CyberheistNews Vol 7 #27
Scam of the Week: Phishing Moves to Smishing / and More News

Internet bad guys are increasingly trying to circumvent your spam filters and instead are targeting your users directly through their smartphone with smishing attacks, which are hard to stop.

The practice has been around for a few years, but the current crop of scams are mystery shopping invitations that start with a text, socially engineer the victim into sending an email to the scammers, and then rope the victim into a shopping fraud.

These types of smishing attacks are also increasingly used for identity theft, bank account take-overs, or to pressure employees into giving out personal or company confidential information. Fortune magazine has a new article about this, and they lead with a video made by USA Today which is great to send to your users as a reminder. An Australian researcher also just published data suggesting cybercriminals are getting better results using the phone these days.

I suggest you send employees, friends and family an email about this Scam of the Week; you're welcome to copy/paste/edit:

"Bad guys are increasingly targeting you through your smartphone. They send texts that trick you into doing something against your own best interests. At the moment, there is a mystery shopping scam going on, starting out with a text invitation, asking you to send an email for more info which then gets you roped into the scam.

Always, when you get a text, remember to "Think Before You Tap", because more and more, texts are being used for identity theft, bank account take-overs and to pressure you into giving out personal or company confidential information. Here is a short video made by USA Today that shows how this works: https://www.youtube.com/watch?v=ffck9C4vqEM"

Obviously, an end-user who was trained to spot social engineering red flags (PDF) would think twice before falling for these scams. The link goes to a complimentary job aid that you can print out and pin to your wall. You're welcome to distribute this PDF to as many people as you can.
https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf?

Let's stay safe out there,

Warm regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.
Got "Russia = BadGuys" Fatigue Yet? They Just Phished a Nuclear Site

A report from the FBI and the US Department of Homeland Security warns of malware attacks targeting mainly nuclear power stations and energy facilities. The attacks started in May of this year.

These attacks are getting an amber rating, the second highest level, and thus far look like "credential spear phishing" attacks aimed at gaining access to, and mapping, the networks they infiltrate. The attackers targeted employees at the organizations through phony resumes with embedded malware and watering hole attacks.

Bloomberg reported that: "The chief suspect is Russia, according to three people familiar with the continuing effort to eject the hackers from the computer networks. One of those networks belongs to an aging nuclear generating facility known as Wolf Creek -- owned by Westar Energy Inc., Great Plains Energy Inc. and Kansas Electric Power Cooperative Inc. -- on a lake shore near Burlington, Kansas." More and links at the KnowBe4 Blog:
https://blog.knowbe4.com/russians-are-suspects-in-phishing-attacks-involving-u.s.-nuclear-site
UN Report Shows the Whole World Needs a Cybersecurity Upgrade. Oh, Really...

Joseph Steinberg at Inc. Mag wrote: "A UN report released this week shows that despite global awareness of the proliferation of cybercrime and cyber-spying, many nations - including some of the world's most developed - suffer from severe deficiencies when it comes to cybersecurity.

Furthermore, the study shows, there is a huge range of preparedness when it comes to the cybersecurity capabilities of the world's most powerful nations."

I'm not blaming Steinberg, who is a great writer, but pleeez, UN, tell me something new? Why on earth would the UN cover something that is so blindingly clear that a 5-year-old could come to that conclusion?

Inc. continued: "The Global Cybersecurity Index was drafted after analysts examined the cyber-defense capabilities of 134 countries, focusing on five important criteria - technical, organizational, legal, cooperation and growth potential - and ranking nations based on a combination of those factors. Singapore - a nation skilled at leveraging technological innovations created by others - edged out the United States for the top spot. Despite any expectations to the contrary, countries like Malaysia, Oman, and Estonia also easily beat countries like Canada, Russia, Germany, India, and Israel."

Looking over the actual results of the United Nations in the last 50 years, it generally is entirely ineffective and a waste of money and time. Only a few of their units do great work, the rest is mired in corruption and red tape.

If you have nothing to do on a rainy Sunday afternoon and are bored out of your skull, the full UN report is available online. :-)
http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI-2017.aspx
Cleveland Medical Associates Ransomware Infection Caused 22K-Record Data Breach - How to Prevent This

Cleveland Medical Associates is offering about 22,000 patients identity protection services after a ransomware attack against the practice. The practice is offering a year of protective services through Equifax to both current and former patients whose information may have been affected.

