CyberheistNews Vol 8 #31 [Heads-Up] Warn Your Employees. This Is the Year That Sextortion Spear Phishing Is Skyrocketing...


Intrepid cyber-investigative reporter Brian Krebs noticed that a story published on his blog July 12 about a new sextortion-based spear phishing scheme—one that quotes a real password belonging to each recipient—had become his most-read piece since his site launched in 2009.

He commented: "And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).

But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale.

And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness."

Krebs is right: this is only the start, and most of the passwords quoted so far were old. Cyber criminals test scams the way companies test marketing campaigns, and if the response rate is high enough in the beta, they go full-scale.

The Problem: 50% of Casually Dating Men Watch Porn Weekly

The Institute for Family Studies recently confirmed what everyone more or less already knew, and since last year there are hard numbers behind it. Men are more likely than women to view pornography, and this is particularly true of viewing porn regularly, on a daily or weekly basis.

A whopping 50% of casually dating men watch porn weekly, and this percentage only drops to 40% when they are seriously dating, and 20% for engaged or married.

Unfortunately, looking at this from a "criminal marketing perspective," the total addressable extortion market is massive.

Cyber gangs will start using fresh hacks, with recent and real passwords, very likely combined with other personal data sourced from the dark web and appended to each record with the same data-enrichment tooling marketers use. Tech support scam artists are going to use this method as well, in a variety of ways.

It's almost a matter of "What took you so long?" I have been warning you here for a while that this was imminent.

Phishing Continues to Be on the Rise in 2018

The Anti-Phishing Working Group's (APWG) most recent report (link to PDF in blog) covers the phishing trends found in Q1 of 2018.

The highlights of the report included:
  • Over 11,000 phishing domains were created in Q1
  • The total number of phishing sites increased 46% over Q4 2017
  • The use of SSL/TLS certificates on phishing sites continues to increase, because the browser padlock lulls visitors into a false sense of security and site legitimacy. The padlock only proves an encrypted connection to whoever controls that domain; it says nothing about who they are.
All three of these trends add up to one thing – the bad guys are rapidly becoming more sophisticated. The more pressure they can put on a target through spear phishing that leverages very private information, the more successful the campaign.

I suggest you send the following to your employees. You're welcome to copy, paste, and/or edit. You might want to coordinate with HR on this one.
Sextortion is a serious internet crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:
  • Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
  • Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
  • Turn off [and/or cover] any web cameras when you are not using them.
If you receive an email claiming the sender has video of you viewing pornography, do not reply and do not pay any amount in any form. If the email quotes one of your passwords, it almost certainly came from an old data breach rather than from your computer: change that password anywhere it is still in use, then delete the scam email.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).
Full blog post with links to articles. Please forward this one to your peers:
No "Shame on You" When it Comes to Cybersecurity Testing

Employee testing is a necessary part of a well-executed and flexible security awareness program. For testing to be effective, however, it needs to be well thought-out, making an impression on the employees and evoking a response that will help build your organizational security culture.

There is no single correct way of testing employees: Testing can be as varied as the social engineering approaches employees must be wary of. But some forms of testing can be safely ruled out from the start.

Testing shouldn't, for example, include duping or tricking an employee into a response that would compromise the organization. And employees should be praised in public and corrected in private.

If employees click a questionable link or respond to the sender of a test email, penalizing them shouldn't be the default response. Nor is it a good idea to include their test results as part of their performance review.

Instead employees should immediately be directed to remedial training that will educate them to the proper response going forward. Educating employees to the consequences of security breaches will increase their security awareness.

If the employee—or the department—handles the challenge correctly, they can be recognized or rewarded. This can be as simple as a mention in a company newsletter, or the award of a token of appreciation. The purpose of testing is to measure or uncover areas where training may be needed and to focus on preparing the employees for real-life social engineering attacks.

Consider a lesson from the military. When the US Army established its combat training centers in the 1980s, one of the centers' first principles was that they weren't administering a test that a unit could fail (or for that matter excel at). Instead, units received feedback in after-action reviews. Their self-analysis in the post-mortem became the most important source of their learning.

Social engineering and cyber security testing and education should never be presented or viewed as "punishment", but as a way to stay safe online in the office and at home. New-school security awareness training is interactive and aims at helping an organization build its security culture. Infosecurity has the story:
Cybercrime Carbanak Gang Leaders Arrested After Causing $1 Billion in Damage

The FBI announced Wednesday, August 1st, that an international manhunt had collared three leaders of the Carbanak gang. Also known as Fin7, Carbanak specialized in phishing business for credentials they could use to upload paycard-data-stealing malware into business systems connected with point-of-sale terminals.

They would steal card data and sell it in a black-market carding forum. They also did a side business in the theft and sale of proprietary or non-public information, but that was just gravy: their main course was always selling cards in the criminal-to-criminal market.

They targeted more than a hundred companies in the US alone, most of them in the gaming, restaurant, and hospitality sectors. Some of the better-known companies they hacked included Red Robin, Chipotle, and Arby's.

The three men arrested, Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov, are all Ukrainian nationals. They're now in US Federal custody or awaiting transfer to it, charged with twenty-six felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. Fedorov is awaiting extradition in Poland and Kolpakov is doing the same in a Spanish holding cell. Hladyr, picked up by police in Dresden, Germany, is already in Seattle.

Carbanak was a big operation, thought to have stolen more than $1 billion from businesses worldwide. One hopes these arrests will cripple the gang, but criminal organizations have come back from seeming death before.

The FBI has the story, complete with a useful infographic explaining how the Fin7 scammers worked, always starting with a phishing attack. Continued:
Hackbusters - Where Can You Discuss All Things Social Engineering!

The KnowBe4 Hackbusters Forum is an online community dedicated to stopping the bad guys who use social engineering to hack your organization. Our Hackbusters discussion forum is a moderated, spam-free forum primarily for KnowBe4 clients (but also open to your peers interested in social engineering).

HackBusters contains thousands of messages from our KnowBe4 users and our staff. Forum members can post messages to the community or just read through existing threads and Q/A.

Topics: Phishing, Ransomware, Social Engineering, Security Awareness Training Best Practices, Scripting Tools and Other Topics. We even have some fun by following the latest social engineering dramas on TV and in film. Our favorite is Mr. Robot. Rumor has it that we could see Mr. Robot season 4 in November! You're invited to join the discussion:
Can You Be Spoofed? Find out for a Chance to Win an Embrava Blynclight

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

If they can, they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly 'security awareness' trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus you'll be entered for a chance to win one of 10 Wireless Embrava Blynclights (stop those drive-by requests with this "busy light" for your desk.)

Find out now if your email server is configured correctly; many are not! Whether a forged message is accepted comes down to the SPF, DKIM and DMARC records your domain publishes, and to whether the DMARC policy actually tells receivers to quarantine or reject failures rather than merely report them.

Try to Spoof Me!
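As an added example (not the newsletter's or KnowBe4's own test code), here is the assessment a defender can run from nothing more than DNS TXT records: it parses the SPF and DMARC records and reports whether a forged From: would get through. The domain names and records are constructed sample data; a real check would fetch the `<domain>` and `_dmarc.<domain>` TXT records with a DNS library such as dnspython. The rule it applies is the general one rather than a single case: without an enforcing DMARC policy the domain can be spoofed regardless of SPF, and with one, only an SPF record that passes everybody (`+all`) still lets a forgery through.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS TXT records for three hypothetical domains.
# Key = the name queried; value = the TXT strings that name returns.
SAMPLE_TXT: Dict[str, List[str]] = {
    "weak.example": ["v=spf1 +all"],
    "soft.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strict.example"],
}


def spf_record(domain: str, records: Dict[str, List[str]]) -> Optional[str]:
    """Return the domain's SPF record, or None if absent or duplicated
    (RFC 7208: more than one SPF record is a permanent error, i.e. no SPF)."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf: str) -> Optional[str]:
    """Qualifier on the 'all' mechanism: '+', '-', '~', '?' or None if absent.
    A bare 'all' means '+all'."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"


def dmarc_policy(domain: str, records: Dict[str, List[str]]) -> Optional[str]:
    """Return the DMARC 'p=' tag (none/quarantine/reject), or None if no record."""
    for r in records.get("_dmarc." + domain, []):
        if r.lower().startswith("v=dmarc1"):
            tags: Dict[str, str] = {}
            for kv in r.split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p")
    return None


def spoof_assessment(domain: str, records: Dict[str, List[str]] = SAMPLE_TXT) -> Tuple[bool, List[str]]:
    """Decide whether an attacker can send mail that passes as this domain.

    A DMARC policy of quarantine/reject is what tells receivers to act on an
    SPF/DKIM failure, so without it the From: header is spoofable no matter
    what SPF says. With enforcement, the remaining hole is an SPF record that
    passes every sender (+all), since an aligned SPF pass satisfies DMARC."""
    findings: List[str] = []
    spf = spf_record(domain, records)
    q = spf_all_qualifier(spf) if spf else None
    if spf is None:
        findings.append("no single valid SPF record")
    elif q == "+":
        findings.append("SPF ends in +all: every sender passes SPF")
    elif q == "~":
        findings.append("SPF ends in ~all: softfail, which most receivers deliver anyway")
    elif q == "?" or q is None:
        findings.append("SPF has no -all: unlisted senders get a neutral result")
    p = dmarc_policy(domain, records)
    if p is None:
        findings.append("no DMARC record: SPF/DKIM results are not enforced")
    elif p == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    enforcing = p in ("quarantine", "reject")
    spoofable = (not enforcing) or q == "+"
    return spoofable, findings


if __name__ == "__main__":
    for d in ("weak.example", "soft.example", "strict.example"):
        spoofable, notes = spoof_assessment(d)
        print(f"{d}: {'SPOOFABLE' if spoofable else 'protected'} {notes}")
```

Note that `soft.example` has both an SPF record and a DMARC record and is still spoofable: `p=none` only asks receivers for reports, which is the state many domains get stuck in after "deploying DMARC".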
[Live Webinar] Latest Business Email Compromise Scams - Don't Be the Next Victim

The bad guys are getting very creative: they impersonate an executive in your organization and ask for financial reports, or they ask employees in payroll to change the bank account details used for direct deposit.

According to the FBI, Business Email Compromise scams, also known as CEO fraud, have cost victims an estimated $12 billion. In addition, these attackers can be working on multiple potential victims at the same time.

Invoice fraud, escrow redirection, payroll fraud, and simple wire transfer fraud are all tools in the attacker's arsenal. Defending against these types of phishing attacks is possible by layering technical and non-technical controls, for example DMARC enforcement on the mail side and a mandatory call-back to a known number for any change to payment details on the process side.

Join us in this webinar, as we take an in-depth look at how the latest attacks work and the psychology and mechanics behind them. We will also discuss defensive measures you can take now to defend your organization against these attacks.

In this webinar you'll learn:
  • The truth about Business Email Compromise
  • How to defend against these attacks using technical and non-technical controls
  • Why building a human firewall is your best last line of defense
Save My Spot! Wednesday, August 15, 2018 2:00 pm ET

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The person who says it cannot be done should not interrupt the person who is doing it."
- Chinese Proverb

"The best luck of all is the luck you make for yourself." - Douglas MacArthur, General (1880 – 1964)

Thanks for reading CyberheistNews
Security News
Here Is a Way to Get Audits Done in Half the Time and Half the Cost

Join us on Tuesday, August 14, 2018, at 1:00 PM (ET) for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an easy-to-use and affordable compliance management tool...

Save My Spot!
Is Your Country One of the Best Prepared for Cyber-Attack? or Not...

A global ranking of countries exists to demonstrate which are the most committed to raising awareness for cybersecurity in preparation for cyber-attacks. How does your country rank?

One of the most respected measurements of cyber-preparedness is the Global Cybersecurity Index (GCI), created by the International Telecommunication Union (ITU). The index, which ranks countries based on a number of factors, found the following ten to be the most committed to cybersecurity:

Singapore, United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France, and Canada.

What makes these countries stand out is their commitment – at a national level – to establishing legal, technical, and organizational frameworks to address cybercrime, training and certification programs, and cooperative efforts to share information.

So, does that mean your organization is less of a target?

While these (and other) nation-states have made great strides in advancing awareness of cybersecurity, two things should be considered:
    • First: cyber-criminals don’t care; they’re continuing to evolve their craft, targeting organizations, industry verticals, and governments in an effort to make money.

    • Second: just because the nation in question has made huge commitments to advancing cybersecurity, it doesn’t mean your organization has.
Case in point: take the graph from Hiscox's latest Cyber Readiness Report – it represents the percentage of organizations of a given size that have experienced one or more cyber-attacks in the last 12 months. Note that the US (in the ITU's "top ten" list) and the UK (ranked just outside it) show attack rates similar to other nations.

So, don’t think that just because your country is well-ranked on the GCI that your organization is safe; in fact, take the opposite approach – be even more vigilant. You can’t let your guard down because the country as a whole has a good stance to address cybercrime – instead, think of it as your opportunity to take advantage of the great frameworks, industry experts, and security vendor products and services (such as KnowBe4’s Security Awareness Training), to make your organization’s security even better. Blog with graphs and links:
Going to Black Hat in Las Vegas This Year? Get Your Free Book Signed by Kevin Mitnick!

Check out all the activities KnowBe4 will be doing at Black Hat:
    • Get your free book signed by Kevin Mitnick: Drop by KnowBe4’s Booth #1428, at the Kevin Mitnick Book Signing. Meet the ‘World’s Most Famous Hacker’, get a signed copy of his new book: Wednesday, August 8, 5-7pm at KnowBe4’s Booth.
    • Enter to Win a 34” LG Curved UltraWide Monitor: Join us to see a short demo of the innovative KnowBe4 Security Awareness Training Platform to train and phish your users. You’ll also get your light-up "Axe To Grind With Ransomware” swag!

    • Learn the 12 ways hackers get around your favorite 2FA solution: Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, during the session “12 Ways to Defeat Two-Factor Authentication”, on Wednesday, August 8th, 4:10pm in Oceanside F. You'll learn about the good and bad of 2FA, and become a better computer security defender in the process:
Don’t Reach for Your Checkbook: It's Probably a Scam

If you receive a telephone call from the IRS saying you owe back taxes, or from the US Marshals saying you owe a fine for missing jury duty, it's a scam.

Don't let the Washington, DC, area code fool you. Neither the Internal Revenue Service nor the United States Marshals Service calls people to demand payment of fines, penalties, or tax bills.

The scammers are after two things: money and personal information. The US Federal Trade Commission (FTC) suggests that those who receive one of these calls not panic. Don't send cash or give up personal information. Cyber criminals know that impersonating government officials lends immediate credibility and urgency to just about any scheme they are attempting to cash in with.

Some scammers will give the victims a phony badge number, or correctly tell them the last four digits of their social security number. Regardless of how plausible and convincing the caller seems, the FTC strongly advises you not to pay.

The victims may be offered a number of alternative ways to pay. The FTC reminds everyone to remember that the IRS doesn't accept gift cards, cash re-load cards, or money transfers. That’s not how the Feds do business.

Anyone who gives in to such a scam in a moment of weakness should, once they've calmed down and returned to their senses, cancel any transfers they've ordered. And it's worth reporting the scam to the FTC at

Organizations as well as individuals can be victims. They interact with government agencies, pay taxes, and so on, and it's worth offering your people some reminders in periodic, interactive refresher training. If at the very least employees become aware that the IRS won't take payments over the phone, that's an important point gained. Nextgov has the story:
US Federal Court Rules Insurer Must Cover 834K BEC Losses

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise.

The Sixth US Circuit Court of Appeals found that an insurance company must cover business email compromise losses under a crime insurance policy. The decision, rendered in the case of American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, held that Travelers was required to cover American Tooling Center's loss of $834,000 which it transferred to a crook's bank account under the impression it was paying a Chinese subcontractor.

The loss began, as business email compromise incidents so often do, with a criminal compromising an email account, impersonating someone who might be able to direct or influence payment, and sending an email to the victim organization's financial or in this case accounts payable department.

The insurance company disputed the claim on the grounds that the policy only covered "direct" losses from crime, and that since American Tooling Center didn't lose anything until it chose to pay, the loss wasn't "direct" in the relevant sense.

It also argued that the loss didn't fall under the coverage of "computer fraud," because merely using a computer to induce a fraudulent transfer wasn't actually a case of using the computer to "cause" the fraud.

The court rejected both arguments. It also found that exclusions in the policy involving data entry by the victim, or "giving or surrendering money" in an "exchange or purchase," didn't apply, either.

All this will strike a lay audience as unpleasant hairsplitting, and of course we're not giving legal advice. But the decision seems to set two important precedents with respect to insurance for business email compromise.

As McGuireWoods explains in their account of the ruling, computer fraud need not involve any technical hacking or access to the victim's computer. An email can be the cause of the loss. Furthermore, the victim's "voluntary" act of wiring the money in response to social engineering doesn't make the fraud "indirect," which might have excluded the loss from coverage.

Federal Courts Do Not Agree?

A federal court in North Carolina recently decided that an employee who is tricked into sharing personal information in response to a phishing email can be seen as making an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face treble damages for the employee's mistake, adding a new element to potential exposure for businesses, and possibly finding that cyber insurance does not cover the loss.

Cyber insurance is still an immature market, and policies need to be read very carefully to make sure that employee error is covered. It's better not to be in the position of having to put in a claim for a business email compromise in the first place. Sound policies about answering requests for payment or funds transfers, well-drilled with effective new-school awareness training, are a better place to start.

The McGuireWoods Insurance Recovery Blog has the story:
What KnowBe4 Customers Say

"Hi Stu, I just wanted to thank you for the book you sent me last week by Roger A. Grimes, it's been a great read so far. I also wanted to thank you for the new phishing templates you have recently implemented.

Unfortunately my phish-prone percentage has gone up since I started testing with these new updates, but it provides me with some insight into who needs additional training. Keep up the great work; your tools have been valuable in helping me to change the culture in our company in how everyone views email. Very satisfied customer."
- A.D. System Administrator

"Thank you very much for checking in. I am very impressed at KnowBe4's customer service and support, it's fantastic! The phishing simulation is amazing too, it was just what I was looking for and most importantly it came at a great price, and included the online training; the previous year we went with another company that was very expensive. We're about to try the training Aug. 1st. I've been in the IT security field for quite a while now, and KnowBe4's services really help me out and make my life so much easier. Many thanks!"
- D.M. Systems Admin
The 10 Interesting News Items This Week
    1. Less than 30% of SMBs have an IT security pro on staff. YIKES:

    2. End-user security awareness training is a must-have. Excellent ammo:

    3. DHS Unveils National Risk Management Center:

    4. Ransomware Attack At Blue Springs Medical Practice Exposes 45,000 Patient Records:

    5. Kremlin Hackers Take Aim at the Swiss Lab That’s Working the Skripal Poisoning Case:

    6. Reddit Breach Highlights Limits of SMS-Based Authentication:

    7. Kevin Mitnick: An interview on Trump, Russians, and blockchain with the world’s most famous hacker:

    8. Social Engineering Attacks: What Makes You Susceptible?:

    9. Staff dust off their typewriters after ransomware attack:

    10. The Tesla Model 3 Makes The Future Feel Normal:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
