CyberheistNews Vol 7 #36
Scam of the Week: Equifax Phishing Attacks
You already know that a whopping 143 million Equifax records were compromised. The difference with this one is that a big-three credit bureau like Equifax tracks so much personal and sometimes confidential information: social security numbers, full names, addresses, birth dates, and for some people even driver's licenses and credit card numbers.
Data like this can make the difference between being able to buy a house, or sometimes even get a job, and being turned down. This breach and the way they handled it, including the announcement, was what Brian Krebs rightfully called a dumpster fire.
The problem is that with this much personal information in the hands of the bad guys, highly targeted spear phishing attacks can be expected, and a variety of other related crime like full-on identity theft on a much larger scale.
These records are first going to be sold on the dark web to organized crime for premium prices, for immediate exploitation, sometimes by local gangs on the street. Shame on Equifax for this epic fail. They will be sued for billions of dollars for this web-app vulnerability.
So this Scam of the Week covers what is inevitable in the near future, we have not seen actual Equifax phishing attacks at this point yet, but you can expect them in the coming days and weeks because the bad guys are going to take their most efficient way to leverage this data... email.
I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:
"Cyber criminals have stolen 143 million credit records in the recent hacking scandal at big-three credit bureau Equifax. At this point you have to assume that the bad guys have highly personal information that they can use to trick you. You need to watch out for the following things:
- Phishing emails that claim to be from Equifax where you can check if your data was compromised
- Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
- Calls from scammers that claim they are from your bank or credit union
- Fraudulent charges on any credit card because your identity was stolen
- First sign up for credit monitoring (there are many companies providing that service including Equifax but we cannot recommend that)
- Next freeze your credit files at the three major credit bureaus Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis: http://consumersunion.org/research/security-freeze/
- Check your credit reports via the free annualcreditreport.com
- Check your bank and credit card statements for any unauthorized activity
- If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself: www.idtheftcenter.org. You can also call the center’s toll-free number (888-400-5530) for advice on how to resolve identity-theft issues. All of the center’s services are free.
It's only early days in this hack, there will be a lot more information coming out in the days ahead. We will keep you updated when more news is available.
Let's stay safe out there!
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.
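As an added illustration of the first warning above (lure emails claiming to come from Equifax), here is a small defender-side check that flags sender and link domains imitating the brand. This is example code written for this newsletter, not KnowBe4's; it assumes equifax.com is the only legitimate domain and runs on a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the brand keyword and its only legitimate domain.
BRAND = "equifax"
LEGIT_DOMAINS = {"equifax.com"}

# Constructed sample lure (not a real message): the sender domain and the link
# target both contain the brand name, and the visible link text hides the target.
SAMPLE_LURE = """\
From: Equifax Security <alerts@equifax-breachcheck.com>
Subject: Check whether your data was compromised
Content-Type: text/html; charset=utf-8

<p>Verify your records: <a href="http://equifax.com.verify-login.net/check">https://www.equifax.com/personal</a></p>
"""

# Same message with the brand's real domain everywhere: should raise no flags.
SAMPLE_LEGIT = SAMPLE_LURE.replace("equifax-breachcheck.com", "equifax.com").replace(
    "http://equifax.com.verify-login.net/check", "https://www.equifax.com/personal")

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Crude, but enough for .com lures;
    a production filter would consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_brand_lures(raw_email: str) -> list:
    """Return human-readable reasons a message looks like a brand-impersonating lure."""
    msg = message_from_string(raw_email)
    reasons = []

    # 1. Sender domain contains the brand name but is not the brand's domain.
    sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    if BRAND in sender_host and registrable_domain(sender_host) not in LEGIT_DOMAINS:
        reasons.append(f"sender domain {sender_host} imitates {BRAND}")

    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in ANCHOR_RE.findall(html):
            host = urlparse(href).hostname or ""
            dom = registrable_domain(host)
            # 2. Link target uses the brand name on a domain the brand does not own.
            if BRAND in host and dom not in LEGIT_DOMAINS:
                reasons.append(f"link host {host} imitates {BRAND}")
            # 3. Visible link text shows one domain while the href goes elsewhere.
            shown = re.search(r"https?://([^/\s]+)", re.sub(r"<[^>]+>", "", text))
            if shown and registrable_domain(shown.group(1)) != dom:
                reasons.append(f"link text shows {shown.group(1)} but points to {host}")
    return reasons


if __name__ == "__main__":
    for reason in find_brand_lures(SAMPLE_LURE):
        print("FLAG:", reason)
    print("legit message flags:", find_brand_lures(SAMPLE_LEGIT))
```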
Which of Your Users' Credentials Are Part of a Known Data Breach?
And while we are on the topic of data breaches...would you like to know which of your users' credentials are part of a known data breach?
We have something super cool for everyone, customers and non-customers both, and there is no cost.
Many of the email addresses and identities of your organization are exposed on the Internet and easy to find for cybercriminals. With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization.
Our NEW Email Exposure Check Pro goes even further to identify the at-risk users in your organization by crawling business social media information and scouring hundreds of breach databases. This is done in two stages:
First Stage: Does deep web searches to find any publicly available organizational data. This will show you what your organizational structure looks like to an attacker, which they can use to craft targeted spear phishing attacks.
Second Stage: Finds any users that have had their account information exposed in any of several hundred breaches. These users are particularly at-risk because an attacker knows more about that user, up to and including their actual passwords!
Your EEC Pro Reports: We will email you back a summary report PDF of the number of exposed emails, identities and risk levels found. You will also get a link to the full detailed report of actual users found, including breach name and if a password was exposed.
This is so important that even if you already ran your one-time no-charge legacy EEC, you are eligible to try the new Pro version. Run your complimentary one-time Email Exposure Check Pro here. Results come back in a few minutes:
https://info.knowbe4.com/email-exposure-check-pro-chn
Don’t Miss the September Live Demo: Simulated Phishing and Awareness Training
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Wednesday, September 13, 2017, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
- NEW, Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
- Social Engineering Indicators patent-pending technology, turns every simulated phishing email into a tool IT can use to instantly train employees.
- Access to the world's largest library of awareness training content through our innovative Module Store.
- Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
- Reporting to watch your Phish-prone percentage drop, with great ROI.
Register Now: https://attendee.gotowebinar.com/register/9049513244680662785
Quotes of the Week
"I was obliged to be industrious. Whoever is equally industrious will succeed equally well." - Johann Sebastian Bach - Composer (1685 - 1750)
"Football is like life - it requires perseverance, self-denial, hard work, sacrifice, dedication and respect for authority." - Vince Lombardi
Thanks for reading CyberheistNews
Security News
NIST Develops Guidelines for Dealing With Ransomware Recovery.
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) along with vendors and businesses within the cybersecurity community teamed up to develop a recovery guide for firms hit with ransomware attacks.
Researchers said the goal of the guide is to help organizations recover data from cybersecurity events, facilitate smooth recovery in the event of a compromise, and manage enterprise risks, according to the Data Integrity Recovering from Ransomware and Other Destructive Events report.
“Organizations must be able to quickly recover from a data integrity attack and trust that any recovered data is accurate, complete, and free of malware,” researchers said in the guide. “Data integrity attacks caused by unauthorized insertion, deletion, or modification of data have compromised corporate information including emails, employee records, financial records, and customer data.” More:
https://www.scmagazine.com/feds-release-guided-on-mitigating-ransomware-threats/article/687317/
SANS Announces September Issue of OUCH!
They said: "We are excited to announce the September issue of OUCH! This month, led by Guest Editor Chris Christianson, we explain Password Managers. Organizations and security professionals heavily promote that everyone should have a unique password for every account, but do little to explain HOW to store or memorize them all. Password managers are a simple and secure solution that enables people to store as many unique passwords, secret questions/answers and other sensitive information as they need. In addition, both NIST (SP800-63-3b) and the UK NCSC now promote the use of Password Managers. Share OUCH! with your family, friends, and coworkers." English Version (PDF):
https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201709_en.pdf?utm_medium=Email&utm_source=Houselist+Ouch&utm_campaign=STH+Ouch!&utm_content=English+Version
WIRED: "Hackers Gain Direct Access to US Power Grid Controls"
"IN AN ERA of hacker attacks on critical infrastructure, even a run-of-the-mill malware infection on an electric utility’s network is enough to raise alarm bells. But the latest collection of power grid penetrations went far deeper: Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will.
"Symantec on Wednesday revealed a new campaign of attacks by a group it is calling Dragonfly 2.0, which it says targeted dozens of energy companies in the spring and summer of this year. In more than 20 cases, Symantec says the hackers successfully gained access to the target companies’ networks. And at a handful of US power firms and at least one company in Turkey—none of which Symantec will name—their forensic analysis found that the hackers obtained what they call operational access: control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into US homes and businesses.
“There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage ... being able to flip the switch on power generation,” says Eric Chien, a Symantec security analyst. “We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”" Story at WIRED:
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
NOTE that in America, business networks are physically disconnected from the SCADA systems that run the plants, so the penetration risks here are a lot less than in some other countries.
Interesting News Items This Week
The DNC’s Technology Chief Is Phishing His Staff. Good!:
https://www.wired.com/story/the-dncs-technology-chief-is-phishing-his-staff-good/
SANS: Ransomware is Biggest Threat to Data Security:
https://www.infosecurity-magazine.com/news/sans-ransomware-is-biggest-threat/
New ESET research uncovers Gazer, the stealthy backdoor that spies on embassies:
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
Hackers Targeting UK Uni’s For Medical, Missile And Scientific Data:
http://www.informationsecuritybuzz.com/expert-comments/hackers-targeting-uk-unis-mediacal-missile-scientific-data/
A different take on the ransom tactic. MongoDB Customers Held to Ransom Again:
https://www.infosecurity-magazine.com/news/mongodb-installations-held-to/
Inaudible ultrasound commands can be used to secretly control Siri, Alexa, and Google Now:
https://www.theverge.com/2017/9/7/16265906/ultrasound-hack-siri-alexa-google#comments
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- 12 of the World's Most Stunning Public Staircases:
https://www.architecturaldigest.com/gallery/worlds-most-stunning-public-staircases
- Magician Eric Jones Amazes the judges and audiences of America's Got Talent 2017 with his incredible coin tricks:
http://www.flixxy.com/eric-jones-coin-magic-americas-got-talent-2017-semi-final.htm?utm_source=4
- Penn and Teller perform the 'ball and vase' magic trick inspired by Jimmy Fallon's Classroom Instruments series:
http://www.flixxy.com/backstage-magic-trick-by-penn-and-teller.htm?utm_source=4
- A funny lame comedy skit that clearly shows how man's universal weakness is not money:
http://www.flixxy.com/mans-greatest-weakness.htm?utm_source=4
- Ten amazing optical illusions: Rooftop, Color, Motion Binding, Crazy Wire, Duck-Rabbit, Silver Egg, Anamorphic, Water, Animated Optical:
http://www.flixxy.com/10-amazing-optical-illusions.htm?utm_source=4