The breach was discovered the morning of April 17. “We were unable to determine with reasonable certainty whether or not there was an unauthorized access of your information. However, we are providing you with notification of this incident,” they told patients in a notification letter.

Protected health information that could have been compromised includes patient names, addresses, demographics, telephone numbers, email addresses, clinical information, insurance billings and Social Security numbers.

Are Ransomware Infections Considered a Data Breach?

Regulators are starting to lean that way, especially in healthcare. HIPAA violations include unauthorized access to protected health information, and the case is being argued that a ransomware infection qualifies as such. This issue is making its way through both the courts and the regulatory process, and I expect sooner rather than later that a consensus will be reached that an infection does indeed constitute a data breach and should result in a breach notification.

Two Steps to Prevent This

Based on the most recent compilation of HIPAA audits done by the Office for Civil Rights (OCR), an organization within the U.S. Department of Health & Human Services, OCR found that lack of privacy and security awareness training led to the highest number of audit findings. Not having formal policies and procedures in place for protection of PHI, as well as a general lack of understanding of HIPAA requirements, were the next most common findings.

One: Not having proper security awareness training can lead to an untrained user clicking a link within an email and causing a ransomware infection. Breaches lead to increased audit scrutiny, and without an understanding of the HIPAA requirements and with incomplete policies, fines could increase. Step all users through short, interactive training modules and then test them with frequent simulated phishing attacks.

Two: The KnowBe4 Compliance Manager (KCM) can help with understanding what requirements need to be satisfied and gives you a platform for being able to demonstrate compliance with those requirements. KCM helps you to get compliant and more importantly stay compliant year-round. Does this compliance curve look familiar?
https://www.knowbe4.com/hs-fs/hub/241394/file-569662386.jpg

Available as a Trial Account

You can test KCM for yourself using one of the KnowBe4 pre-built compliance requirements templates listed below. Request a demo and get a walk-through of KCM to get started.

Available Compliance Requirements Templates

The following is a list of the currently available pre-built compliance requirements templates offered for KCM. If a regulation you need is not listed below, you can simply build your own using our custom templates feature:
  • PCI-DSS
  • HIPAA
  • ISO 27001
  • NIST SP800-53
  • NIST Cyber Security Framework
  • FFIEC Cybersecurity Assessment Tool
  • CIS Critical Security Controls
  • COSO Fundamentals
  • ACCSC Accreditation
  • NIST SP800-171 Protecting Controlled Unclassified Information
  • SEC OCIE Cybersecurity Examination Initiative
  • AICPA SSAE16 SOC 2 Trust Services Principles with Privacy
  • Cloud Security Alliance - Cloud Controls Matrix 3
  • New York State - Department of Financial Services - 23 NYCRR 500 Cybersecurity Requirements
  • FDA 21 CFR Part 11 Requirements for Electronic Records
See how you can get through an audit in half the time and half the cost: Request a Demo: https://www.knowbe4.com/demo_kcm
Don’t Miss the July Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, July 12, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • Social Engineering Indicators patented technology turns every simulated phishing email into a tool IT can use to instantly train employees.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Active Directory Integration allows you to easily upload, sync and manage users, set-it-and-forget-it.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 11,000+ organizations have mobilized their end-users as their last line of defense. Register Now:
https://attendee.gotowebinar.com/register/8809289744464830722

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"We can easily forgive a child who is afraid of the dark; the real tragedy of life is when men are afraid of the light."
- Plato - Philosopher

"Let the refining and improving of your own life keep you so busy that you have little time to criticize others."
- H. Jackson Brown, Jr. - Author



Thanks for reading CyberheistNews
Security News
Can Frequent Security Training Help Thwart "As-A-Service" Attacks?

Nicole Henderson at WindowsITPro wrote: "The on-demand economy has made life a lot more convenient. But it’s also made it a lot more convenient for the wrong people; take cybercriminals, for example, who are able to buy phishing attacks as a service with nothing more than a Bitcoin wallet.

Cybercriminals are rapidly developing services that they sell on the dark web, or what KnowBe4 CEO Stu Sjouwerman calls “services by criminals for criminals.”

