CyberheistNews Vol 8 #14 Report: Ransomware Is the New Normal. 52% Have Lost Faith in Antivirus and 44% Agree AV Is Dead

A new report on malware says that the majority of companies globally have been victims of ransomware in the last 12 months.

A new report says that ransomware attacks are the new normal for IT. There are a lot of numbers to chew on in the report, but the sheer enormity of the problem may be the most surprising result.

SentinelOne's new Global Ransomware Report 2018 found that ransomware is now something that more than half (56%) of companies have faced in the past two months. That's up from 48% who said the same thing in the firm's 2017 report.

And when it comes to being a ransomware victim, how you respond matters: 45% of US companies hit with a ransomware attack last year paid at least one ransom, but only 26% of these companies had their files unlocked. Companies paying the ransom were attacked again 73% of the time.

Almost every company reporting an attack (97%) said that they had backups for the files affected by the ransomware, and 51% said backups and the ability to self-recover were their reason for not paying the ransom.

Story at KnowBe4 Blog with link to the whitepaper. SentinelOne also created a PDF with an InfoGraphic. This is budget ammo you need to have:

The New 2018 Threat Impact and Endpoint Protection Report

In short: Ransomware isn't going away and it's not slowing down. Ransomware is a multi-billion dollar business with the number of new ransomware variants continuing to grow quarter-over-quarter. Despite the many security offerings available, organizations continue to fall victim to ransomware attacks.

For this brand new report, we surveyed businesses across all industries to find out what they're doing to defend themselves. We thoroughly examined who is at risk, what the scope and cost of an attack is, how organizations are protecting themselves from ransomware, and the effectiveness of their endpoint protection.

Find out what is really the best way to combat the threat of ransomware. The results might surprise you:

Scam of the Week: 150 Million MyFitnessPal Users Are Now Phishing Targets

  • Under Armour's health- and fitness-tracking app, MyFitnessPal, has been hit by a data breach.
  • Roughly 150 million MyFitnessPal users are affected, Under Armour says.
  • Under Armour says an "unauthorized party" gained information like usernames and email addresses, but not payment details.
"Under Armour is working with leading data security firms to assist in its investigation, and also coordinating with law enforcement authorities," the company said in a statement. "The investigation indicates that the affected information included usernames, email addresses, and hashed passwords — the majority with the hashing function called bcrypt used to secure passwords."

Under Armour will require MyFitnessPal users to change their password and is "urging users to do so immediately." The company is also encouraging users to review their accounts for suspicious activity and be cautious of any unsolicited messages asking for personal information.

This is a phishing bonanza and I'm willing to bet a hundred bucks that the cyber mafia is already working on campaigns to exploit this breach.

I would email your employees, family and friends something to this effect; you're welcome to copy/paste or edit it:

"It's all over the news. A database of 150 million user names and passwords from Under Armour's super popular MyFitnessPal app has been hacked. Cyber criminals are going to use this to scare you into clicking on phishing emails and infect your computer with malware, or manipulate you into giving out personal information.

"If you receive an email that claims your personal MyFitnessPal information has been hacked, and that you need to click on links to change your password or open attachments to find out how to protect yourself, be very careful. Do not click on links, do not open attachments, and if there is a reference to a website with more information, type the web address in your browser yourself."

For KnowBe4 customers, inoculate your employees before they get hit with this Scam of the Week, at the house or in the office. Send them our new template from the Current Events campaign: "MyFitnessPal". If you aren't a KnowBe4 customer yet, ask for a quote and be pleasantly surprised:

ANNOUNCEMENT - Brand New Tool: Mailserver Security Assessment [It's Free]

Do you know what's getting through your mail filters?

KnowBe4 is excited to announce that you can now use our brand new, innovative Mailserver Security Assessment (MSA) to help you assess your organization's mailserver configuration settings and check the effectiveness of your email filtering rules.

With email still the #1 attack vector used by the bad guys, MSA helps you to see what types of messages may make it through your filters from the outside.

A recent Cyren Email Security Gap Analysis discovered an astounding average miss rate of 10.5% in which enterprise email security systems missed spam, phishing and malware attachments.

MSA gives you quick insight into how your mailserver handles test messages of a variety of types, including emails with attachments that are password-protected, zipped macro documents, or .exe files, and emails sent from spoofed domains.

Here’s how MSA works:
  • 100% non-malicious packages sent
  • Select from 30+ automated email message types to test against
  • Saves you time! No more manual testing of individual email messages when you use MSA's automated send, test, and result status.
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!

Find out now if your mailserver is configured correctly; many are not!

