CyberheistNews Vol 8 #28

CyberheistNews Vol 8 #28
[Heads-Up] New Deceptive Strains of Payroll Phishing: "Because that's where the money is..."

Most readers will probably be familiar with the mythical story of bank robber Willie Sutton who, after being nailed by the cops, was asked why he robbed the bank. His answer (undoubtedly delivered in the most deadpan voice one can imagine): "Because that's where the money is."

Although criminals have gone high tech since the days of that old fashioned, pistol-packing bank robber, their motivations remain essentially unchanged. Over the past month or so we've been reminded of that very basic truth while watching the surge in phishing emails targeting payroll operations at our customers who use the free KnowBe4 Phish Alert Button (PAB).

Why target payroll? Because that's where the money is. These phishes, which are almost all examples of CEO fraud, take several different forms:

New Pay Stub Phishing Strain

A new strain of payroll phishes that has surfaced over the past few months involves phishing emails requesting copies of pay stubs and wage statements. Both are year-round social engineering attacks that expand on the W-2 phishing campaigns which erupt at tax season.

Very familiar with the ways in which this kind of confidential employee data can be exploited for fraud, some malicious actors are now turning to phishing attacks targeting the same kind of data, but now during the whole year.

We ourselves almost missed the rise of pay stub phishes because these emails typically request a single, specific pay stub for one employee (instead of a complete collection of W-2 statements covering an organization's entire employee base), these emails seem designed to "fly under the radar" and not attract undue attention.

These malicious emails are simple, direct, and dispense with any attempt to construct believable back-stories or pretexts for the request. In short, they invite an unthinking, reflexive response from targeted users.

Here is the full post with screen shots and additional payroll scams:
Russian Indictment: They Used Criminal Tradecraft Like Spear Phishing to Hack the Democratic Party

The email arrived in Hillary Clinton’s campaign chairman John Podesta’s inbox around March 19, 2016, during the height of the presidential primaries, spoofed to look like a standard security request from Google to change his password.

The email was actually from Aleksey Lukashev, a senior lieutenant in Russian military intelligence, using the account “john356gh” to mask his purpose, the official indictment shows. The email contained an embedded link that secretly opened Podesta’s account to the Main Intelligence Directorate of the General Staff, known as the GRU hacking team at 20 Komsomolskiy Prospekt, near Moscow’s Red Square.

Two days later, the Russian operatives stole — and later leaked — more than 50,000 of Podesta’s private emails throwing Clinton’s bid for the White House into turmoil.

On Friday, the Justice Department indicted Lukashev and 11 other officers in the GRU for interfering in the 2016 presidential election by hacking and leaking tens of thousands of emails and other material from Clinton’s campaign, the Democratic National Committee, the Democratic Congressional Campaign Committee and others.

Kevin Mitnick and I took some time to read the indictment. The GRU guys have been using tradecraft that's the same as what internet criminals use every day and what white hat pen testers use to test their client's controls. Here is the full blog post with many links including the PDF with the indictment:
Security Firm Sued for Failing to Detect Malware That Caused a Data Breach

Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client's network for months, an issue that led to one of the biggest security breaches of the 2000s.

The two insurance firms are Lexington Insurance Company and Beazley Insurance Company, and both insured Heartland Payment Systems, a leading payment processing company.

Lawsuit related to 2009 Heartland mega breach

In January 2009, Heartland announced a major security breach of its network, following which an attacker stole details for over 100 million payment cards stored on its systems by over 650 of Heartland's customers.

Following this devastating hack, Heartland paid over $148 million in settlement fees for various lawsuits, and other remediation costs and expenses Heartland owed its customers.

As part of their insurance agreements, the two firms paid $30 million to Heartland, with the Lexington Insurance Company footing a $20 million bill, and the Beazley Insurance Company paying another $10 million.

Lawsuit claims Trustwave failed to detect intrusion

But now, according to a civil lawsuit filed on June 28, and first reported by the Cook County Record, the two companies are trying to recover those costs, and are claiming that the security firm with which Heartland had a service contract had failed to honor its agreement.

