CyberheistNews Vol 8 #21 Scam of the Week: GDPR Phishing Attack With Apple Flavor / Royal Wedding




CyberheistNews Vol 8 #21
Scam of the Week: GDPR Phishing Attack With Apple Flavor / Royal Wedding

Social engineering follows seasonal patterns. It's also connected to major events. We see this every year with holiday-themed phishing attacks between Thanksgiving and New Year's Day.

We're seeing it now with this week's implementation of GDPR, the European Union's General Data Protection Regulation, and the Royal Wedding. GDPR takes effect on May 25th. In this case the phishbait is the claim that Apple is proactively preparing to better protect your data.

This sophisticated phishing scam targets Apple users, threatening them with account suspension. If your user falls for this social engineering tactic and is manipulated into preventing a negative consequence, they're redirected to an "account rescue site" which of course is established to extract credentials and other personal financial information.

The phishing website is a legitimate-looking but bogus Apple site. It presents itself as a place where the users can rescue their account from being "restricted."

In addition to looking legitimate, this website is more sophisticated than most phishing sites because the bad guys correctly set the web directory permissions, and encrypted the spoofed site using Advanced Encryption Standard (AES), allowing it to bypass some anti-phishing tools embedded in antivirus solutions.

One of the things the victims are asked to do is "update payment details." Once they've entered the requested information, the scammers say, the victims will see their accounts "returned to normal." Upon completion the victims are asked to click a button labeled "unlock." Doing so sends the information they've just entered directly to the scammers.

The site looks legitimate, but as usual there are red flags: First, the phishing emails were not all that highly targeted. Some of the recipients haven't even been Apple users. Second, the URL is off. For all of its convincing appearance, it's not an Apple site at all.

Companies worldwide are indeed working on becoming GDPR compliant (part of that, train your users) and try to make sure that the people whose data they've collected have in fact consented to give them their information.

Criminals are aware of this, and are following suit. You should remind your users that GDPR is indeed taking effect this week, but that they should be wary of this flavor of social engineering.

The Royal Wedding Is a Social Engineer's Dream

And obviously, this weekend's royal wedding is a social engineer's dream. Wedding fever has taken over the net and a variety of scams and attempts to steal personal information are out there.

For example, there are quizzes out there asking for your Royal Wedding Guest Name and then want your mother or father's middle name, pet names, street they live on and the like.

I suggest you send this email to your employees, friends and family. You're welcome to copy/paste/edit:
Be on the lookout for a new Apple-flavored email phishing Scam of the Week. New European data privacy regulation is going into effect this week. It's called General Data Protection Regulation (GDPR) and bad guys are using it as bait in a variety of ways. This scam looks like it is from Apple and claims that if you do not take action, your account will be "restricted". But in reality they steal your identity and credit card information.

And then there is the royal wedding. It's a scammer's dream so be very careful. Only go to trusted websites to get information and news about it.

Do not click on links in emails, or social media links related to the royal wedding or open suspicious attachments that claim any kind of problem with "GDPR". Delete the email or click on the Phish Alert Button to forward it to IT and delete if from your inbox.
Let's stay safe out there.
Gradebook Phishing Results in Felony Charges

Police in Concord, California, have arrested a teenager who successfully phished high school teachers to harvest their grade-recording credentials.

He linked to a convincingly spoofed portal and induced at least one teacher to go there and surrender credentials. The teenager's name is being withheld because he's a minor, but he's said to be a sixteen-year-old sophomore at Ygnacio Valley High School.

According to local Fox News affiliate KTVU, he was arrested May 9th and charged with fourteen felony counts. He has, however, given an interview to another local station, ABC affiliate KGO, during which he said that it was "like stealing candy from a baby."

He also suggested he might have gone phishing in order to raise security awareness at the school. He altered grades for between ten and fifteen students, but apparently was caught before he changed his own. Some students' grades he raised; others he lowered.

School officials realized their grading system had been compromised when a member of the IT staff noticed the email in a spam folder and recognized it as phishing. The IT staffer was properly alert for phishing.

The teachers who gave up their credentials could have done with some awareness training. Ars Technica has the story:
https://arstechnica.com/tech-policy/2018/05/like-stealing-candy-from-a-baby-arrested-teen-says-of-his-phishing-efforts/
FBI: Business Email Compromise Tops $676 Million in Losses

From the "Lies, Damn Lies, and Statistics" Department. The FBI reports that ransomware attacks are downtrending. However Verizon's Data Breach Investigations Report indicates an increase in ransomware infections.

Who are you going to believe? In this case I'm leaning toward Verizon, because ransomware attacks especially are significantly under-reported to Law Enforcement.