Going to RSA in San Francisco This Year? Here's Your Exhibit Hall Pass

Drop by KnowBe4’s Booth 5004, North Hall at the Kevin Mitnick New Book Signing! Meet the ‘World’s Most Famous Hacker’, get a signed copy of his new book: Tuesday, April 17, 3-6pm at KnowBe4’s Booth.

Get your light-up "Axe To Grind With Ransomware!" swag, and see a demo of the innovative KnowBe4 Security Awareness Training Platform to train and phish your users. Plus, be entered to win a DJI Spark Drone.

Don’t have a pass yet? We’ve got you covered. Use code X8EKNOWB to register for your complimentary Exhibit Hall Only Pass. We'll see you at Booth 5004:

FBI: "Tech Support Scam Losses Rise 86%"

One would think the familiar tech support scam would be played out by now. It's not. This is the bit of social engineering in which the scammers convince their victims that their system has a problem only the scammers can resolve. They make phone calls, place search engine ads, use pop-up messages, display locked screen messages, or, of course, send phishing emails in which they pose as "tech support," or "the help desk."

They most commonly represent themselves as being from "Microsoft," which of course they are not. The FBI's Internet Crime Complaint Center (IC3) has released its figures for 2017, and they're discouraging. Victims suffered $15 million in losses, which actually represents an increase of 86% over 2016.

The criminals have introduced a few new wrinkles into this old scam, according to the Bureau: "Some recent complaints involve criminals posing as technical support representatives for GPS, printer, or cable companies, or support for virtual currency exchangers," so it's no longer all Microsoft all the time.

This kind of social engineering, like the equally familiar Nigerian advance-fee scams, can be addressed with realistic awareness training and well-known policies. Here's one sound policy all organizations with an IT department or a help desk should start with: make sure your employees know that no one will ever ask for their credentials over the phone or by email. And here is the official FBI website post:

Don't Sabotage Your Own Security, Train Your Users

Veteran IT Security Editor Wayne Rash and I talked for about half an hour earlier this week. He wrote an excellent article that I warmly recommend.

He started out with: "Turns out, your users are good for more than just generating trouble tickets. One of those areas is filtering out bad guys, provided you give them a little in the way of know-how." Wayne continued with nine steps that your organization can take to fight social engineering attacks. Good read!

6 Myths CEOs Believe About Security

And while we are talking good reads, here is a great article by Roger Grimes about 6 myths your CEO believes about security, and what you can do to get a more effective IT security strategy. Rid your CEO and senior management of these common cybersecurity misconceptions. Excellent points, and it ends with a recommendation for more training. Find out what they are at CSO:

Don't Miss the April Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, April 4, 2018, at 2:00 PM (ET) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW Industry Benchmarking feature enables you to compare your organization’s Phish-prone percentage™ with other companies in your industry.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-To Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.

Find out how 17,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Happiness resides not in possessions, and not in gold, happiness dwells in the soul."
- Democritus - Philosopher (460 - 370 BC)

"There are three sides to every story: your side, my side, and the truth. And no one is lying."
- Robert Evans - Movie Producer (born 1930)

Thanks for reading CyberheistNews

Security News

Football Club Lazio Victim of 2.5M CEO Fraud Scam

Football, and we mean by this what Americans call "soccer," is big business. It's also susceptible to business email compromise, aka CEO fraud. Here's one that just came to light. When a player moves from one club to another, transfer fees are paid as part of the move.

These are roughly the equivalent of the "cash considerations" one hears about in American baseball trades. Such fees can be very large. For example, Stefan de Vrij of the Netherlands moved from Dutch squad Feyenoord to the Italian football club Lazio a few years ago.

His transfer fee was to be paid by Lazio in several installments, the last of which was scheduled for this year. That final payment was substantial: €2 million, or roughly $2.5 million. Unfortunately Lazio's payment didn't reach Feyenoord.

A CEO fraud email convinced Lazio's financial department to send the money to a "new" Feyenoord bank account. The new account was controlled by criminals, of course. We imagine the crooks cried "GOOOOAAL!" when the payment cleared.

To protect your organization from this kind of scam, raise employee awareness of the dangers of phishing in all of its forms. You might use the Lazio story as an example. Most importantly, implement policies and procedures to prevent your employees from changing customer payment information without appropriate verifications and safeguards.

Two-person control over account changes and fund transfers isn't sufficient, but it's a good first step. Naked Security has the story, Lazio gets a red card:

European Police Sweep up Phishing Gang

Tax season scams are international. Some good news: police in Italy and Romania rolled up a spear phishing gang in raids conducted on March 28th. The arrests of eleven Italians and nine Romanians came at the end of a two-year-long cybercrime investigation cooperatively conducted by the Romanian and Italian National Police, with the support of Europol's Joint Cybercrime Action Taskforce (J-CAT) and Eurojust.

