CyberheistNews Vol 7 #47 Scam of the Week: Warn Your Users About Uber Phishing Attacks




CyberheistNews Vol 7 #46
Scam of the Week: Warn Your Users About Uber Phishing Attacks

Uber Total Loss: 57 million records stolen but data breach was hidden for a year.

Oh boy. Uber is known for pushing the limits of the law and has dozens of lawsuits pending against it, but this one went too far and now comes the reckoning.

Bloomberg was first to report that hackers stole the personal data of 57 million customers and drivers from Uber, a massive breach that the company concealed for more than a year. Finally, this week, they fired their chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a 100,000 dollar payment to the attackers to "delete the data".

They tried to get away with the incident by calling it a "bug bounty reward" and sweeping it under the floor mats that way. Yeah, sure!

Here is the write-up, the sordid details, and a ready to copy/paste/edit blurb you can email to your users, friends and family first thing today:
https://blog.knowbe4.com/uber-total-loss-57-million-records-stolen-but-data-breach-was-hidden-for-a-year

Fake Symantec Blog Spreads the macOS Proton Malware

Sunday night, a series of tweets from security researcher @noarfromspace revealed a new variant of the OSX.Proton malware, spreading via a concerning new method: spoofing security company Symantec’s blog.

The malware is being promoted via a fake Symantec blog site at symantecblog[dot]com. The site is a good imitation of the real Symantec blog, even mirroring the same content. The registration information for the domain appears, at first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway, however.

The bad guys have made up a completely fictitious product, "The Symantec Malware Detector", and use social engineering to trick the user into installing it. Train those users to not fall for social engineering tactics like that. More at Malwarebytes:
https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/

Massive Phishing Attack on Businesses With Evil New Ransomware Strain

The Scarab ransomware strain has been updated again and is spreading via the Necurs botnet in a massive campaign of 12.5 million emails, mostly targeting .com domains.

Scarab was first spotted in June 2017, appending the .scarab file extension to encrypted files. Later it was updated and started using the .scorpio suffix to make files inaccessible.

The current campaign is spreading a third, updated version of the ransomware which, to prevent users from using third-party recovery tools, deletes Shadow Volume Copies and other default Windows recovery features.

Although this cybercrime gang is smaller, they are pros in social engineering and know the successful tactics to manipulate people into opening a malicious attachment. Currently, Scarab’s payload is included in emails with fake images of scanned documents, which have subject lines like:
  • Scanned from Lexmark,
  • Scanned from Epson,
  • Scanned from HP,
  • Scanned from Canon.
More background, screenshots and links at the KnowBe4 blog:
https://blog.knowbe4.com/massive-phishing-attack-on-businesses-with-evil-new-ransomware-strain

Don’t Miss the December Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Thursday, December 7, 2017, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW see our latest feature: Security Roles with granular permissions
  • NEW Smart Groups puts your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 14,000+ organizations have mobilized their end-users as their last line of defense, and why KnowBe4 has made it as a Gartner Magic Quadrant Leader:
Register Now: https://attendee.gotowebinar.com/register/5507624554703389187?source=CHN

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"Always try to do something for the other fellow and you will be agreeably surprised how things come your way - how many pleasing things are done for you." - Claude M. Bristol - Writer (1891 - 1951)

"Gratitude is the sign of noble souls." - Aesop - Author (620 - 560 BC)



Thanks for reading CyberheistNews
Security News
qkG Ransomware Encrypts Only Word Documents, Hides and Spreads via Macros

Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.

The good news is that this ransomware is still under development and has not claimed any victims in the real world just yet. Trend Micro security researcher Horejsi spotted qkG at the start of the month in the mountain of suspicious files uploaded to Google's VirusTotal file scanner each day.

How qkG works

qkG is an oddity on the ransomware scene because it works very differently from similar threats. A typical qkG infection goes through the following steps:

Step 1: User downloads and opens infected Word document.

Step 2: User clicks "Enable Editing" button which allows the execution of macro scripts, which in this case is VBA code attached to the document. qkG is entirely contained within the macro script, an oddity, since most ransomware threats only use macros to download and run their main binary.

Step 3: The qkG code runs, but nothing happens. This is because qkG uses the onClose function to execute the malicious part of the macro code (the actual qkG ransomware) when the user closes the Word file.

The qkG author might have gotten inspiration from a Locky campaign that took place over the summer that also used the onClose function inside Word macro scripts to download and run the Locky ransomware. More:
https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/
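
An added example, not code from this newsletter or from the researchers it cites: a small Python triage over already-extracted VBA macro text that flags close-triggered procedures and whether they reference the default template or the macro object model, the behaviour described for qkG above. It assumes the "onClose function" corresponds to Word's `Document_Close` and `AutoClose` procedures; the sample macros are constructed and inert.

```python
import re
# Word runs these VBA procedures automatically when a document is closed
# (assumed here to be what the article calls the "onClose function").
CLOSE_SUB = re.compile(
    r"^[ \t]*(?:(?:Private|Public)[ \t]+)?Sub[ \t]+(Document_Close|AutoClose)\b"
    r"(.*?)^[ \t]*End[ \t]+Sub\b",
    re.I | re.M | re.S,
)
INDICATORS = {
    # Word's default document template (Normal.dotm), loaded for every document.
    "touches_default_template": re.compile(r"\bNormalTemplate\b|\bNormal\.dotm?\b", re.I),
    # VBA object model used by macro code that reads or rewrites macro code.
    "edits_macro_code": re.compile(r"\b(?:VBProject|VBComponents|CodeModule)\b", re.I),
}

def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def triage_macro(vba_source):
    """Return {handler_name: sorted indicator names} for close-triggered subs."""
    code = "\n".join(strip_comment(l) for l in vba_source.splitlines())
    findings = {}
    for match in CLOSE_SUB.finditer(code):
        name, body = match.group(1), match.group(2)
        findings[name] = sorted(k for k, rx in INDICATORS.items() if rx.search(body))
    return findings

# Constructed, inert sample inputs (no payload logic), for illustration only.
SAMPLE_SUSPICIOUS = '''
Private Sub Document_Close()
    Dim n As Long
    n = NormalTemplate.VBProject.VBComponents.Count
    MsgBox "it's closing"  ' apostrophe inside a string is not a comment
End Sub
'''
SAMPLE_BENIGN = '''
Private Sub Document_Close()
    ' does not touch NormalTemplate or VBProject
    ActiveDocument.Save
End Sub
'''
if __name__ == "__main__": print(triage_macro(SAMPLE_SUSPICIOUS), triage_macro(SAMPLE_BENIGN))
```

A close handler on its own is common in legitimate documents; the combination with template or macro-code access is what makes a file worth a closer look.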

Drive-By Phishing Scams Race Toward Uber Users

Matt Schwartz at BankInfoSecurity had the best write-up. He started with: "Social Engineering the Masses: Ready, Set, Go"

"Indeed, hardly any time elapsed after Uber came clean Tuesday about the year-old breach it had concealed before crack teams of social engineers unleashed appropriately themed phishing messages designed to bamboozle the masses.

"Less than 24 hours after the Uber hack news broke, the phishing attacks started," says Australian data breach expert Troy Hunt via Twitter.

Hunt's alert comes in the wake of IT consultant Dale Meredith warning that he'd flagged his first verified phishing email with an Uber theme, which asks for people to change their password. Of course, this isn't a valid password-change request but rather a way for crooks to capture people's legitimate passwords. Doing so allows criminals to log into any account that shares the same email address, for which the user has reused their password."

Fun Fact: the screenshot of the example phishing email is one of KnowBe4's phishing templates we create for our customers. You can see it here:
https://www.bankinfosecurity.com/blogs/drive-by-phishing-scams-race-toward-uber-users-p-2566

Only 12% of Organizations Are Likely to Detect a Sophisticated Cyber Attack

According to the EY survey of nearly 1,200 C-level leaders of the world’s largest and most recognized organizations, 12% of respondents are likely to detect a sophisticated cyber attack. Findings also show that 56% of those surveyed are making or planning to make changes to their strategies and allocate budget for cybersecurity to build stronger resilience to such attacks. More:
https://www.helpnetsecurity.com/2017/11/22/detect-sophisticated-cyber-attack/

Canadian Business Banking Customers Hit With Targeted Phishing, Account Takeover Attacks

IBM X-Force research has been following the activity of a cybergang that has been targeting Canadian businesses with customized phishing attacks, likely operating out of Ukraine.

The attacks are designed to trick those with account access to divulge their company’s online banking credentials, one-time passwords and two-factor authentication codes.

The goal of this targeted phishing attack is to take the account over and transfer money to mule accounts that the criminals control. These attacks are a prime reason to step high-risk employees like Accounting, HR, C-level execs and Sales/Marketing through new-school security awareness training. More:
https://securityintelligence.com/canadian-business-banking-customers-hit-with-targeted-phishing-account-takeover-attacks/

In the UK, Under 25s More Likely to Be Duped by Phishing Scams

The UK's ‘Get Safe Online Week’ took place in late October. The week addressed the lack of awareness that still exists around surfing the internet securely, and promoted best practice advice from security experts to reduce the frequency that people fall victim to cybercrime.

As part of the event, the "Get Safe Online" organisers published survey findings that revealed that under 25s are now more than twice as likely to fall victim to ‘friends and family’ phishing scams than baby boomers (over 55s).

Furthermore, not only are they being duped more often, but they’re also being scammed out of more money each time – typically losing £613 compared to £214 by the older generation. The survey went on to identify phishing as the tactic used most often to trick unfortunate victims into handing over cash. More:
https://www.itproportal.com/features/under-25s-more-likely-to-be-duped-by-phishing-scams/

Try the Weak Password Test for a Chance to Win a Nintendo Switch

Are your users’ passwords...P@ssw0rd? Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used stolen and/or weak passwords. (The recent Bad Rabbit ransomware attack is a scary example of this.) Employees are the weakest link in your network security.

KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action. Plus, you’ll be entered to win a Nintendo Switch.

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!

To enter, just go here and fill out the form. It's quick, easy and often a shocking discovery. Yep, it’s that easy. Hurry, deadline to enter is Nov 30th...
https://info.knowbe4.com/wpt-sweepstakes-082017

Interesting News Items This Week

Google admits tracking users' location even when setting disabled:
http://www.zdnet.com/google-amp/article/google-admits-tracking-users-location-even-when-setting-disabled/

Norway issues Holiday phishing warning. Note: Warnings getting closer to Santa's base of operations:
https://www.telecompaper.com/news/telenor-norway-warns-of-hacking-and-phishing-ahead-of-black-friday--1221526

I was on TV, interviewed about the iPhone X facial recognition vulnerabilities:
http://www.abcactionnews.com/money/consumer/cyber-security-expert-iphone-x-facial-recognition-is-vulnerable

Over 400 Popular Sites Record Your Every Keystroke and Mouse Movement. Yikes!:
https://thehackernews.com/2017/11/website-keylogging.html

DDoS Attack Attempts Doubled in 6 Months:
https://www.darkreading.com/mobile/ddos-attack-attempts-doubled-in-6-months/d/d-id/1330460?

Millions of Computers Affected By Intel Firmware Flaws:
https://www.bankinfosecurity.com/millions-computers-affected-by-intel-firmware-flaws-a-10464

Ransomware damage costs predicted to hit 11.5 billion dollars by 2019:
https://www.csoonline.com/article/3237674/ransomware/ransomware-damage-costs-predicted-to-hit-115b-by-2019.html

When Russia's most notorious hackers hired servers from a UK-registered company, they left a trove of clues behind, the BBC discovered. Sloppy Hacker OpSec:
http://www.bbc.com/news/technology-42056555
Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.