The two insurance firms claim that Chicago-based Trustwave Holdings, Inc. —the security firm— had failed to detect that an intruder used an SQL injection attack to breach Heartland's systems on July 24, 2007. Continued:
[LAST CHANCE] Live Webinar: Why You Should Be Using Deception: Decoys, Honeypots, and Red Herrings

Every company in the world should be utilizing some form of deception as part of their overall computer security defense. Decoys and honeypots can be high-value, low-noise, and identify threats previously thought to be undetectable.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, and security expert with over 30-years experience, for this webinar where he will explore computer security deception. Roger is one of the world’s most prolific deployers of enterprise honeypots and author of the popular book, Honeypots for Windows (Apress).

Roger will share the two most popular ways organizations are attacked and how to use deception to defend against them. Attend this webinar and quickly come up to speed on deception and how you should be using it to protect your organization.

In this webinar, you will learn:
  • Real life stories of successful and failed deception
  • Deception vendors in the market today
  • How you can use deception to build your “human firewall”
Date/Time: Today, July 17th at 2:00 PM ET. Save My Spot!
Massive Sextortion Phishing Campaign Uses Recipient's Hacked Passwords

Krebs on Security has posted a new item: "Here's a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who's compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom.

The new twist? The email now references a real password previously tied to the recipient's email address.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

Krebs commented: "I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real."

We agree. There are billions of hacked passwords out there now that can be used for any number of nefarious phishing scams. Here is a new way to find out of any of your users' breached passwords are out there. Continued:
Don’t Miss Your Live Demo: Compliance Automation Made Easy With KCM

Our recent survey showed an overwhelming response from people asking for a live demonstration of KnowBe4 Compliance Manager (KCM).

Join us on Wednesday, July 18, at 1:00 p.m. (ET) for a 30-minute live product demonstration of KCM to see the latest features and how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • Enable your users: Assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an affordable and simple compliance management tool. Save My Spot!
What Would You Like to Ask Kevin Mitnick About Social Engineering?

Here's your chance. In late August we'll do a live webinar with Kevin, and he asked me to find out what questions you have for him regarding social engineering, so we can cover them in this new flavor of webinar which we will do once a quarter.

The survey closes July 31, 2018. Here is the link to SurveyMonkey, this should take less than 1 minute!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"We are more often frightened than hurt; and we suffer more from imagination than from reality." - Lucius Annaeus Seneca

"Don't let someone else's opinion of you become your reality." - Les Brown

Thanks for reading CyberheistNews
Security News
The Most Common Hack Is Also The Most Successful. Here’s How to Fight It.

Despite what movies might show, most hacks don’t involve frantic typing or brute-force attacks. In fact, Verizon’s “2017 Data Breach Investigations” report revealed that 90 percent of successful hacks aren’t hacks at all: They’re social engineering.

Simply put, social engineering is about manipulating people rather than computers. Modern hackers have discovered that it is easier to ask for data than it is to take it by force. These manipulators continue to trick everyone from secretaries to CEOs into giving up passwords, network access, and everything else they want.

To safeguard against hacking, cloud service providers don’t need stronger firewalls; they need to learn how to protect themselves from human-to-human deception.

Regularly educate employees on evolving phishing tactics. Talk to employees in different roles about how people might approach them to ask for illegitimate access. Remind workers about the importance of internal security, and help them easily report suspicious requests.

These tips will help you safeguard your organization against social engineers. However, if someone still manages to access your data, don’t try to hide it — contact local FBI agents immediately. Your data can’t be “unhacked,” but you might be able to stop the hackers before they do any more damage. Continued at:
Got Hacked Passwords?

A whopping 52% of employees reuse and modify passwords, and often users are using the same password for all logins.(*) What if that password is available on the dark web? A massive amount of passwords are compromised due to data breaches and used by the bad guys for attacks. Are any hacked passwords in use within your organization?

Using breached passwords puts your network at risk. Password policies often do not prevent employees from using known bad passwords. Making your users frequently change their passwords isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access.

KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!

Here’s how Breached Password Test works:
  • Checks to see if your company domains have been part of a data breach that included passwords
  • Checks to see if any of those breached passwords are currently in use in your Active Directory
  • Does not show/report on the actual passwords of accounts
  • Just download the install and run it
Find out now which users are using hacked passwords. Results in a few minutes!