The criminal group, which police regarded as well-organized and sophisticated in its approach, took in about €1 million in banking scams. The criminals impersonated tax agencies or other legitimate authorities, like banks, in their social engineering of the victims. Once hooked, the marks were manipulated into giving up their banking credentials. Help Net Security has the story:

UK Found to Be 'Most Resolute' Country at Dealing With Ransomware

Ransomware is costing UK companies a whopping £346 million every year, despite Britain being labeled ‘the most resolute’ country for dealing with the cyber attacks.

In fact, more than 40 percent of mid-to-large UK businesses suffered on average five ransomware attacks during the last year, according to research by Vanson Bourne.

However, 92 percent of security professionals feel confident in their ability to combat ransomware in the future. And there was more good news for the British: the survey found the UK to be the most resolute, both in refusing to pay ransom demands and in combating the attacks effectively.

UK businesses experienced the fewest attacks (40 percent, versus 70 percent in Germany, 59 percent in France and 55 percent in the USA) and had a 43 percent success rate in defending against them.

30-second Survey: "I wish I had a tool to..."

When an end-user fell for a social engineering attack, have you ever had that feeling, "I just wish I had a tool to...", but lacked that tool? Take 30 seconds and let us know what that tool would be.

Please let me know at this link to Surveymonkey. It may be redirected, so please copy and paste this in your browser. Thanks very much in advance!

SAM.Gov Hackers Were Handed Spear Phishing, Spoofing & Credential Theft on a Gold Platter

Cybercrooks who stole federal payments by hacking contractor accounts on a GSA website used sophisticated spear phishing techniques to steal login credentials and then diverted payments to bank accounts they controlled, an executive of a contractor targeted in the scam told FedScoop.

It’s unclear how much the scammers have netted through their scheme, which is being investigated by the GSA inspector general and federal law enforcement.

The inspector general’s office declined to comment, but sources familiar with the investigation told FedScoop that the cyberattacks that facilitated the fraud had been identified last year and were ongoing as recently as last week.

According to the executive, the spear phishing was enabled by shoddy security on the website itself, GSA’s System for Award Management, or, which didn’t provide two-factor authentication or use an email protocol designed to protect against incoming emails with spoofed domain names in their addresses.

Targeting was also aided by the rich data the website provided.

The scammers “didn’t need to do any reconnaissance or research, the usual kind of social media engineering” to find out who at each company controlled the account, the executive said. “ handed them the targeting intelligence they needed for the campaign.” Full horror story at the KnowBe4 Blog:

What Our Customers Are Saying About Us

"Yes, we are very happy with the results of the training. Many of our customers are government contractors, so we began this mainly as a result of the NIST 800-171 requirement being flowed down to us. We are finding, however, that it is something we probably should have started a long time ago. Thanks for checking in."
Thanks, C.P.

"Just so you know, on Tuesday I went to a function called "TECH TALK" where several banks in the area get together twice a year and discuss IT- and security-related issues, what they do as well as what software we use, etc. There were about 20 banks represented there. Long story short, about 60% of the group use your product and are happy with it.

Back in February I went to an IBAT security conference and the result was about the same. That is where I learned about your product and now we're a customer. I would say good luck with your company; however, the great product takes luck out of the equation. Thought you might want to hear that. Thanks and take care!"
- M.R.

Interesting News Items This Week

  • The FBI's 10 Most-Wanted Black-Hat Hackers - Here are all the mug shots!
  • Destructive and False Flag Cyberattacks to Escalate
  • An exclusive look behind the scenes of the U.S. military's cyber defense
  • Iranian Hackers Charged Last Week Were Actually Pretty Darn Good Phishers
  • The Grim Conclusions of the Largest-Ever Study of Fake News
  • How Westpac dealt with its first phishing attack 15 years ago
  • Scientists trace ransomware payments across the globe. Ransomware isn't an easy area to study: organizations and individuals that fall victim to file-encrypting malware rarely publicize their anguish, and cyber criminals running ransomware campaigns don't publish annual revenue reports.
  • Symantec Reports: Mobile Malware Increased by 54%
  • 7 keys to an effective anti-phishing program from Health Data Management
  • Cyberattacks Now #1 Threat To Swiss Banks - Information Security Buzz
  • Crypto mining runs rampant in higher education: Is it students?
  • 1.4B stolen passwords are free for the taking: What we know now
  • Handling Breaches at the Bureau: In Conversation with Supervisory Special Agent Elvis Chan

Prepared in cooperation with the CyberWire research team.

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
