CyberheistNews Vol 8 #18 Scam of the Week: World's No. 1 Criminal Phishing Botnet Turns Even More Tricky


The notorious Necurs botnet is one of the oldest and largest spam and phishing delivery systems in existence. It controls millions of machines that the criminal botmasters use to send malicious payloads. Necurs has now adopted a retro trick to make itself more evasive and less likely to have its phishing intercepted by your filters.

It's begun emailing archive files that unzip to a file with a .URL extension. This commonplace Windows shortcut opens a page directly in a browser. The advantage of this approach is that it's typically overlooked by email filters which are hunting for more complicated infection chains. The final destination of this link is a remote script file that downloads and automatically executes a malicious payload.

This common Windows shortcut is the social engineering tactic which tricks your users into thinking the email file attachment they just unzipped has created a folder that they need to enter and view the actual file.

Unfortunately, this is what crooks want because trying to access this faux folder will launch the infection chain. This time, they are exploiting the power of simplicity.

Your email filters usually apply preset rules, and this particular vector is probably not among them, so update your filter settings. Interestingly, Necurs does not infect computers using Russian as a language.
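One way to give a mail gateway the missing rule, as an added example that is not part of the newsletter or of any KnowBe4 product: unpack each archive attachment in memory, look for Windows Internet Shortcut (.URL) entries, read the URL= line, and quarantine the message when the shortcut points off-host. The sample archive, the placeholder hostname (under the reserved .invalid TLD) and the set of schemes treated as remote are all constructed assumptions.

```python
import configparser
import io
import zipfile
from typing import Dict, List, Optional

# Constructed sample (not a real indicator): the body of a Windows Internet
# Shortcut file. The hostname is a placeholder under the reserved .invalid TLD.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://placeholder.invalid/share/voicemail.txt\r\n"
)

# Schemes that make a shortcut reach outside the local machine. "file" covers
# UNC-style paths that a .URL shortcut can point at. Assumed policy, tune as needed.
REMOTE_SCHEMES = {"file", "http", "https", "ftp"}


def build_sample_zip() -> bytes:
    """Constructed attachment: a .URL shortcut dressed up as a voicemail plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voicemail message.url", SAMPLE_URL_FILE)
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign attachment with no shortcut files at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "plain text only")
    return buf.getvalue()


def parse_internet_shortcut(data: bytes) -> Optional[str]:
    """Return the URL= value of a .URL file, or None if the file is malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def scan_zip_attachment(zip_bytes: bytes) -> List[Dict]:
    """List every .URL entry in the archive with its target and whether it points off-host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Match the extension case-insensitively; Windows treats .URL and .url alike.
            if not info.filename.lower().endswith(".url"):
                continue
            target = parse_internet_shortcut(zf.read(info))
            scheme = target.split(":", 1)[0].lower() if target and ":" in target else ""
            findings.append({
                "entry": info.filename,
                "target": target,
                "scheme": scheme,
                "remote": scheme in REMOTE_SCHEMES,
            })
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy: quarantine any archive carrying a shortcut that resolves to a remote location."""
    return any(f["remote"] for f in scan_zip_attachment(zip_bytes))


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
    print("quarantine:", should_quarantine(build_sample_zip()))
```

The check is deliberately dumb: it does not try to follow the link or classify the destination, because the shortcut's mere presence inside an emailed archive is already the signal the filter was missing. The extracted target is still worth logging, since it gives the SOC an indicator to block at the proxy.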

I suggest you send this email to your employees, friends and family. You're welcome to copy/paste/edit:
There is a new email scam you need to watch out for. Bad guys are sending emails that have an archive file as an attachment. They often look like a voice mail message you have missed. Assume these attachment files are guilty until proven innocent!

Do not click on the zip file to listen to the message. Delete the file or click on the Phish Alert Button which forwards it to IT and deletes it from your inbox.
Example screen shot of this attack at the KnowBe4 blog:
Mysterious “Double Kill” Word/IE Zero-Day Allegedly in the Wild as Phishing Attack

“Double kill” is a bragging term from the world of first-person video gaming – it means you finished off two assailants with a single shot.

In the world of cybercrime, it’s the name given by Chinese computer security company Qihoo to what it claims is an Internet Explorer zero-day hole that’s being actively exploited in the wild.

Unfortunately, in this case, Qihoo isn’t giving much away: we’ve seen only very sketchy details of how the “double kill” exploit works, or what you could look out for if an attacker tried to use the exploit against you.

All we know so far is that a “double kill” attack starts with a Word document, sent as a phishing email attachment.

If you open the booby-trapped document, which is denoted by Qihoo as containing some unspecified sort of shellcode, Internet Explorer is apparently activated in the background, ultimately leading to an executable program being downloaded and executed without any visible warning.

According to Qihoo, this is:
"The first Office Document based exploit that uses a browser zero-day vulnerability to carry out the attack. Opening a malicious Office document may cause infection with a Trojan horse that can take full control of the victim’s computer […] Hackers carried out the APT attack by delivering Office documents containing malicious webpages. When affected users opened the documents, malicious scripts and payloads using the vulnerability were downloaded from a remote host and executed."
What we don’t yet know is:
  • Which document file formats (e.g. RTF, DOC, DOCX, XLS, XLSX, PPT, PPTX) can be used to trigger this vulnerability.
  • Whether the booby-trapped Office files contain macros or other active scripting that could be detected and blocked generically to reduce the risk of attack, at least until specific details are available.
  • Whether Office is required to make the exploit work, or whether other applications might be able to trigger it too, such as PDF readers or video players.
  • How Internet Explorer comes into the attack.
It seems like an excellent idea to test your users and check if they would fall for a phishing attack like this. Links to technical background posts at KnowBe4 blog:
New Exploit: PDF Files Can Be Abused to Steal Windows Credentials

PDF files can be weaponized by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction and only by opening a file, according to Assaf Baharav, a security researcher with cyber-security company CheckPoint.

This means a curious end user who opens a PDF attachment they did not ask for can be pwned in about 15 seconds. Good thing this nasty is not in the wild just yet...

Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.

"The PDF specification allows loading remote content for the GoToE & GoToR entries," Baharav told Bleeping Computer. More detail and links at the KnowBe4 blog:
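A gateway-side check for the PDF feature Baharav describes, as an added example that is not part of the newsletter or of CheckPoint's research: scan the document's objects for GoToR and GoToE actions, pull out the file specification they reference, flag any that resolve to a UNC path or URL rather than a local file, and escalate when the catalog's /OpenAction fires the action without a click. The two sample PDFs, the placeholder hostname and the verdict policy are constructed for this example; compressed object streams are not decoded here, which a production scanner would have to do first.

```python
import re
from typing import Dict, List

# Constructed minimal PDF (not a real sample): the catalog's /OpenAction points at a
# GoToR action whose file spec is a UNC path on a placeholder host under .invalid.
# In a raw bytes literal "\\\\" is four backslash bytes, which PDF string syntax
# decodes to the two leading backslashes of a UNC path.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /GoToR /F (\\\\placeholder.invalid\\share\\doc.pdf) /D [0 /Fit] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Same document, but the action targets a local file and is not auto-triggered.
SAMPLE_PDF_LOCAL = (SAMPLE_PDF
                    .replace(rb"(\\\\placeholder.invalid\\share\\doc.pdf)", rb"(appendix.pdf)")
                    .replace(rb" /OpenAction 4 0 R", b""))

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
# /F or /UF followed by a literal string; handles escaped characters inside the parentheses.
FILESPEC_RE = re.compile(rb"/(?:F|UF)\s*\(((?:\\.|[^\\)])*)\)", re.S)
OPENACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")


def unescape_pdf_string(raw: bytes) -> str:
    """Undo the PDF string escapes that matter for paths: \\\\ -> \\, \\( -> (, \\) -> )."""
    return re.sub(rb"\\([\\()])", rb"\1", raw).decode("latin-1")


def is_remote_target(target: str) -> bool:
    """True when the file spec leaves the local machine (UNC path or network URL)."""
    lowered = target.lower()
    return (target.startswith("\\\\") or target.startswith("//")
            or lowered.startswith(("http://", "https://", "ftp://", "file:", "smb:")))


def scan_pdf_for_remote_actions(pdf: bytes) -> List[Dict]:
    """Every GoToR/GoToE action with its resolved target, remoteness and auto-open status."""
    auto_objects = {int(m.group(1)) for m in OPENACTION_RE.finditer(pdf)}
    findings = []
    for obj in OBJ_RE.finditer(pdf):
        number, body = int(obj.group(1)), obj.group(2)
        action = ACTION_RE.search(body)
        if not action:
            continue
        for spec in FILESPEC_RE.finditer(body):
            target = unescape_pdf_string(spec.group(1))
            findings.append({
                "object": number,
                "action": action.group(1).decode(),
                "target": target,
                "remote": is_remote_target(target),
                "auto_open": number in auto_objects,
            })
    return findings


def verdict(pdf: bytes) -> str:
    """Assumed policy: block no-click remote actions, review clickable ones, pass local links."""
    findings = scan_pdf_for_remote_actions(pdf)
    if any(f["remote"] and f["auto_open"] for f in findings):
        return "block"
    if any(f["remote"] for f in findings):
        return "review"
    return "clean"


if __name__ == "__main__":
    for finding in scan_pdf_for_remote_actions(SAMPLE_PDF):
        print(finding)
    print(verdict(SAMPLE_PDF), verdict(SAMPLE_PDF_LOCAL))
```

Cross-document links to local files are a legitimate PDF feature, so the scanner distinguishes "remote" from "local" rather than flagging every GoToR; the pairing of a remote target with /OpenAction is what matches the zero-interaction scenario in the story. The same egress exposure is also worth closing at the network layer by not allowing outbound SMB from workstations.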
Don’t Miss the May Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us tomorrow, May 2, 2018, at 2:00 PM (ET) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • [NEW] Improved Vishing (voice phishing) feature supports domestic and international dialing with 10 commonly used vishing templates.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • Customized Automated Security Awareness Program (ASAP) creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 17,000+ organizations have mobilized their end-users as their last line of defense.

Date/Time: Tomorrow, May 2, 2018, 2:00 pm ET
Register Now:
Can You Be Spoofed? Find out for a Chance to Win!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus you'll be entered for a chance to win an awesome drone!

Find out now if your email server is configured correctly; many are not!

Try to Spoof Me!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Permanence, perseverance and persistence in spite of all obstacles, discouragements, and impossibilities: It is this, that in all things distinguishes the strong soul from the weak."
- Thomas Carlyle - Philosopher (1795 - 1881)

"Success is all about persistence and doing the right thing for the long term." - Bruce Rauner

Thanks for reading CyberheistNews
Security News
GrandCrab's Big Ransomware Campaign

Spam campaigns carrying GrandCrab ransomware have surged over the past week. Tens of thousands of emails carrying three new GrandCrab variants have been entering circulation every day. The new variants are designed to avoid signature-based detection. As always, it will take a bit of time before the signature-based scanners catch up.

The subject line phishbait is familiar: payments, tickets, invoices and orders. The payload is a JavaScript attachment that, upon execution, downloads GrandCrab ransomware. The criminals are asking about $400 in cryptocurrency, but there's little point in even considering paying it, since there's no evidence that the crooks are being particularly good about releasing files.

As always, your best defense against ransomware is a combination of weapons-grade backups, religious patching and effective employee security awareness training. ZDNet has the story:
Microsoft Help Desk Scams Rising

Employees in all organizations could do with a reminder about the familiar "tech support" or "help desk" scam. It usually, but not always, takes the form of a call from someone claiming to be from Microsoft.

Understandably, Microsoft is concerned about the con. Microsoft recently revealed that tech support scams are bigger than ever, reporting 153,000 tech support scams in 2017. This number is up 24 percent from 2016.

Fifteen percent of those contacting Microsoft to complain lost an average $200 to $400 to the scammers. In spite of Microsoft’s efforts with authorities the number grew. The FBI’s Internet Crime Complaint Center (IC3) reported a rise as well.

The number reported by IC3 was smaller than Microsoft's because victims usually do not file reports with law enforcement unless they lose money, and Microsoft’s reporting covered a worldwide audience.

Tech support scams are no longer limited to just Windows users. Scammers now target Mac and Linux users as well. The con artists pose as representatives of tech support companies, and some brazen cyber crooks even pose as the FBI’s IC3 division.

Users continue to fall prey mostly because of the ways criminals constantly adjust their social engineering tactics for greater plausibility. Hence the importance of frequent training and awareness programs.
Here is an Email Thread of an Actual CEO Fraud Attack

Emails from the boss seldom go unnoticed or unanswered. This is why crooks spoof the boss in CEO fraud, a form of business email compromise (BEC), to set the stage for deception or a scam. CEO fraud has made an appearance in 77% of businesses that responded to a recent survey. CEO fraud differs from typical spam in that it tends to be fluent, targeted, and knowing about the business.

Trustwave researchers have published an interesting BEC email thread. In a longish conversation between fake boss and real employee, the fake boss arranged to transfer $33,000, supplying the employee with all the appropriate bank account information.

Their conversation was noteworthy in that it had an air of importance without communicating the kind of "act-now" urgency that often accompanies scams. That worked: the employee seemed to be convinced she was doing the boss a big favor.

In the end, the transfer went through. We don't know the employee's fate, but we hope it wasn't a harsh one. What we do know is that organizations can add levels of verification and additional steps in executing electronic funds transfer. They can also put policies in place that will inform employees that the boss will never, ever, email a request to transfer funds.

But possibly the most important step you can take is education. Interactive, realistic training can help place employees on the lookout for CEO fraud. Help them to understand what they should do if they suspect a scam. Trustwave published the whole email thread, very interesting:
Why BEC Scammers Specialize Part II. Is Your Industry Next?

This is a follow-up to last week's post. It's worth considering if your organization's operations make it a target for business email compromise (BEC) scammers. We saw last week that Nigerian gangs who have been known to target large companies now have the global maritime shipping industry in their sights.

The "Gold Galleon" group compromises email accounts and attempts to have unsuspecting targets deposit considerable cash in bank accounts set up by the gang. The BEC scammers have chosen the maritime industry because companies in that industry are spread across the globe, operate in different time zones, and depend on email to conduct their daily business. Often the only contact companies have with their far-flung units is email.

The operators of Gold Galleon purchase domains and set up email accounts that closely mimic the domains and email accounts used by their target companies. They also use spear phishing to gather passwords from unsuspecting company employees.
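A sender-domain check against the look-alike tactic just described, as an added example that is not part of the newsletter or of the cited research: compare the sender's domain with a list of trusted partner domains, fold common character swaps (rn for m, 0 for o, 1 for l), catch a trusted name reused as a subdomain of some other registrable domain, and treat anything within two edits of a trusted name as a look-alike. The trusted list, the confusables table and the edit-distance threshold are assumptions chosen for illustration.

```python
from typing import List, Optional, Tuple

# Swaps commonly used to make one domain resemble another. Assumption for
# illustration, not an exhaustive Unicode confusables table.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]

# Constructed trusted list; a real deployment would load partner domains from a directory.
TRUSTED_DOMAINS = ["example-shipping.com"]


def normalize(domain: str) -> str:
    """Fold look-alike characters so that 'exarnple' and 'example' compare equal."""
    folded = domain.lower().strip().translate(CONFUSABLE_CHARS)
    for src, dst in CONFUSABLE_PAIRS:
        folded = folded.replace(src, dst)
    return folded


def registrable(domain: str) -> str:
    """Last two labels of the name. Assumption: ignores multi-label suffixes such as co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str, trusted: List[str]) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    sender = sender_domain.lower().strip()
    for t in trusted:
        t = t.lower()
        # Exact match or a genuine subdomain of the trusted registrable domain.
        if sender == t or registrable(sender) == registrable(t):
            return ("trusted", t)
    for t in trusted:
        t = t.lower()
        # 1. Same name once confusable characters are folded.
        if normalize(sender) == normalize(t):
            return ("lookalike", t)
        # 2. Trusted name planted as a label inside some other registrable domain.
        if t.split(".")[0] in sender.split("."):
            return ("lookalike", t)
        # 3. Within two edits of the trusted name (length guard avoids short-domain noise).
        if len(t) >= 10 and levenshtein(normalize(sender), normalize(t)) <= 2:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    for candidate in ["example-shipping.com", "exarnple-shipping.com",
                      "example-shipping.com.placeholder.invalid", "unrelated-vendor.com"]:
        print(candidate, "->", classify_sender_domain(candidate, TRUSTED_DOMAINS))
```

"Unknown" is not a verdict of malice, only a signal that the domain is new to the organization; the "lookalike" class is the one that should route a message about payment details to a human check by a second channel.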

From there the scam follows familiar paths. The scammers use stolen credentials to gain access to essential business contact information and details regarding the company’s business dealings. Those details are then used to lend plausibility to the scam. Gold Galleon is thought to be based in Nigeria, but BEC knows no geographical limits.

Using two-factor email authentication and being aware of sudden changes to standard business practices are good first steps in helping defend yourself against BEC, but every organization should take note of ways in which its routine operations can be used to commit this form of social engineering.

Consider: are you a not-for-profit with operations in different parts of the world? Are you a university with international study programs? A government agency with offices in many time zones? You should deploy awareness training for high-risk users as an additional layer to the technical and policy safeguards you've put in place. Search Security has the story:
Credential Stuffing Attacks

A 0.1 to 3% success rate doesn’t sound like much, but with a sample numbering in the tens of millions, that adds up very quickly. People unfortunately continue to reuse their passwords. That fact, along with the availability of millions of credentials on the dark web, enables sophisticated cyber criminals using machine learning and some AI tools to achieve a solid, if criminal, return-on-investment.
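The success-rate figure above is also the detection handle: a stuffing run shows up in authentication logs as one source trying many different accounts with almost all attempts failing. The detector below is an added example, not part of the newsletter or of the cited story; it parses constructed log lines (documentation address ranges, made-up usernames, assumed line format), keeps a sliding window per source address and alerts when attempt volume, account spread and success ratio in the window match that profile. The thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumed log line format, e.g. "2018-04-30T10:00:00Z src=203.0.113.5 user=alice result=FAIL".
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> List[str]:
    """Constructed auth log: one stuffing burst plus one legitimate user fumbling a password.
    203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, not real hosts."""
    t0 = datetime(2018, 4, 30, 10, 0, 0)
    lines = []
    # Burst: 60 distinct usernames from one source in 60 seconds; exactly one succeeds.
    for i in range(60):
        result = "SUCCESS" if i == 17 else "FAIL"
        stamp = (t0 + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{stamp} src=203.0.113.5 user=user{i} result={result}")
    # Legitimate noise: one person mistypes a password three times, then gets in.
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "SUCCESS"]):
        stamp = (t0 + timedelta(seconds=5 * i)).strftime(TS_FORMAT)
        lines.append(f"{stamp} src=198.51.100.7 user=alice result={result}")
    return lines


def parse_events(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, bool]]:
    """Yield (timestamp, source, user, succeeded); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, result = m.groups()
        yield datetime.strptime(ts, TS_FORMAT), src, user, result == "SUCCESS"


def detect_credential_stuffing(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
                               min_attempts: int = 50, min_distinct_users: int = 20,
                               max_success_rate: float = 0.05) -> Dict[str, Dict]:
    """Flag sources whose traffic inside `window` looks like a stuffing run: many attempts,
    spread over many distinct accounts, with a tiny success ratio. Thresholds are assumptions."""
    per_src: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, src, user, ok in parse_events(lines):
        per_src[src].append((ts, user, ok))
    alerts: Dict[str, Dict] = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window's left edge until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {u for _, u, _ in win}
            hits = sorted({u for _, u, ok in win if ok})
            rate = sum(1 for _, _, ok in win if ok) / len(win)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                prev = alerts.get(src)
                if prev is None or len(win) > prev["attempts"]:
                    alerts[src] = {"attempts": len(win), "distinct_users": len(users),
                                   "success_rate": round(rate, 4), "compromised_accounts": hits}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_credential_stuffing(build_sample_log()).items():
        print(src, alert)
```

The "compromised_accounts" list is the actionable output: those are the reused passwords that actually worked, so they need a forced reset and a second factor, whereas simply blocking the source address only moves the attacker to the next proxy.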

The prize isn’t always cash. Our passwords protect other assets that can be monetized. These include frequent flyer miles, gift cards, loyalty points from hotels and other businesses, and even in-game currencies and loot boxes.

These assets can be stolen and turned into cash by hackers. Competitive intelligence is also a prize, and it's too easy for organizations to overlook this particular risk. Information-gathering operations use scraping to gather pricing or product information.

Educate your employees to be cautious about both password reuse and the kind of information they expose to the interwebs. BankInfo Security has the story:
NEW: KnowBe4 Just Released a Massive Improvement of Vishing Security Tests

We have just released a major upgrade of our Vishing (voice phishing) functionality.

You now have the ability to use text to speech, upload your own custom audio, and create your own vishing templates.

Vishing now supports both domestic and international numbers, and the interface has improved dramatically. It's now very similar to the email phishing templates section in the console.

You can set vishing campaigns to wait for prompts and for the user to take an action; that action is the point of failure.
  • Make your own custom failure message.
  • Point of failure training messages.
  • Numbers are geolocated, just like the bad guys are doing it.
At launch, there are 10 built-in vishing templates. Templates are available in 22 different languages.

Supports random and fully random vishing, with a specified time period during which you want calls to go out. Pick a category of vishing templates and randomly vish users.

Specify whether it should primarily dial mobile or desk phones. If mobile and desk phone numbers are part of Active Directory, you can use those.

Works in Smart Groups (same criteria-based approach as phishing).

Cost to Customer: If you are licensed for vishing, you can vish your users up to 12 times per calendar year without additional costs.

Vishing is included in Gold, Platinum, and Diamond subscription levels.

Link to Documentation:
What Our Customers Say About Us

"Yes, I am quite impressed, not only with the tools but with the service as well. We have already seen a significant change in the overall security culture as a direct result of implementing KnowBe4.

Last week our KnowBe4 account rep contacted me and brought my attention to a couple of small errors I had made when setting up a phish. I consider that going the extra mile. I will be recommending KnowBe4 for all future clients.

Thank you." - F.P., MIS Director

Hi Stu,

We are very happy campers. Training is good, reporting is awesome and Phishing tests are spot on. Your employees are great at staying in touch to make sure we know there is someone at KnowBe4 ready to answer questions. All in all, we are very happy with the implementation and integration of your system. You have the most effective Information Security testing and training program I have seen to date.

Thanks, M.J. VP Information Systems
Interesting News Items This Week
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
