CyberheistNews Vol 7 #41
Watch out for This New Hybrid Amazon Phishing/Phone Password Scam
So here’s a new one: a spoofed Amazon email claiming that Amazon has detected an unauthorized attempt to reset the password on the recipient’s account. A six digit code is provided along with instructions to call a phone number to “verify your identity.”
A number of users online have reported receiving this phish over the past month. Some have even called the provided phone number. They report their calls being answered by individuals speaking with a thick Indian accent who then attempt to direct them to a web site in order to input more information.
We have yet to find a user providing a detailed account of just where the scam web site is that people get redirected to, or what information is requested. Our guess at this point is that it’s either an elaborate credentials phish or the set up for a techsupport scam where the bad guys inform users that they must download a RAT (remote access trojan) to allow their personnel to “clean” users' PCs of malware.
Train your users to not fall for this new hybrid phishing scam that uses social engineering to manipulate them into allowing the bad guys into their workstation. Screen shot of this phish at the KnowBe4 Blog:
https://blog.knowbe4.com/watch-out-for-this-new-new-amazon-phishing/phone-password-scam
A New Spear Phishing Attack Uses Compromised Government Servers and DNS
Cisco's Talos malware researchers posted about a highly sophisticated, targeted spear phishing attack using malicious Word attachments, spoofed to look like it was from the U.S. Securities and Exchange Commission EDGAR filing system, and used DNS to create a bidirectional Command & Control channel.
The Word attachments contained SEC logos and branding, social engineering the user to believe that the emails were legit and click on prompts.
Using this channel, the attackers were able to abuse the Microsoft DDE protocol which allows dynamic data exchange between applications, and use the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server. The targets included insurance, finance, and IT companies.
Cisco said: "We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain.
Craig Williams, senior threat researcher and global outreach manager at Talos, told SC Media that Cisco's threat intelligence team first observed the SEC phishing campaign on October 10. In its report, Talos does not elaborate on which companies were specifically targeted by the phishing operation, other than to note that the intended victims were similar to those targeted in prior DNSMessenger campaigns.
"These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate."
Earlier this year, researchers at SensePost determined that DDE could be essentially exploited to execute malicious code in Microsoft Word. Microsoft reportedly chose not to act on the findings, calling this functionality an intentional feature. However, SensePost noted in a blog post that Microsoft said it would consider reclassifying the feature as a bug in the next version of Windows.
Asked for comment, a Microsoft spokesperson offered the following statement: “This technique requires a user to disable Protected Mode and click through one or more additional prompts. We encourage customers to use caution when opening suspicious email attachments.” New-school security awareness training would be very helpful with that.
Opening the attachment would trigger a notification indicating that the document contains links to external files, and asking the user for permission to import and display this content. Agreeing to do so triggered the infection, as the document would use the Windows DDE protocol to retrieve malicious code from a compromised government website owned by the state of Louisiana.
"This attack shows the level of sophistication that is associated with threats facing organizations today," Talos notes in its blog post. "The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace."
Our comment: "Train those users!"
Can You Be Spoofed? Find out for a Chance to Win.
Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.
KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome Nintendo Switch at the same time. Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!
To enter just go here fill out the form, it's quick, easy and often a shocking discovery. Yep, it’s that easy:
https://info.knowbe4.com/dst-sweepstakes-102017
Scam of the Week: Las Vegas Shooting Victims Charity
And again—it is enough to make you nauseous—low-life scum on the internet are using a tragedy and try to scam money out of people that want to help the victims.
The Nevada Attorney General’s office is investigating reports of fake online charities collecting donations on behalf of victims that were killed or wounded at a shooting at a country music festival in Las Vegas Oct. 1. Officials are partnering with GoFundMe and other social media sites to take down these fraudulent pages.
There has been at least one Facebook page that has been shut down in light of the recent tragedy that was soliciting fraudulent donations. The Attorney General’s office is also aware of other complaints and pursuing those as well.
“There continue to be sham charities and websites seeking to profit from this horrific tragedy,” said Nevada Attorney General Adam Laxalt. “Complaints from local consumers continue to be the best source of information for our Bureau of Consumer Protection in investigating claims of misrepresentation.”
