CyberheistNews Vol 8 #24 Scam of the Week: Phishing Celebrity Deaths Kate Spade and Anthony Bourdain


Two celebrities committed suicide this week, and unfortunately that's going to be exploited again by lowlife internet criminals in a variety of ways.

I suggest you warn your users right away that a series of scams is underway using these deaths as social engineering bait. Earlier celebrity death scams show there will be a high click rate on phishing emails and social media posts that claim to show "their last words/moments on video".

Whatever ruse is used, your users will wind up with infected workstations at home or in the office, give out personal information, or unleash ransomware on the network. Give them a heads-up that especially now, they really need to "Think Before They Click."

I would send your employees, friends and family something like the following. You're welcome to copy/paste/edit.

"This week, news broke about two celebrity suicides: Kate Spade and Anthony Bourdain. Internet criminals / scum are going to exploit these deaths in a number of ways, so be careful with anything related to this sad news: emails, attachments, any social media (especially Facebook), texts on your phone, anything. There will be a number of scams related to this, so Think Before You Click!"

For KnowBe4 Customers, there are new templates that I suggest you send to your users more or less immediately and inoculate them against these attacks.

We now have two templates for each incident. Because they can deal with controversial topics, we will place them in either Current Events or the Controversial/NSFW category. Here are the titles:
  • Fox News: Kate Spade Found Dead, Suicide Note Released
  • MSNBC: Kate Spade Suicide: Suspicion of Foul Play, Husband Arrested
  • CNN: Anthony Bourdain's Last Moments
  • CNBC: BREAKING NEWS: Insider Reports of Anthony Bourdain's Recent Relapse and Relationship Troubles
It is a sad state of affairs that exploiting celebrity deaths has become the new normal. We need to stay vigilant and make sure not to get jaded.

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Yesterday We Received a CEO Fraud Phishing Attack From Our Own Personal Accountants

This is an up-close and personal account of how my wife Rebecca and I (we hope) dodged a cybercrime bullet.

You probably do not know that I am an elected official of the City of Clearwater; I serve on the Downtown Development Board. Part of that is a yearly disclosure about your personal finances and real estate ownership.

As a board member you are asked to fill out a so-called "Form 1" which goes into quite a bit of detail about your bank accounts, liquidity and real estate, and whether you are renting out any of it. I normally ask my personal accountants to fill out this Form 1 and send it back.

So, imagine my wife's surprise and concern when she received an email coming "from my iPad" while I was traveling, asking her to click on a PDF related to that Form 1, using a subject from a very recent email thread, but with a spoofed email address from Russia! Turns out our CPA had been compromised.

Here is the whole blog post with a blow-by-blow and the screenshots:
https://blog.knowbe4.com/yesterday-we-received-a-ceo-fraud-phishing-attack-from-our-own-personal-accountants
[Live Webinar] How Criminals Are Using Artificial Intelligence to Social Engineer Your Users

A new survey by Webroot shows that 86% of security professionals worry that artificial intelligence (AI) and machine learning (ML) technology could be used against them. That worry is well founded.

If we look at history, we are quickly reminded that all progress comes with unintended consequences. And, while there is a lot of societal good that can come from AI and ML, we also need to understand and prepare for the misuse and abuse of such technologies.

Join Stu Sjouwerman, KnowBe4’s founder and CEO, and Perry Carpenter, Chief Evangelist and Strategy Officer, for "Fear the Machine: How Criminals are Using Artificial Intelligence to Social Engineer Your Users."

We will take a fascinating dive into the shadowy world of how AI and ML are being weaponized today and what the next wave(s) of weaponization will likely look like.

This webinar will cover:
  • Cyber crimes using Artificial Intelligence and Machine Learning
  • The next wave of weaponization
  • How to protect your organization with a Human Firewall
Date/Time: Wednesday, June 20th at 2:00 PM ET. Register Now!
https://attendee.gotowebinar.com/register/8574066831149250561?source=CHN
What's Getting Through Your Mail Filters? Find out for a Chance to Win.

Spoofed domains, malicious attachments and executables to name a few... With email still the #1 attack vector, do you know if hackers can get through your mail filters?

KnowBe4 can help you find out if this is the case with our free Mailserver Security Assessment (MSA) test. Plus, you'll be entered for a chance to win an awesome 34-Inch Curved UltraWide LG Monitor.

KnowBe4’s MSA tests your mail server configuration by sending 40+ different types of test email messages that check the effectiveness of your mail filtering rules.

Here's how it works:
  • 100% non-malicious packages sent
  • Select from 40+ automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
  • Validate that your current filtering rules work as expected
Results in an hour or less. Find out now if your mail server is configured correctly; many are not!
https://info.knowbe4.com/msa-sweepstake-june2018
Live Demo: See How You Can Get Audits Done in Half the Time at Half the Cost

Join us on Wednesday, June 13, 2018, at 1:00 PM (ET) for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an affordable and easy-to-use compliance management tool... See how you can get audits done in half the time at half the cost. Register Now!
https://attendee.gotowebinar.com/register/395869656937429505?source=CHN
Quotes of the Week
"People should pursue what they’re passionate about. That will make them happier than pretty much anything else." - Elon Musk

"Everybody deserves somebody who makes them look forward to tomorrow." - Unknown



Thanks for reading CyberheistNews
Security News
An Update on World Cup Phishing

We've mentioned the current phishing for World Cup fans. Since the Cup will be with us for some time, it's worth following the twists in that particular phishline.

None will be surprising to connoisseurs of social engineering, but they're worth sharing. Any email that starts with "Good Day……Happy News!" is of course best immediately deleted.

That enthusiastic phrase is the lead-in to a notice that you, you lucky email account holder you, have won a cool 1,350,000 sterling in "Russia 2018 FIFA world cup-Google online lottery promotion." More precisely, "your email" has won. :-D

Trust us, neither you nor your email has won anything. Toss this happy news directly to the trashcan. Sometimes the scammers will send you your winner's notification as an attached Word or PDF file without further explanation. Remind your people of what to do, or better, what not to do: don't open it.

Another spam email purporting to be from one "Mrs. Holly King" shares "Congratulations!! Congratulations!!" before asking, soberly, "Are you the correct owner of this email?" If you are, "be glad this day" because you've won the Russia World Cup online lotto.

The winsome Mrs. King festoons her notification with a Russia FIFI World Cup logo in all its red-white-and-blue glory. All you need do to collect is "kindly provide" your full name, email address, physical address, age and occupation, and a few other minor items like your bank account and routing number.

Unless your age is "born yesterday" and your occupation is "sucker," you will give this one the "happy news" treatment. We Live Security blog has the story:
https://www.welivesecurity.com/2018/06/06/fake-fifa-world-cup-themed-lotteries-giveaways/
Tax Season Spam Lingers On

Tax issues often persist beyond the filing deadline: refunds, notices of arrears, etc. So does tax-themed spam. Trend Micro has found one campaign in mid-May that takes advantage of victims' perceptions that tax systems are complex and difficult to understand.

The subject lines suggest that the recipient committed some oversight. In this case the spam carries a malicious URL that will lead the victim to download a zip file whose payload is the URSNIF banking Trojan.

As is the case with most other spam campaigns, users can be taught to recognize the red flags and fend off the attempt on their systems.

New-school interactive security awareness training can help any organization arm its employees against this kind of fraud. TrendLabs Security Intelligence Blog has the story:
https://blog.trendmicro.com/trendlabs-security-intelligence/post-tax-season-spam-campaign-delivers-ursnif-to-north-american-taxpayers/
When It Comes to Romance Scams, There's Nothing Like a Uniform

Romance scams are widespread and unusually sad forms of fraud. They're also not a purely personal matter, but rather a threat to an organization's security as well as an individual's emotional and financial well-being.

A retired US Army officer found himself enmeshed in a tangle of romance scams in an unusual way: his pictures, details of his career and personal life, often even his name, had been used by scammers as the raw material for social engineering against lonely women.

He received an unexpected message in his LinkedIn in-box from a woman in Canada who asked why he hadn't visited her as planned. He'd never heard of her, had no plans to visit Canada, and thought it was a mistake.

But upon investigation he found that someone had pulled pictures of himself (and sometimes pictures of his son with him) from the Internet, created a completely bogus backstory, and set up a variety of social media accounts on Facebook, dating sites, and elsewhere.

The unfortunate Canadian woman who contacted him had met his impostor on a dating site, believed the hard-luck fiction in the profile—he'd been recently widowed, his son was critically ill, he was in tough financial straits, none of which was true—and sent the impostor several thousand dollars.

In the end, the officer, Denny, found roughly 4,000 accounts that used some version of his identity. Military fiction is, for complex reasons, an unusually compelling kind of romance scam, and many of the operators are gangs based in Nigeria and Ghana.

They're well-practiced in compelling conversation, and their stories are far more plausible than the old-style widow-of-a-prince advance fee scams. This is one form of unusually repellent social engineering an organization can help harden its people against. Consider the military romance scam as a topic of training.

Human resources departments provide all sorts of help for troubled employees. Training in this area can keep many people from becoming troubled in the first place. Task and Purpose has the story:
https://taskandpurpose.com/military-romance-scams-bryan-denny/
Arrests Roll up Business Email Compromise Ring

Europol announced the arrest of the suspected leaders of a crime gang that ran at least two dozen business email compromise scams. The four principal suspects were arrested in cooperative raids conducted by the French National Gendarmerie and Israel's Lahav 433 Unit.

Police in Belgium and Romania also contributed to the investigation. The victims were Belgian and French companies that lost more than 18 million euros to the frauds. An earlier round of arrests had rolled up lower-ranking members of the gang, money mules and the like.

Business email compromise, sometimes also called "CEO fraud," involves social engineering in which the criminals impersonate a company executive in order to direct the transfer of funds to a fraudulent account. The arrests are noteworthy because they indicate both the international extent of the problem and the very high losses a company can sustain.

Europol noted that leaders of such gangs often operate outside the jurisdictions where their victims do business; the four gang leaders in this case worked from Israel while their victims were in France and Belgium.

Investigation, arrest, and asset recovery therefore all require international cooperation. Business email compromise can be a company-killer. The amounts involved can be very large, and recovery is often effectively impossible.

Sound policies governing wire transfer, effective training in those policies, and realistic training to recognize social engineering can all help protect an organization against this very dangerous scam. Help Net Security has the story:
https://www.helpnetsecurity.com/2018/06/04/ceo-fraud-arrests/
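The accountant episode earlier in this issue and this Europol item turn on the same pattern: a trusted name on an outside address, a reply path that diverts the conversation, a hijacked subject line, and a request involving money. The following added example (not KnowBe4's or Europol's code) scores one inbound message for those traits on the defender's side; the company domains, executive names, recent thread subjects and both sample messages are constructed assumptions.

```python
# Added example, not KnowBe4's code: flag executive-impersonation (BEC) traits
# in one inbound message. ORG_DOMAINS, EXECUTIVES, RECENT_THREADS and the two
# sample messages are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                     # hypothetical company domains
EXECUTIVES = {"pat example"}                      # display names worth protecting
RECENT_THREADS = {"form 1 financial disclosure"}  # subjects of genuine internal threads
MONEY_WORDS = ("wire", "transfer", "payment", "invoice", "urgent")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _thread_subject(subject):
    """Strip Re:/Fw: prefixes and lower-case so a hijacked thread still matches."""
    s = subject.strip()
    while s.lower().startswith(("re:", "fw:", "fwd:")):
        s = s.split(":", 1)[1].strip()
    return s.lower()

def bec_indicators(raw_message):
    """Return the BEC red flags found in one RFC 822 message, in check order."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    external = from_domain not in ORG_DOMAINS
    if from_name.strip().lower() in EXECUTIVES and external:
        flags.append("exec-name-external-domain")      # trusted name, outside address
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append("reply-to-domain-mismatch")       # replies diverted elsewhere
    if external and _thread_subject(msg.get("Subject", "")) in RECENT_THREADS:
        flags.append("hijacked-thread-subject")        # subject lifted from a real thread
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    if external and any(w in body for w in MONEY_WORDS):
        flags.append("financial-request-wording")      # asks for money or urgency
    return flags

SUSPECT = """\
From: Pat Example <pat.example@mail-example.ru>
Reply-To: <accounts@another-example.net>
Subject: Re: Form 1 financial disclosure

Please open the attached PDF and confirm the wire details today.
Sent from my iPad
"""

GENUINE = """\
From: Pat Example <pat.example@example.com>
Subject: Re: Form 1 financial disclosure

Attached is the completed Form 1 for your review.
"""
```

Run against a real mail stream these checks are a triage signal for human review, not a verdict, and the thread-subject list should be fed from the organisation's own recent outbound mail.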
Maybe It’s Time for Serious Social Engineering

At SC Media’s RiskSec NY 2018 conference, the New York State Cyber Command demonstrated the consequences of a bad habit: downloading untrustworthy apps on your phone.

The demonstration consisted of a phone being infected to show what happens when a shady app is loaded and its permission requests accepted. The simulated attackers were able to take photos and videos, access and export photos and files, alter data, send texts, make calls and determine the user's geolocation.

The attackers also showed how it was possible to compromise the device's data integrity by secretly modifying accessed documents and contact lists.

This shows that data that can’t be trusted may be worse than data that are simply lost. At least two important lessons emerged from the demonstration.

First, SMS messaging capabilities can be particularly attractive to attackers, since SMS is frequently used in multifactor or two-step authentication. If it's compromised, hackers may have access to passwords. Second, awareness of the social engineering threat is key to increasing an organization's resilience.

Employees need to recognize inconsistencies and red flags. Special attention should be paid by the financial sector, where bad actors posing as CFOs can send fraudulent messages requesting transfer of funds to unauthorized accounts.

When this happens, it takes a bit of courage on the employee's part to delay responding to what looks like a request from the boss. But it's better to put off action until the message can be authenticated. Executives need to accept and welcome employees' questions about confirming cash or asset transfers.

So awareness, training, and non-punitive policies are important to developing organizational resistance to social engineering of mobile devices and accounts.

Realistic, interactive, awareness training can help employees become an organizational strength instead of a weak link. SC Media has the story:
https://www.scmagazine.com/mobile-users-ignore-shady-app-permissions-at-their-own-risk-warns-ny-state-cyber-command/article/770064/
Hacking Humans: A New CyberWire Podcast

Cyberwire wrote: "Each week the CyberWire’s Hacking Humans podcast looks behind the social engineering scams, phishing schemes, and criminal exploits that make headlines and take a heavy toll on organizations around the world.

We talk to social engineering experts, security pros, cognitive scientists, and those practiced in the arts of deception (perhaps even a magician or two). We also hear from people targeted by social engineering attacks and learn from their experiences.

Step right up and trust us: check out the first two episodes and subscribe today. And thanks to KnowBe4, our sponsors for Season 1."
https://thecyberwire.com/podcasts/hacking-humans.html
What KnowBe4 Customers Say

"Love your product – thanks. I’m really looking forward to getting the training program up and running and bringing down the number of people who are clicking.

We do a lot of education in annual training and monthly email reminders, but we still were 25% on the phishing baseline test. The back-end site for your product is very well thought out. I find it easy to use and intuitive." - L.D., Dir of IT

Here is an updated one-page PDF of the Training Content by Subscription Level. KnowBe4 has by now grown into the "Netflix" of security awareness training:
https://www.knowbe4.com/hubfs/Training-Content-By-Subscription-Level.pdf

Check out all this content for yourself. No need to talk to anyone:
https://www.knowbe4.com/training-preview
The 10 Interesting News Items This Week
    • China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare. OUCH:
      https://wapo.st/2kUta4u
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.