dashboards with Automated Reminders - Quickly see what tasks have been completed, not met, and past due. With automated email reminders, your users can stay ahead of any gaps in compliance.
20K Per Year for KCM or 20Mil in Fines?

See for yourself how you can minimize the busy work associated with audits and GDPR compliance, and how easy this becomes using KCM. Request a demo:
https://www.knowbe4.com/demo_kcm
FIN7 Hackers Change Phishing Techniques

"A recently uncovered threat group referred to as FIN7 has adopted new phishing techniques and is now using hidden shortcut files (LNK files) to compromise targets, FireEye security researchers reveal.

The financially-motivated threat group has been active since late 2015 and was recently found to have been targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

While some security firms refer to the operation as the Russian “Carbanak Group,” FireEye says that not all CARBANAK backdoor activity can be attributed to FIN7. Interestingly, the group’s recent fileless attacks were said last month to have been launched from an attack framework used in various other seemingly unrelated attacks as well." More:
http://www.securityweek.com/fin7-hackers-change-phishing-techniques
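A shortcut file is attractive to an attacker because the target and command line live in plain structured fields rather than in macro code, and the icon and name can be anything. The quickest triage step is therefore to read those fields directly. Below is an added example (not FireEye's, KnowBe4's or any FIN7 artefact) that parses the string data of a .lnk file per the MS-SHLLINK layout, flags common PowerShell and LOLBin indicators, and decodes a PowerShell -EncodedCommand payload when one is present. The indicator list is a heuristic assumption, and the sample shortcut is constructed inline.

```python
"""Pull the target and command line out of a Windows .lnk file (added example).

Layout per MS-SHLLINK: a 76-byte ShellLinkHeader, optional LinkTargetIDList
and LinkInfo sections, then StringData (name, relative path, working dir,
arguments, icon location), each a 2-byte character count followed by text.
The constructed sample below is not a real FIN7 shortcut.
"""
import base64
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
# Heuristic indicators (assumption: tuned for PowerShell/LOLBin droppers).
INDICATORS = ("powershell", "-enc", "-w hidden", "-windowstyle hidden", "bypass",
              "mshta", "wscript", "cscript", "cmd /c", "cmd.exe", "rundll32",
              "regsvr32", "iex", "downloadstring", "frombase64string")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields present in a shell link as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the PIDL by its size
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields                                # ExtraData blocks are ignored


def decode_encoded_command(arguments: str):
    """Decode a PowerShell -Enc/-EncodedCommand payload (base64 of UTF-16LE)."""
    tokens = arguments.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t.startswith("-e") and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyse_lnk(data: bytes) -> dict:
    """Parse a shortcut and report indicator hits plus any decoded -Enc script."""
    fields = parse_lnk(data)
    haystack = " ".join(fields.get(k, "")
                        for k in ("relative_path", "working_dir", "arguments")).lower()
    return {"fields": fields,
            "indicators": [s for s in INDICATORS if s in haystack],
            "decoded_command": decode_encoded_command(fields.get("arguments", ""))}


def build_lnk(relative_path: str, arguments: str, working_dir=None, unicode=True) -> bytes:
    """Constructed minimal shortcut: header plus StringData, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,        # FileAttributes: ARCHIVE
                         0, 0, 0,     # creation/access/write FILETIMEs
                         0, 0,        # FileSize, IconIndex
                         7,           # ShowCommand: SW_SHOWMINNOACTIVE (minimised)
                         0, 0, 0, 0)  # HotKey, Reserved1..3

    def string_data(s: str) -> bytes:
        raw = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + raw

    body = string_data(relative_path)
    if working_dir is not None:
        body += string_data(working_dir)
    return header + body + string_data(arguments)


# Constructed sample: the -Enc blob is the UTF-16LE base64 of "IEX (New-Object".
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoP -W Hidden -Exec Bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    working_dir=r"%TEMP%",
)

if __name__ == "__main__":
    report = analyse_lnk(SAMPLE_LNK)
    print(report["fields"]["relative_path"])
    print("indicators:", report["indicators"])
    print("decoded:", report["decoded_command"])
```

This reads only the string data; it skips the IDList and LinkInfo sections by their declared sizes and ignores the trailing ExtraData blocks, so it is a triage helper rather than a full parser. For forensic work on real shortcuts, use a complete tool such as LECmd and keep the indicator list tuned to what your environment actually sees.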
Other Interesting News Items This Week

The Fundamental Flaw in TCP/IP: Connecting Everything:
http://www.darkreading.com/endpoint/the-fundamental-flaw-in-tcp-ip-connecting-everything/a/d-id/1328864

Number of HTTPS phishing sites triples:
https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-triples/

RSA: Quarter of UK Consumers Boycott Breached Firms:
https://www.infosecurity-magazine.com/news/rsa-quarter-of-uk-consumers/

WannaCry ransomware infected Bayer U.S. medical devices:
http://www.fiercebiotech.com/medtech/wannacry-ransomware-infected-bayer-u-s-medical-devices

Work in a Bank or Credit Union? CBANC Peer Reviews of KnowBe4:
https://blog.knowbe4.com/cbank-review-of-knowbe4
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.