Steve Weisman wrote: "Scammers will call you, text you, email you or set up websites with the intent to steal your charitable donations. In the case of phony charity websites, they are sometimes set up to appear to be those of legitimate charities with which you may be familiar".
At the risk of sounding like a broken record, I suggest you send employees, friends and family an email about this Scam of the Week, feel free to copy/paste/edit:
"Heads-up! Bad guys are exploiting the Las Vegas shooting. There are fake Facebook pages, tweets are going out with fake charity websites, and phishing emails are sent out asking for donations to bogus Vegas Charities.
Don't fall for any scams. If you want to make a donation, you can go to http://www.charitynavigator.org before you consider giving to any charity. This free website will let you know if the charity is legitimate or a scam. It will also tell you how much of what it collects actually goes toward its charitable work and how much it spends on salaries and administration expenses.
Do not click on any links in emails or text you might get. Whatever you see in the coming weeks about Las Vegas disaster relief... THINK BEFORE YOU CLICK.
For KnowBe4 customers, we have a phishing template, in Current Events titled: "Fox Breaking News: ISIS Releases Video Claiming Responsibility for Las Vegas Shooting (Link)". Send this to your employees to inoculate them against disaster relief scams like this.
Webinar: Your Organization Through the Eyes of an Attacker
Attackers follow a number of paths as they search for entry-points into your organization. In this webinar, we'll show you easy ways to stalk and attack your organization to improve security.
Join Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and former Gartner Research Analyst, in this practical session providing a high-level overview of the theory/practices used, showing you how to simulate those same tactics using both free and subscription-based aspects of KnowBe4's platform.
Key topics covered in this 30-minute webinar:
- Understanding the attacker's workflow
- Selecting targets and entry points
- Promoting a culture of security awareness
- Creating your own 'Red Team' activities using KnowBe4 as part of penetration testing initiatives
Great for a lunch break. You can watch it Right Now!
https://info.knowbe4.com/webinar-your-organization-through-the-eyes-of-an-attacker
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.
Quotes of the Week
"Peace cannot be kept by force; it can only be achieved by understanding." - Albert Einstein
"When the power of love overcomes the love of power the world will know peace." - Jimi Hendrix
Thanks for reading CyberheistNews
Security News
Carbon Black Says Ransomware Kit Sales on the Dark Web Shoot up 2,502%
A new report from Carbon Black’s Threat Analysis Unit (TAU) used their data and modeling techniques to come up with an estimate of ransomware sales transactions activity on the Dark Web.
Criminal ransomware startups—“Ransompreneurs” if you will—can make over 100,000 dollars per year through sales of their source code along with offering advanced code tutoring, or they can just sell a kit which enables a newbie to quickly get into the business.
Based on their model they estimate, “In a comparison of 2016 to 2017, Carbon Black found that the Ransomware Marketplace has grown from 249,287.05 to 6,237,248.90 dollars, revealing a growth rate of 2,502%.”
These are growth rates worthy of an Inc. 500 company.
What do you get when you combine availability of do-it-yourself ransomware-as-a-service kits (RaaS), novice cybercrooks, cryptocurrency and anonymity tools? A market opportunity for newbies to cash in on the gravy train and make a quick, illegal bundle of Bitcoin by attacking businesses and/or end users.
It’s now easier than ever for Ransompreneurs to do their own thing. Some are even using the software affiliate model of distribution complete with affiliate transaction cuts down the chain.
Providing aspiring cybercrims with easy to deploy DIY ransomware solutions to collect ransom via Bitcoin spawned a rapidly growing but still relatively small illegal software cottage industry. Given the availability of tools and the tutoring effect of shared knowledge, the platform for RaaS enabled attackers has driven up the number of total Ransomware attacks.
According to Carbon Black's report: “The most notable innovations contributing to the proliferation and success of the dark web ransomware economy have been the emergence of Bitcoin for a ransom payment, and the anonymity network Tor, to mask illicit activities.