In recent years, cybercriminals have developed platforms where “every wannabe cyber crim[sic] can just go to that website, pay a fraction of a Bitcoin, and send out a phishing campaign in a few hours instead of having to do all of this stuff themselves,” Sjouwerman said. So not only are phishing attacks and ransomware becoming more sophisticated, but they are also becoming much more accessible, making a dangerous combination for ill-prepared organizations. Full article:
http://windowsitpro.com/security/can-frequent-security-training-help-thwart-service-attacks
Cyberattack Forces Hospital to Scrap Computers

Princeton Community Hospital in rural West Virginia will scrap and replace its entire computer network after being struck by the cyberattack paralyzing computers globally.

The cyberattack, known as Petya, froze the hospital’s electronic medical record system early Tuesday, leaving doctors unable to review patients’ medical history or transmit laboratory and pharmacy orders, said Rose Morgan, the hospital’s vice president of patient care services.

Officials were unable to restore services, and found there was no way to pay a ransom for the return of their system. So, after consulting with the Federal Bureau of Investigation and cybersecurity experts, officials made the decision to replace the system. Full article at Wall Street Journal (note: there is a paywall)
https://www.wsj.com/article_email/cyberattack-forces-west-virginia-hospital-to-scrap-its-computer-systems-1498769889-lMyQjAxMTE3OTM2MDkzNjAzWj/
Palo Alto Networks: Evolving Ransomware Is the Biggest Cyber Security Threat

INTERVIEW: Silicon talks cyber security threats with Aaron Miller, senior technologist at Palo Alto Networks.

Cybersecurity is typically one of the fastest moving areas of the technology world, with zero-days cropping up on a highly regular basis and old malware resurfacing in a refreshed form, poised to wreak havoc on seemingly protected networks.

Unfortunately, that situation is not likely to change anytime soon, according to Aaron Miller, senior technologist at Palo Alto Networks.

At Silicon’s stand at Infosecurity 2017, Miller echoed the general trend of ransomware retaining its position at the top of the malware threat pile.

“I think it would be remiss to not mention WannaCry,” said Miller, referencing the ransomware attack that spread voraciously across many systems worldwide.

“Ransomware is very prevalent; we’re seeing different iterations of ransomware hitting the marketplace.” Full article at:
http://www.silicon.co.uk/security/ransomware-palo-alto-networks-216505?inf_by=593e3e01671db8a87c8b4a3a
SANS July Issue of OUCH!

They said: "We are excited to announce the July issue of OUCH! This month, led by Guest Editor Steve Armstrong, we focus on Gaming Online Safely and Securely. Online gaming is a fun and great way to meet and play with others. However, it comes with its own set of risks, especially for kids. Learn how to securely and safely game online, to include advice for children. Share OUCH! with your family, friends, and coworkers."
English Version (PDF): https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201707_en.pdf
Can You Be Spoofed? Find out for a Chance to Win.

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? If they can, they are able to launch a "CEO fraud" spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome Stormtrooper Helmet Prop Replica at the same time.

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless steel lock-pick business card!

To enter, just go here and fill out the form; it's quick, easy and often a shocking discovery. Yep, it’s that easy.
https://info.knowbe4.com/dst-sweepstakes-062017
Interesting News Items This Week

Ransomware Attack Affects 500,000 Patients:
http://www.bankinfosecurity.com/ransomware-attack-affects-500000-patients-a-10057

Phishing and Social Engineering Cause Over Half of All Cyber Incidents:
https://www.infosecurity-magazine.com/news/phishing-and-social-engineering/

Cyber Attacks Have Long-Lasting Business Impact: Lloyd’s of London:
http://www.oann.com/cyber-attacks-have-long-lasting-business-impact-lloyds-of-london/

Classic Ether Wallet Compromised Via Social Engineering:
https://threatpost.com/classic-ether-wallet-compromised-via-social-engineering/126657/

Breached Bitcoin Bithumb Bosses Blame Bod's BYOD “Humans Still The Weakest Link”:
http://www.theregister.co.uk/2017/07/06/bithumb_hack/

SMBs need to fortify their ‘human firewall’ with cybersecurity training:
http://thirdcertainty.com/infographics/smbs-need-to-fortify-their-human-firewall-with-cybersecurity-training/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.