(*) New Virginia Tech study results shows leaked passwords from data breaches can pose a serious threat if users reuse or slightly modify the passwords for other services. Whitepaper here:
The Cost of Social Engineering, Calculated in Cryptocurrencies

Fashion drives trends in social engineering, and nothing has been more fashionable over the past two years than Bitcoin, Ether, and other cryptocurrencies. The scammers use conventional phishing techniques, waterholing with persuasive imitations of know initial coin offering (ICO) pages, typosquatting, and, of course, the venerable advance fee scam.

Many of the criminal operations seek to get email distribution lists of people known to be interested in alt-coin speculation. They use those lists to spearphish victims with the address of a wallet for cryptocurrency deposits that's under the control of the scammers.

It's difficult to estimate the cost with any high degree of precision, but a ballpark figure is good enough, and disturbing enough. Kaspersky Lab thinks scammers took nearly $10 million in various cryptocurrencies through social engineering.

Greed and fear can be powerful, and they operate powerfully on speculators. Help your people recognize that, when it comes to getting rich quick, if it looks too good to be true, it almost surely is. If your organization is involved in trading, mining, or simply using cryptocurrencies, you should consider realistic, interactive training in the ways social engineering is appearing in new forms for the alt-coin world.

Information Security Buzz has the story:
Keep Calm – It’s Probably a Tech Support Scam

A bug affecting Chrome is being used to give users the false impression they're experiencing a serious operating system error that requires immediate and probably expensive support. The scam came to light in February and works by repeatedly saving files to a disc over a five to ten second period.

This constant saving, which is not detected as anomalous by the operator, renders the browser unresponsive. A fake error message displays as the browser freezes. The bogus warning states there's a serious technical problem with the victim's machine, and it offers a phone number that can be called to resolve the problem.

From this point on it's a familiar help desk scam. A phony "Microsoft help desk employee" will offer to help. Of course they will need to collect credit card information before they can proceed with the unneeded services.

The scams are often lent an appearance of legitimacy because they may be conducted in conjunction with malicious ads or hijacked web sites.

Chrome fixed this particular bug with the release of Chrome version 65 in February. Unfortunately the subsequent release of Chrome 67 saw it reappear. Chrome is the principal vehicle for this scam, but Brave, Vivaldi, and Opera browsers can also be affected. Microsoft's Edge and Internet Explorer appear immune. Malwarebytes has indicated that a similar vulnerability has been found in Firefox.

Both Google and Firefox report that they're aware of the issue and are working toward a solution. Firefox noted that a fix was included in their Q3 priorities. Protection against this scam is simple: aware users will spit the hook without a second thought. Organizations should let their employees know that a pop-up or a browser window displaying a tech support message is best disregarded.

Do not call the telephone number listed. The Windows Task Manager and macOS Force Quit will almost always be the fix they need to solve the problem. Shut the browser down and start over. And effective, interactive security training will always help. Ars Technica has the story:
Survey Data With Social Engineering Potential

Social engineering is more plausible if it can take advantage of trusted accounts. If a phishing email or a business email compromise request comes from a genuine but compromised account, it's likely to be more successful.

Personal information can be used by attackers to gain access to credentials and the accounts they control. Internet users are in the habit of taking surveys or quizzes online, often just for the fun of it. And many sites offer quizzes to make themselves stickier, to induce visitors to spend more time on them.

Many of the quizzes they use are provided by Typeform, an app widely used by both businesses and government agencies. At the end of June Typeform discovered that some unauthorized party had downloaded a "partial backup" of its data.

The company disclosed the incident to its customers, but it's a complicated case. The data exposed belonged to Typeform's customers' customers, individuals who for the most part probably had never even heard of Typeform. The compromised information included quiz-takers' first names, dates of birth, mobile numbers, and email addresses, in some cases also Twitter handles, postal codes, ages, and salary ranges.

There are several useful lessons any organization might draw from the incident. First, vendors who handle data on your organization's behalf always expose you to a degree of risk. Second, data collection for marketing or other purposes increases that risk. Third, even seemingly innocuous answers to innocent questions can be used for social engineering.