A New Reporting Acronym: BEC/EAC

BEC stands for Business Email Compromise and is also known as CEO fraud. However, EAC is short for Email Account Compromise, a close relative of BEC. The primary difference with EAC, is criminals target individuals rather than businesses to initiate fraudulent wire transfers.

The continued prominence of BEC/EAC has led the IC3 to begin tracking the scams as a single crime type for the year 2017 and forward:

In 2017, business email compromise and email account compromise represented the highest reported losses at more than $676 million, with 15,690 victims; BEC/EAC ranked 10th in terms of the crimes reported.

In 2016, the FBI received 12,005 BEC and EAC complaints representing losses of more than $360 million.

Confidence and romance fraud, $211 million; and nonpayment or nondelivery of goods and services, $141 million; rounded out the top three in terms of losses. More at:
https://searchsecurity.techtarget.com/news/252441070/FBI-Business-email-compromise-tops-676-million-in-losses
Can You Be Spoofed? Find Out for a Chance to Win!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus you'll be entered for a chance to win an awesome drone!

Find out now if your email server is configured correctly, many are not!

Try to Spoof Me!
https://info.knowbe4.com/dst-sweepstake-may2018-chn
Here Is a Way to Get Audits Done in Half the Time and Half the Cost

Join us on Thursday, May 24th, 2018, at 2:00 PM (ET) for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an affordable and simple compliance management tool!

See how you can get audits done in half the time at half the cost.
Register Now: https://attendee.gotowebinar.com/register/1069077536282702339?source=CHN

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"To find yourself, think for yourself." - Socrates - Philosopher

"Every pundit who exhorts you to "think for yourself" really wants you to think like them." - Marty Rubin



Thanks for reading CyberheistNews
Security News
Live Webinar: Fortifying Your Organization’s Last Layer of Security

Cyber security threats continue to proliferate and become more costly to businesses that suffer a data breach. When it comes to combating these growing risks, most organizations continue to place more trust in technology-based solutions than on training their employees to be more aware of the threat landscape and able to recognize the red flags in cyber breach attempts.

Join Erich Kron, Security Awareness Advocate at KnowBe4, as he explains the emerging threats, the strengths and weaknesses that users bring to an organization's security culture, and strategies to fortify your organizations last layer of security, your users.

In this webinar you will learn:
  • Current and emerging attack landscape and how organizations are coping
  • Right and wrong approaches to changing employee behavior
  • How to build a successful Security Awareness Training Program
Date/Time: Wednesday, May 23, 2018, 1:00 pm ET

Register Now: https://attendee.gotowebinar.com/register/5406078062434661890?source=CHN
Ethereum Phishing, With Automation on the Side

Ethereum wallets are proving attractive to criminal phishers. Their relatively thin security, especially when compared to banks, has drawn the attention of Russian organized crime gangs.

One of those gangs is using a phishing kit that researchers at RiskIQ are calling MEWkit. MEWkit starts with a conventional scam. A phishing email directs the unwary to a landing page that presents a convincing-looking front-end of MyEtherWallet.

The page harvests credentials the victims are invited to enter. The automation kicks in once the credentials are harvested. MEWkit immediately drains the contents of the victims' wallet into the criminals' account.

RiskIQ summarizes the kit's operation as follows:"MEWKit combines the tactics of both traditional phishing attacks and the functionality of an [automated transfer service] for a tailor-made way to clear the relatively low barriers of MyEtherWallet."

The specific gang behind MEWkit is still unknown. But the IP addresses in use and certain linguistic quirks in the scam suggest that it's a Russian, or at least a Russian-speaking, group.

As usual, crime follows in the train of innovation. Cryptocurrencies are still new enough to exhibit a dangerous combination of immature security and the sort of early-adopter enthusiasm that lulls victims into a more gullible state.

User awareness training concerning the prevalence of credential harvesting on spoofed webpages is important. And the automation in MEWkit is disturbing: once you enter your credentials, your coin is gone baby gone. ZDNet has the story:
https://www.zdnet.com/article/this-cryptocurrency-phishing-attack-uses-new-trick-to-drains-wallets/
Phishing in Office 365

Microsoft's Office 365 is widely used by businesses and other organizations.

It's also attracted widespread criminal attention. Users are receiving spoofed emails telling them that there's some problem with their Office 365 access. They're told they need to reset their password, or simply "click on this link" to keep your account active.

The emails have the kind of dull, routine bureaucratic tone one might expect from a large organization. They're also tricked out with some of the look and feel of a real vendor. But they're as easy to recognize as a phone call from some crooked boiler room telling you that the scammer is from Microsoft and they're here to fix a problem they've detected in your computer.

Microsoft isn't going to send Office 365 users emails telling them to click links to maintain their access.