Bitcoin allows money to be transferred in a way that makes it nearly impossible for law enforcement to “follow the money.” Bank transfers and credit card transactions traditionally aid in the quick takedown of scams. Bitcoin means there’s no bank to identify the account holder.”
The TAU report noted: “Unlike many other forms of cyberattacks, ransomware can be quickly and brainlessly deployed with a high probability of profit.”
More background, 6 key findings, and a link to the full report (PDF) at the KnowBe4 blog:
https://blog.knowbe4.com/carbon-black-says-ransomware-kit-sales-on-the-dark-web-shoot-up-2502
Year-to-Date Data Breaches up 18.5%
Piper Jaffray keeps track of data breaches, and the picture does not look very good.
The Total Breaches YTD was up 18.5% - There have been 1,012 total reported breaches through the first nine months of 2017, which is up 18.5% from 2016. There has been one mega breach and 9 other large breaches YTD in 2017, which compares to one mega breach and 14 other large breaches YTD in 2016. The three largest breaches YTD exposed a total of 156.5 million records, with Equifax being the largest.
Total YTD Records Exposed Down vs 2016 - While the number of breaches is up in 2017, the total number of records stolen is down, primarily due to the mega-breach at Yahoo in September 2016. Year-to-date in 2017, 176.2 million records have been exposed, which is 67% below the total number of records exposed through the first nine months of 2016. However, excluding the mega-breaches at Yahoo and Equifax, the total number of records stolen is only down 7.7% year-over-year.
Find out How Vulnerable Your Network Is Against 3 NEW Ransomware Scenarios
We’ve added three new test scenarios to our Ransomware Simulator "RanSim", giving you a quick look at the effectiveness of your existing network protection against these additional nasty ransomware strains that are in the wild:
- CitroniVariant - A specific scenario designed to simulate the distinct file encryption activity of Critroni/CBT ransomware.
- Collaborator - An advanced scenario that spawns multiple processes to carry out encryption routines.
- VirlockVariant - One of the more complex scenarios, designed to simulate a variant Virlock that uses watchdog processes to keep encryption processes restarted.
RanSim will now simulate a total of 13 ransomware infection scenarios and show you if a workstation is vulnerable to infection.
Here's how RanSim works:
- 100% harmless simulation of a real ransomware infection
- Does not use any of your own files
- Tests 13 types of infection scenarios
- Just download the install and run it
- Results in a few minutes!
RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye-opening experience for many IT pros.
Download Your Complimentary Copy Of RanSim Now:
https://info.knowbe4.com/ransomware-simulator-tool-1chn
Phishing Emails That Invoke Fear, Urgency, Get the Most Clicks
DarkReading: "The most commonly clicked phishing emails include urgent calls to action, or exploit victims' desire for popularity. If an employee receives an email about a data breach, chances are they're going to click. If an "important" or "urgent" message arrives from human resources, they're going to want to know why. If an email warns their password is about to expire, they will investigate further to change it.
Hackers know this, which is why they have begun to prey on victims' sense of urgency in phishing attacks. The most effective phishing email subject lines include psychological triggers to get people to click, discovered security awareness firm KnowBe4 in a study of most-clicked phishing email subject lines for Q3 2017. After all, nobody wants to miss an important message from HR.
Sophisticated phishing emails are behind more than 90% of successful cyberattacks, said Mike Rogers, former chairman of the House Intelligence Committee, at the US Chamber of Commerce's cybersecurity summit. Phishing has increased potential to dramatically affect a business' economic loss.
"When you look at the top five items, four out of those five have words like 'expires,' 'immediately,' 'notification,'" says Greg Kras, KnowBe4's chief success officer. "They're all designed to get that sense of urgency. When people see that, they go into corrective action overflow where they're trying to address what they consider to be a problem." Full article:
https://www.darkreading.com/endpoint/phishing-emails-that-invoke-fear-urgency-get-the-most-clicks/d/d-id/1330100
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- This is how it looks when the "World's Most Famous Hacker" casually says:
"Come see me at the KnowBe4 booth after my Keynote" at the SpiceWorld show:
https://youtu.be/dfQQ2M233Gs
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.