New-school training in social engineering and phishing awareness can sensitize employees to these risks. And if they're quiz takers, warn them to be alert for scams. Naked Security has the story:
100% of Corporate Networks 'Highly Vulnerable' to Attacks, Here's How to Secure Yours

Snippet from very useful article: "Employees also remain a security weak point for most companies studied: During the testing, 26% of employees clicked a link for a phishing website, and nearly half of those entered their credentials in a fake authentication form. One in six employees opened a fake malicious file in an email attachment, while another 12% communicated with hackers." More:
Bad Guys Use Google's Golang to Cross-Compile Multi-Platform Malware

Here is the bad news:

1) The use of Google's Golang (also called Go) programming language allows attackers to cross-compile malware for use on multiple platforms, making potential attacks on Linux more trivial to engineer.
2) The new WellMess malware strain is able to operate on both Windows and on Linux, giving a remote attacker the ability to execute arbitrary commands as well as upload and download files, or run PowerShell scripts to automate tasks.

Google's Golang—which supports cross compiling to run on multiple operating systems—is now being utilized by attackers to target Windows and Linux workstations.

According a report by JPCERT, the WellMess malware can operate on WinPE (Windows Preinstallation Environment) and on Linux via ELF (Executable and Linkable Format). The malware gives a remote attacker the ability to execute arbitrary commands as well as upload and download files, or run PowerShell scripts to automate tasks.

The commands are transferred to the infected device via RC6 encrypted HTTP POST requests, with the results of executed commands transmitted to the C&C server via cookies.

While WellMess is far from the first malware to run on Linux systems, the perceived security of Linux distributions as not being a significant enough target for malware developers should no longer be considered the prevailing wisdom, as cross-compilation on Golang will ease malware development to an extent for attackers looking to target Linux desktop users. As with Windows and macOS, users of Linux on the desktop should install some type of antivirus software in order to protect against malware such as WellMess.

And of course step users through new-school security awareness training as your last line of defense. More and Links:
FBI: Email Account Compromise Losses Reach $12B

There were more than 78K business email account (BEC) and email account compromise (EAC) scam incidents worldwide between October 2013 and May 2018.

New FBI data shows that business email compromise (BEC) and email account compromise (EAC) scam losses worldwide spiked 136% from December 2016 to May 2018.

There were 78,617 BEC/EAC incidents reported between October 2013 and May 2018, resulting in $12 billion in losses. Of those incidents, 41,058 were in the US, resulting in $2.9 billion in losses. China and Hong Kong banks led the locations for receipt of fraudulent funds, while the UK, Mexico, and Turkey are emerging regions, the FBI report shows.

"The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees," the FBI said in its public service announcement reporting the latest statistics. More:$12b-/d/d-id/1332294
What KnowBe4 Customers Say

"Hi Stu, thanks for the personal email, I'm a very happy camper. The service and content is excellent and it's so easy to manage training etc... I just need to sort out my login but nothing I need you to get involved with.

Our CEO was very impressed with the Phishing campaign and the CEO training I enrolled him in. I will definitely be budgeting for this again next year.
Kind Regards, R.J, IT Manager"

"Good morning, I appreciate you following up with me. So far, we have been very satisfied with the service and will continue running the campaigns as well as exploring all the features. Cassie Boyles and another representative who did a virtual walk-through for us have both been very helpful with getting us up and running in the console in no time.

Once again, thank you for the follow-up and have a wonderful day!
Best Regards, A.A. Program Admin"
The 10 Interesting News Items This Week
    1. Researchers find that filters don’t prevent porn:

    2. For just $10, a hacker can attack your business via RDP: Here's how to stay safe:

    3. New Report Finds Global Ransomware Damage Costs Predicted to Exceed $8 Billion in 2018:

    4. The Worst Cybersecurity Breaches of 2018 So Far:

    5. Only 20% of companies believe they're actually GDPR compliant:

    6. Timehop Just Leaked Your Phone Number, Here’s What You Need to Do:

    7. Simulated Phishing Tests Reveal the Cyber Danger Lurking in Your Organization:

    8. Trojan Ether Encrypts Files or Mines for Cryptocurrency:

    9. Deceased Patient Data Being Sold on Dark Web:

    10. Credential Phishing – Easy Steps to Stymie Hackers:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Domain Spoof Test Contest

Get the latest about social engineering

Subscribe to CyberheistNews