Some of your employees may be new to Office 365. Familiarize them with this scam, and teach them to spit this particular phishbait. Help Net Security has the story:
https://www.helpnetsecurity.com/2018/05/18/office-365-phishing-threats/
Green Padlocked Phishbait

The Anti-Phishing Working Group (APWG) in its report for the fourth quarter of 2017, says that criminals are making much more use of HTTPS. More than thirty percent of phishing attacks were protected by than HTTPS content encryption protocol.

This represents a dramatic rise in the use of HTTPS. Less than five percent of phishing attacks in the fourth quarter of 2016 used HTTPS.

Two trends appear to account for the increase. First, more sites generally are using HTTPS, so a corresponding rise in phishing sites could be expected. But second, and more significantly, HTTPS and the green padlock symbol commonly associated with it are widely misunderstood.

More than eighty percent of users surveyed thought that the green padlock and the word "Secure" displayed alongside an HTTPS URL meant that the site is legitimate or safe. That's not true. Maliciously registered domains can perfectly easily feature HTTPS. A useful bit of user awareness training would remind employees that the green padlock is no guarantee of safety. BusinessWire is carrying the story:
https://www.businesswire.com/news/home/20180515006785/en/APWG-Report-Cloud-Storage-SaaS-Increasingly-Targeted
Lessons Learned From a Newspaper Watering Hole Attack.

An interesting case of a watering hole used to target human rights activists in Southeast Asia has come to light this month. Back in November of 2017 FireEye researchers noticed that some sort of compromise of the website belonging to the Phnom Penh Post was under preparation.

Early in May of this year the human rights group Licadho, which operates from Cambodia, noticed that its workers were being redirected from the Phnom Penh Post site they'd visited to a bogus Google page that claimed to be concerned with privacy.

That page in turn redirected them to a site called "GTransfer" that sought the kinds of permissions users too often give to apps they download: "read, send, delete and manage your email" and "view your contacts."

FireEye thinks the compromise is the work of APT32, a Vietnamese state actor with an interest in various forms of espionage, but especially in collecting against dissident and human rights groups.

The particular redirect code in this case seems to have been added to the compromised website on or around May 8th. The Phnom Penh Post has recently changed ownership. Its Australian owner sold the paper to the Malaysian owner of Asia PR at the beginning of May.

Major corporate shuffles can signal not only a change of direction, but can also afford the kind of misdirection useful to cover social engineering.

Lessons the episode holds for any organization's training are:
  • First, be aware of who might (now) want to compromise you.
  • Second, understand their probable approach so you can recognize phishing or watering holes, and third,
  • Don't blindly agree to give apps whatever permissions they ask for.
The Australian Broadcasting Corporation has the story:
http://www.abc.net.au/news/2018-05-15/hackers-trigger-software-trap-after-phnom-penh-post-sale/9763906
Trickbot and Her Majesty's Revenue and Customs

Trickbot continues to distribute malspam. Some of its recent emails have posed as communications from the UK's tax authority. The attack chain begins with receipt of an email carrying the attachment of a rich text file (RTF) disguised as a Word document.

If the recipient opens the attachment, that triggers a Microsoft Equation Editor bug (CVE-2017-11882). With that, a vulnerable Windows system is infected with Trickbot malware. It's worth noting that this affects only unpatched systems.

Microsoft closed this particular vulnerability last November. But there are enough unpatched systems out there to make it worth the criminals' while to attempt exploitation.

The moral of the story is that Windows users should keep their systems up-do-date. And, of course, remind your people to always be wary about opening email attachments. The SANS Institute's Internet Storm Center has the story:
https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+malware+on+Friday+20180511/23653/
What KnowBe4 Customers Say

"Things have been going well for us with the KnowBe4 platform. The user response to the quality of the training materials has been phenomenal. Everyone loves the training content in contrast to the SANS content we had before.

We just launched our first phishing campaign this morning, so we’ll see how that goes. I am very intrigued to see the results. Thanks for keeping in touch! - M.F. IT Security Analyst



I am pleased with the service, we mainly use the phishing testing as we have another online service we use for S.A.T. We have used it a long time and I have enjoyed seeing your company grow over the years and like the ongoing improvements you have made. - B.D. System Admin



"This was an excellent conference! Thank you for doing this! I learned a great deal and it was great talking to others that have the same challenges and being able to swap ideas and back and forth!" - M.D.



We had a fantastic time at the first KnowBe4 user convention and "Catch me if you can" Frank Abagnale was an inspired speaker! Here is a picture of Frank Abagnale, Kevin Mitnick and yours truly:
https://twitter.com/StuAllard/status/997908393967980544
Interesting News Items This Week
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.



Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews