CyberheistNews Vol 8 #11 [ALERT] "A Really Difficult Phishing Scenario That's Very Hard To Beat"


I was alerted by a customer about a really difficult scenario that’s becoming all the more frequent. While there’s probably little that can be done in terms of tuning your spam filters and endpoint security tools, new-school security awareness training can make a difference. Here is the story:

"Over the past few months, we have been hit with increasing frequency with an attack that follows this 5-step pattern:
    • A known vendor or customer falls victim to a phishing attack. Their email credentials are compromised, and the “bad guy” gets access to their email account.
    • They start by changing the password, so that the victim no longer has control.
    • They then comb through past email correspondence, and using the victim’s account, signature, and logo, send out targeted emails crafted to closely resemble legit correspondence they have had with our company in the past.
    • Depending on the “bad guy’s” dedication to his craft, these could be fairly generic, or extremely specific. We’ve received one with an inquiry that referenced a specific real invoice # for that individual.
    • The email always includes a spreadsheet or PDF. The name can be generic, or can be really specific. We’ve received one titled with a specific real invoice # for that individual.

Because these emails are coming from a real email account for a real business partner, they are very hard to identify, and in some cases they are literally impossible to detect, as they are carefully crafted copies of past legitimate emails. Naturally, there are a few that cast a wide net, so they are more generic and often contain corrupted grammar or spelling, but others are indistinguishable from real emails."

What To Do About This Threat

Granted, this is a frustrating and dangerous situation, as the majority of the red flags users have been trained to watch for simply aren’t present if the scammer uses a highly targeted approach like this.

However, there is one cardinal rule that you need to stress with your users to protect against a scenario like this: DID THEY ASK FOR THE ATTACHMENT?

If they did not, then before the attachment is opened it's a very good idea to double check using an out-of-band channel like the phone: call and ask whether they sent it and why. There is little else that can be done.

Yes, that is a little more work. But also, better safe than sorry. You have to constantly work on and reinforce your security culture, anywhere in the world.
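
The cardinal rule above can also be applied on the mailbox side before a user ever sees the attachment. The following Python is an added example, not code from the newsletter, from KnowBe4 or from the customer quoted above; the domain names, addresses and mailbox contents are constructed. It flags inbound messages carrying an attachment when nobody on our side wrote into that thread beforehand, and it bounds how old our request may be, because a hijacked partner mailbox, as described above, can reply into a months-old thread that we genuinely started.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: our own mail domain; any other sender is treated as external.
OUR_DOMAIN = "example-company.test"


@dataclass
class Message:
    msg_id: str
    thread_id: str
    sender: str
    sent_at: datetime
    attachments: List[str] = field(default_factory=list)


def is_internal(address: str) -> bool:
    """Sender belongs to our organisation."""
    return address.lower().endswith("@" + OUR_DOMAIN)


def we_asked_first(msg: Message, thread: List[Message], max_age: timedelta) -> bool:
    """True if someone on our side wrote into this thread before the attachment
    arrived, and recently enough that the reply plausibly answers that request.
    An old request does not count: a compromised partner account can reply into
    a thread we genuinely started long ago."""
    window_start = msg.sent_at - max_age
    return any(
        is_internal(m.sender) and window_start <= m.sent_at < msg.sent_at
        for m in thread
    )


def unsolicited_attachments(mailbox: List[Message],
                            max_age: timedelta = timedelta(days=30)) -> List[str]:
    """Return ids of inbound messages with an attachment nobody on our side asked
    for within max_age. These are the ones to confirm out of band (by phone)."""
    by_thread: Dict[str, List[Message]] = defaultdict(list)
    for m in mailbox:
        by_thread[m.thread_id].append(m)
    flagged = []
    for msg in mailbox:
        if is_internal(msg.sender) or not msg.attachments:
            continue
        if not we_asked_first(msg, by_thread[msg.thread_id], max_age):
            flagged.append(msg.msg_id)
    return flagged


# Constructed sample mailbox (not real correspondence).
PARTNER = "accounts@partner-vendor.test"
US = "ap@example-company.test"
SAMPLE_MAILBOX = [
    # Thread t1: we asked for the invoice, the partner sends it -> solicited.
    Message("t1-1", "t1", US, datetime(2018, 3, 12, 9, 0)),
    Message("t1-2", "t1", PARTNER, datetime(2018, 3, 12, 10, 0), ["invoice-4711.pdf"]),
    # Thread t2: attachment arrives with no request from us -> flag.
    Message("t2-1", "t2", PARTNER, datetime(2018, 3, 12, 11, 0), ["invoice-4711.xlsx"]),
    # Thread t3: partner mail without attachment -> nothing to check.
    Message("t3-1", "t3", PARTNER, datetime(2018, 3, 12, 12, 0)),
    # Thread t4: our message came *after* the attachment, so it was no request -> flag.
    Message("t4-1", "t4", PARTNER, datetime(2018, 3, 12, 8, 0), ["statement.pdf"]),
    Message("t4-2", "t4", US, datetime(2018, 3, 12, 9, 30)),
    # Thread t5: we did ask, but 90 days ago; a reply now into that old thread -> flag.
    Message("t5-1", "t5", US, datetime(2017, 12, 12, 9, 0)),
    Message("t5-2", "t5", PARTNER, datetime(2018, 3, 12, 13, 0), ["remittance.pdf"]),
]

if __name__ == "__main__":
    for msg_id in unsolicited_attachments(SAMPLE_MAILBOX):
        print(f"{msg_id}: unsolicited attachment, verify out of band before opening")
```

Note that a message referencing a real invoice number, as in the customer's story, still gets flagged: the check looks only at who spoke first in the thread, not at how plausible the body looks, which is exactly the property that survives a well-crafted copy of past correspondence.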

Surprise FTC Study: *Millennials* Are The Biggest Victims Of Social Engineering

A report from the FTC found that 40% of adults age 20-29 lost money to fraud, while only 18% of adults over the age of 70 did so, challenging the narrative of older adults falling victim to scams.

Report after report has found that younger adults are the biggest victims of scams. IT leaders need to make sure those users are properly trained on cybersecurity policy and treated like all other employees in regards to security.

Story, infographic and links at the KnowBe4 Blog:
30-second Survey: "I wish I had a tool to..."

When an end-user fell for a social engineering attack, have you ever had that feeling: "I just wish I had a tool to...." but lacked that tool? Take 30 seconds and let us know what that tool would be.

Please let me know at this link to Surveymonkey. It may be redirected, so please copy and paste this in your browser:

Thanks very much in advance!
Social Engineering At The Heart Of Fileless Malware Attacks

Fileless malware is not new, but it is quickly gaining traction among attackers as a common method of compromise. After all, it is stealthy, efficient and capable of evading conventional security systems.

Today, fileless malware is more than 50% of all attacks. A fileless attack doesn't depend upon installing malicious code in a victim's machine. Instead, the attack subverts legitimate tools in a browser, or an operating system like Windows, turning them against the user.

This form of attack is attractive because it's relatively stealthy and difficult for legacy antivirus systems to detect. Basic hygiene, like patching and least privilege policies, is important, but more important are wary users attentive to their risks. Most fileless malware is distributed by social engineering: phishing, malvertising, watering holes and the like.

The careless or insufficiently alert can be manipulated to give attackers the means of exploiting weaknesses in browsers or operating systems. Interactive training is seen as a good way of increasing a business's level of protection.

These technical security measures do not, however, address the issue of human gullibility, which is integral to propagating fileless malware. A fileless malware infection can be spread via a phishing email, malvertising, watering hole or malicious download, containing a link that, once clicked, enables attackers to exploit security weaknesses in the browser or other applications, and use legitimate programs to execute their own commands.

Several of these delivery vectors utilize some form of social engineering. This reinforces the need for organizations to train their users on how to recognize and resist social engineering tactics.

Security awareness training for users should be regular and interactive. The aim is to ensure employees are aware of security risks to the organization and adopt security-conscious behavior. Full article:
Half of Ransomware Victims Recovered Their Data After Paying the Ransom Demand

A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that half the people who fell victim to ransomware infections last year were able to recover their files after paying the ransom demand.

The survey, carried out by research and marketing firm CyberEdge Group, reveals that paying the ransom demand, even if for desperate reasons, does not guarantee that victims will regain access to their files.

Timely backups are still the most efficient defense against possible ransomware infections, as it allows easy recovery.

Over a quarter of all victims lost their data for good

The survey reveals that 55% of all responders suffered a ransomware infection in 2017, compared to the previous year's study, when 61% experienced similar incidents.

Of all the victims who suffered ransomware infections, CyberEdge discovered that 61.3% opted not to pay the ransom at all. Some lost files for good (8%), while the rest (53.3%) managed to recover files, either from backups or by using ransomware decrypter applications.

Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors.

The rest (19.6%) lost their data. Ransomware authors either didn't provide ransomware decryption instructions or apps, or these tools did not yield expected results.

Overall, the study found that over a quarter of ransomware victims (27.6%) lost their data for good, either by paying or not paying the ransom demand.

Lack Of Security Awareness A Tie With Lack Of Skilled Personnel

They wrote: "Each year, we ask respondents to tell us what’s inhibiting them from defending their respective organizations against cyberthreats. In other words, what’s standing in their way?

When we first asked the question in 2013 (for our 2014 CDR), we thought for sure that “lack of budget” would come out on top. We were shocked when it only came in at second place, right after “low security awareness among employees.” But what’s even more surprising is that “low security awareness among employees” remained the top concern among security professionals for the next three years – until this year (see Figure at KnowBe4 blog).

In 2018, there is a new king of security inhibitors – “lack of skilled personnel.” But if you’ve been paying close attention to inhibitor rankings over the last four years, this shouldn’t come as a surprise: 2014: fifth place; 2015: fourth place; 2016: third place; 2017: second place; 2018: first place.

This doesn’t mean that “low security awareness among employees” is no longer of concern. Far from it. In fact, it was only nudged out of first position by one-hundredth of a point. Furthermore, you could say that there was a virtual three-way tie for first place, with “too much data to analyze” also one-hundredth of a point behind.

Stepping onto our proverbial soap box for a moment, we want to reiterate our shock and disappointment about IT security organizations’ not doing enough to train company personnel about how to minimize cybersecurity risks through safe computing. (Hello? Is anyone listening? Bueller? Bueller?)

Suffering from a shortage of high-quality security talent is completely understandable. But failing – year after year – to invest in your company’s “human firewall” is both inexplicable and inexcusable. Okay, we’ve put away our soap box until next year".

7 other findings and figures of the CyberEdge survey at the KnowBe4 Blog:
Live Webinar: What Most Computer Security Defenses Are Doing Wrong and How to Fix It

Most companies have huge gaps in their computer security defenses, and can be compromised at will by a determined hacker. The industry even has a term for it: “Assume Breach”.

But it doesn’t have to be that way!

Join Roger A. Grimes, a 30-year computer security consultant and author of 10 books, for this live webinar where he will explore the latest research on what’s wrong with current network defenses and how they got this way. Roger will teach you what most organizations are doing wrong, why, and how to fix it. You’ll leave this webinar with a fresh perspective and an action plan to improve the efficiency and effectiveness of your current computer security defenses.

In this live webinar, Roger will show you:
  • What most companies are doing wrong, why, and how to fix it
  • An action plan to improve the effectiveness of your computer security defenses
  • How to create your “human firewall”
Attend this webinar and never think about computer security the same way again.

Date/Time: Thursday, March 15th at 2:00 PM ET
Register Now:
How Vulnerable Is Your Network Against Ransomware Attacks? Find Out For A Chance To Win!

Bad guys are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s free Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. Plus, you'll be entered to win an awesome 34-Inch Curved UltraWide LG Monitor. To make it even better, we’ll pick 3 winners!

RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye-opening experience for many IT pros.

Find out if you’re vulnerable now!
Live Webinar: Securing the Human Layer

The intersection between technology and human security is a difficult challenge for any organization to tackle, and although detection technologies are advancing, criminals are rapidly evolving their techniques and tactics to even greater levels of sophistication.

Their attacks are difficult to detect, and even security administrators themselves fall victim.

Join Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, as he explains the value of better understanding human nature, patterns and success practices when using technology to build a more secure operating environment.

Hear practical advice on how to make both security and technology work with (rather than against) human nature to help reduce technology friction and simultaneously raise the security posture and resilience of the organization.

Key Topics covered in this Webinar:
  • Looking at the multi-dimensional nature of security
  • Finding relevant intersections between technology & behavior
  • Strategies to make awareness stick
  • Brainstorming activities for planning your custom "Human Firewall"
This webinar will help you take your awareness program to the next level.

Date/Time: Thursday, March 22nd at 2:00 PM ET
Register Now:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"I would like to thank everyone involved in Three Billboards, and everyone who's ever looked at a billboard." - Sam Rockwell, getting a 2018 Best Supporting Actor Oscar

"I just want to thank everybody I've ever met in my entire life."
- Kim Basinger, receiving the Oscar for Best Supporting Actress, L.A. Confidential (1997)

"Don't ever become a pessimist... a pessimist is correct oftener than an optimist, but an optimist has more fun, and neither can stop the march of events." - Robert A. Heinlein - Writer (1907 - 1988)

Thanks for reading CyberheistNews
Security News
Social Engineering, Not Zero Days

Most cyber attacks are not matters of sophisticated, never-seen-before zero days. That happens, but it's not the norm. What is the norm is social engineering. Users fall victim to criminal hackers who abuse their trust.

We often think of these tactics as being the exclusive province of common criminals, but in fact they're the dominant form of attack in cyberspace. It's thought that the state actors who recently intruded into sensitive German government networks got in by phishing.

That's because social engineering is effective. And of course on the other end the petty crooks see the same efficacy. Homeowners in Australia's state of Victoria were recently victimized by phishing emails in which the sender impersonated a realtor asking for payment of fees due. Hundreds of thousands were lost.

Today, awareness training is a must-do piece of your IT security puzzle. Story at CSO:
Words Frequently Misused (by Phishers)

Social engineering extends even to the names given malicious files. Attackers will include words likely to be attractive to the target in the hope of inducing the target to open the file and download the maliciously crafted document.

The SANS Institute looked at a large number of phishing emails and compiled a set of words that appeared as bait in attachment file names. The list doesn't of course amount to a collection of indicators, but it's suggestive.

Users who are looking closely at filenames may be warier than most, and the attackers seem to want an extra layer of persuasion and plausibility. See the interesting SANS list here:
DHL Shipping Phishing Attack Serves A Keylogger

Fake shipping notices purporting to be from DHL are in circulation. The phishing emails include an attachment whose payload is a keylogger. The text is old-school with poor English usage and grammar. That should put trained and aware users on their guard.

Training can help employees see through text like this: "Attached is the Original Shipping documents and BL as assigned to deliver to you. Notification for shipment event group 'Picked up' for 10th March 2018." See MyOnlineSecurity for more:
Mining Is The New Black: CryptoJacking Polyvalent Malware Via Email

Cryptojacking malware has so far tended to concentrate on one particular cryptocurrency, but that seems to be changing. Palo Alto Networks warns that it's observed a polyvalent cryptojacking attack that's equally capable of pilfering Bitcoin, Ethereum, Litecoin, and Monero.

"ComboJack," as the miner is called, works against the user's clipboard. It takes advantage of users' propensity to copy and paste addresses rather than go through the trouble of retyping them each time they're needed. The malware looks for wallet addresses in the clipboard and replaces them with the address of the criminals' wallet.

This technique has been used by the Evrial Trojan and CryptoShuffler malware. It's now being employed against a range of e-currencies. Most of the victims of ComboJack have so far been in the US and Japan. It's delivered through phishing.

The malicious payload is carried in a PDF file attached to the email. That PDF contains an embedded rich text file that carries an exploit for CVE-2017-8579, a known vulnerability that had previously been used to deliver FinFisher spyware. See Security Week:
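
A defensive counterpart to the clipboard substitution described above, added here as an example (it is not code from the newsletter, from Palo Alto Networks, or from any analysis of the named malware): a paste-time guard that remembers what the user copied and compares it with what the clipboard holds when they paste. If the two differ and both look like wallet addresses, the clipboard was rewritten between copy and paste, which is the behaviour the clipboard-swapping family relies on. The address-format patterns are simplified assumptions covering the four currencies named above, and every address below is constructed.

```python
import re
from typing import Dict, Optional

# Simplified, illustrative address-format patterns (assumption: good enough to
# recognise the common shapes, not a full validator with checksum verification).
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{25,59})$"),
    "monero": re.compile(r"^[48][0-9A-Za-z]{94}$"),
}


def classify_wallet_address(text: str) -> Optional[str]:
    """Return the currency whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


class ClipboardGuard:
    """Remembers the last value the user deliberately copied and checks, at paste
    time, whether the clipboard still holds it. A swapped wallet address is the
    case the guard exists for; any other change is reported but not called a swap."""

    def __init__(self) -> None:
        self._copied: Optional[str] = None

    def record_copy(self, text: str) -> None:
        """Call when the user copies something (e.g. from the copy-event handler)."""
        self._copied = text.strip()

    def check_paste(self, clipboard_text: str) -> Dict[str, Optional[str]]:
        """Call with the current clipboard contents just before a paste/send."""
        pasted = clipboard_text.strip()
        if self._copied is None:
            return {"verdict": "no_baseline", "coin": classify_wallet_address(pasted)}
        if pasted == self._copied:
            return {"verdict": "ok", "coin": classify_wallet_address(pasted)}
        copied_coin = classify_wallet_address(self._copied)
        pasted_coin = classify_wallet_address(pasted)
        if copied_coin and pasted_coin:
            # Same-shaped wallet address that the user never copied: the
            # signature of clipboard hijacking. Block the transaction and alert.
            return {"verdict": "swapped", "coin": pasted_coin}
        return {"verdict": "changed", "coin": pasted_coin}


# Constructed addresses: format-conforming, not real wallets.
USER_BTC = "1ExampLeBtcAddrNotReaLxxxxxxxxxxxx"
ATTACKER_BTC = "1AttackerWaLLetNotReaLxxxxxxxxxxxx"
USER_ETH = "0x" + "deadbeef" * 5


def simulate(copied: str, clipboard_at_paste: str) -> str:
    """Run one copy/paste round trip through the guard and return the verdict."""
    guard = ClipboardGuard()
    guard.record_copy(copied)
    return guard.check_paste(clipboard_at_paste)["verdict"]


if __name__ == "__main__":
    print("untouched clipboard:", simulate(USER_BTC, USER_BTC))        # ok
    print("address rewritten:  ", simulate(USER_BTC, ATTACKER_BTC))    # swapped
    print("copied other text:  ", simulate(USER_ETH, "meeting notes"))  # changed
```

The guard only works if `record_copy` sees the user's own copy action, which means hooking it into the wallet or browser extension the user copies from; a monitor that merely polls the clipboard cannot tell the user's copy from the malware's rewrite. Checksum validation would tighten the patterns, but the comparison with the remembered value is what catches the swap, and it needs no knowledge of the attacker's address at all.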
Social Media Phishing Rises

Phishing related to financial institutions has long been the norm. This may be changing, however. While banks are still targeted, increasingly criminals are experimenting with phishing campaigns that seek to compromise social media.

These attempts seem to be prompted by the increasing involvement of social media in financial transactions, but also as a kind of way station en route to further, more directly lucrative attacks. Alert your employees to the likelihood that phishing will take on an increasingly social character. Security Brief has more information:
Finally Some Business Email Compromise Busts

Business email compromise (BEC)—also known as CEO Fraud—continues to be a problem for both large and small organizations. In business email compromise, a scammer impersonates a company official in an email that directs employees to transfer large amounts of money to bank accounts controlled by the bad guys.

Sometimes the criminals are caught. Police in France and Belgium have arrested seven conspirators in a BEC scheme that netted them some €1.2 million.

The losses in a BEC scam can be high, particularly when they involve fraudulent wire transfers, and they easily cross national boundaries, which can make recovery difficult. In this case the suspects arrested were for the most part Romanian, their targets Belgian and French. See the story in Security Week:
What Our Customers Are Saying About Us

Happy Customer: "The entire purchase process was smooth and our Account Manager was terrific! I was pleasantly surprised when the Customer Success Manager reached out to me and wanted to know how to help. Your company must be a wonderful place to work!" - N.E., IT Systems

Happy Customer: "I wanted to tell you that we are very satisfied with the training and phishing service we have got from your company!" - M.R., HR & Records Management Specialist
Interesting News Items This Week

Cyber attacks becoming No. 1 business risk:

Inside the Profitable Underworld of Ransomware:

Russia’s Fancy Bear Hacks its Way Into Montenegro:

Schools Teach 'Cyber Hygiene' to Combat Phishing, Identity Theft:

Cyberspace is the New Battlespace:

Ransomware Trends to Watch in 2018:

FBI Director tells Boston College gathering that cyber threats ‘coming at us from all sides.’:

An unconventional spam campaign has been delivering unusual cryptocurrency-stealing malware to American and Japanese users:

‘Technology alone can’t defeat cybercrime’ in the UK:

UK National Cyber Security Centre releases useful infographic to reduce cybercrime:

Digging Deep: New Crypto-Mining Scams Silently Steal Millions:

Vulnerability In Robots Can Lead To Costly Ransomware Attacks:

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • An eagle-eyed person in the picturesque seaside town of Porto Cesareo, Italy, managed to capture a trio of McLarens on video, including a Senna with a little camouflage still on it. The new hypercar is still rare enough that seeing one anywhere is very special:

FOLLOW US ON: Twitter | LinkedIn | Google | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
