CyberheistNews Vol 8 #37
Scam Of The Week: "The Boss Needs iTunes Gift Cards for Customers...NOW"
If you ever wondered if those iTunes gift card phishes really work, see the below email exchange.
Yep, that overzealous employee actually drove around town from store to store picking up iTunes gift cards for the bad guys because there was a limit on the number of cards that could be bought at any one store at one time.
All told, poor Emily bought TWENTY $100.00 iTunes gift cards for these criminals. Still worse, she put them ON HER OWN PERSONAL CREDIT CARD!
Wonder if her company will reimburse her? Kinda feel sorry for her. Sometimes it helps to get security awareness training from your organization. Emily was not trained. Don't be Emily. :-)
Here is the email exchange in chronological order. Note the time stamps are the originals and from different time zones. Names are changed to protect the innocent. John Carpenter is the C-level executive of "distracted . com" and was spoofed by the bad guys. We even have pictures of the gift cards. Blow-by-blow at the blog: https://blog.knowbe4.com/scam-of-the-week-the-boss-needs-itunes-gift-cards-for-customers...-now
RELATED TOP POSTS THIS WEEK:
- [ALERT] CEO Fraud Escalates. Bad Guys Now Go After Employee Personal Address and Phone Number:
https://blog.knowbe4.com/alert-ceo-fraud-escalates.-bad-guys-now-go-after-employee-personal-address-and-phone-number
- Phishing Warning: One in Every One Hundred Emails Is Now a Hacking Attempt:
https://blog.knowbe4.com/phishing-warning-one-in-every-one-hundred-emails-is-now-a-hacking-attempt
[VIDEO] How Fast Can Your Domain Admin Password Be Cracked?
A surprising 19% of employees of small and medium-sized businesses (SMBs) share their passwords with coworkers, according to a study by Switchfast. These shared passwords are usually very weak and are rarely changed, leaving them vulnerable to brute-force attacks. Passwords are usually shared for convenience, but the practice drastically increases the likelihood that a critical account will be breached.
Not that *you* will share your domain admin password with anyone, but watch this brand-new video and shiver.
Watch This Video That Shows How Fast a 17-character Password Can Be Cracked:
https://blog.knowbe4.com/video-password-sharing-means-not-caring
Brand-New Ransomware Simulator Tool Now With Cryptomining Scenario
Bad guys are constantly coming out with new malware versions to evade detection. That’s why we’ve updated our Ransomware Simulator tool “RanSim” to include a new cryptomining scenario!
This new cryptomining scenario simulates a Monero cryptocurrency-mining operation on the local machine. Monero is the cryptocurrency most commonly mined by real-world malware, and mining it consumes a lot of CPU and GPU cycles to process the data needed to generate the currency.
Try KnowBe4’s NEW Ransomware Simulator tool and get a quick look at the effectiveness of your existing network protection against the latest threats. RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable.
Here's how RanSim works:
✔ 100% harmless simulation of real ransomware and cryptomining infection scenarios
✔ Does not use any of your own files
✔ Tests 14 different types of infection scenarios
✔ Just download the installer and run it
✔ Results in a few minutes!
This is complimentary and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!
https://info.knowbe4.com/ransomware-simulator-tool-1chn
Live Webinar: The Quantum Computing Break Is Coming... Will You Be Ready?
Quantum computing is a game-changer and will have a huge impact on the way we do business, safeguard data, explore space, and even predict weather events. Yet some experts say that in the not-so-distant future quantum computers will break existing public key cryptography forever.
Join Roger Grimes, KnowBe4 Data-Driven Defense Evangelist, as he explores the way bad guys will be able to use more secrets against you than ever before, especially in increasingly sophisticated spear phishing attacks.
Attend this exclusive event to learn what you can do to prepare.
- Why quantum computing is different from traditional binary computing
- How close quantum computers are to breaking traditional public key cryptography
- What defenses you can deploy after public key cryptography is broken
- How to prepare your users - your best, last line of defense
Date/Time: Wednesday, September 19th at 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/1821427/3A886010593824B331BCAB5200E83308?partnerref=CHN
Try This Weak Password Test for a Chance to Win a Nintendo Switch
Are your users’ passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords. Employees are the weakest link in your network security.
KnowBe4's no-charge Weak Password Test checks your Active Directory for 10 different types of weak-password-related threats and reports any fails so that you can take action. Plus you’ll be entered to win a Nintendo Switch!
This will take you 5 minutes and may give you some insights you never expected.
https://info.knowbe4.com/wpt-sweepstakes-092018
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc
Quotes of the Week
"Nothing is impossible, the word itself says 'I'm possible'" - Audrey Hepburn
"It always seems impossible until it's done." - Nelson Mandela
Thanks for reading CyberheistNews
Security News
Hackbusters - Where Can You Discuss All Things Social Engineering?
The KnowBe4 Hackbuster’s Forum is an online community dedicated to stopping the bad guys that use social engineering to hack your organization. Our Hackbusters discussion forum is a moderated, spam-free forum primarily for KnowBe4 clients (but also inclusive of your peers interested in social engineering.)
HackBusters contains thousands of messages from KnowBe4 users and our staff. Forum members can post messages to the community or just read through existing threads and Q/A.
Topics: Phishing, Ransomware, Social Engineering, Security Awareness Training Best Practices, Scripting Tools and Other Topics.
We even have some fun by following the latest social engineering shows on TV and in film. Our favorite is Mr. Robot. Rumor has it that we could see Mr. Robot season 4 in November! You're invited to join the discussion:
https://discuss.hackbusters.com/
The Evolution of "Friendly Name" Spoofing During Phishing Attacks
Our friends at Bleepingcomputer had a great article written by Ionut Ilascu I think you will like: "While phishing continues to be the prevalent threat in malware-less email-based attacks, cybercriminals refine their methods by adding an impersonation component to increase the success rate against company employees.
Impersonation attacks, also known as CEO fraud and business email compromise (BEC), are somewhat targeted and require the threat actor to do some reconnaissance about the recipient or the company they work for. This method is more difficult to detect by traditional security solutions because it typically does not follow a pattern." Continue and learn how the bad guys have changed the way they spoof email addresses:
https://blog.knowbe4.com/the-evolution-of-friendly-name-spoofing
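The "friendly name" spoof described above, and the gift-card scam at the top of this issue, both rely on a display name that matches a real executive while the actual address (or the Reply-To) points somewhere the attacker controls. The script below is an added example written for this newsletter, not code from KnowBe4 or from the Bleepingcomputer article: it parses message headers and flags a From display name that matches a known executive but sits on an external domain, plus any Reply-To that diverts replies to a different domain. The organization domain `distracted.example`, the executive list and the three sample messages are constructed for the example.

```python
"""Flag display-name ("friendly name") impersonation of known executives.

Added example, not KnowBe4's or Bleepingcomputer's code. Assumes a list of
executive names and the organization's own domain (both constructed here).
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed: the organization's domain and the executives whose names a
# BEC / CEO-fraud message is likely to borrow.
ORG_DOMAIN = "distracted.example"
EXECUTIVES = {"John Carpenter"}


def _normalize(name: str) -> str:
    """Lower-case, drop quotes and punctuation, collapse spaces, and turn
    'Last, First' into 'first last' so name variants compare equal."""
    name = name.strip().strip('"\'')
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> list:
    """Return findings for one message's headers.

    exec-name-external-address: display name matches an executive but the
        address is not on ORG_DOMAIN (the classic friendly-name spoof).
    reply-to-mismatch: Reply-To domain differs from the From domain, so
        replies are diverted even when From itself looks right.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    norm_execs = {_normalize(e) for e in EXECUTIVES}
    if _normalize(from_name) in norm_execs and _domain(from_addr) != ORG_DOMAIN:
        findings.append("exec-name-external-address")

    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample headers: a spoof using the executive's name on a
# webmail address, a legitimate internal message, and an internal-looking
# message that diverts replies elsewhere.
SPOOF = (
    "From: John Carpenter <ceo.distracted@webmail.example>\n"
    "To: emily@distracted.example\n"
    "Subject: Need iTunes gift cards for customers...NOW\n\nbody"
)
LEGIT = (
    "From: John Carpenter <john.carpenter@distracted.example>\n"
    "To: emily@distracted.example\n"
    "Subject: Q3 planning\n\nbody"
)
DIVERTED = (
    "From: John Carpenter <john.carpenter@distracted.example>\n"
    "Reply-To: John Carpenter <john.carpenter@webmail.example>\n"
    "To: emily@distracted.example\n"
    "Subject: Quick favor\n\nbody"
)

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT), ("diverted", DIVERTED)):
        print(label, check_headers(raw))
```

In a mail gateway this kind of check is a tagging rule, not a block: a matching display name on an external domain is common for personal mail and vendors, so the practical move is to prepend a visible warning banner for the recipient and route the hit to the team that handles reported phish.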
Here’s Why Business Email Compromise Is Still Driving Executive Identity Theft
All it took was access to a lawyer’s email, and suddenly, almost $532,000 was in the wrong hands.
This business email compromise (BEC) scam began simply: A criminal in Los Angeles named Ochenetchouwe Adegor Ederaine, Jr. gained access to a real estate lawyer’s email and sent fake messages to a buyer, according to the U.S. Department of Justice. Soon after, the purchaser sent that six-figure payment to a bank account controlled by Ederaine — one of 23 he had set up at various California financial institutions using six different false identities.
He used this same kind of attack over and over between March 2016 and November 2017 before federal authorities caught up with him. The scheme worked for as long as it did because the criminal didn’t compromise just any email accounts — he carefully selected his targets to maximize his chances for success.
A Persistent Problem
Impostors are tricking workers into sending money to rogue bank accounts at an alarming rate. From December 2016 to May 2018, the FBI observed a 136 percent increase in losses to BEC scams. This type of attack has been reported in all 50 states and in 150 countries.
The real estate sector is particularly at risk, and criminals like Ederaine are making off with huge sums. From 2015 to 2017, the number of real estate transaction incidents increased by more than 1,110 percent, and losses reported to the FBI ballooned by almost 2,000 percent.
The basic strategy is simple and, according to another FBI report, the crime has been observed in five basic flavors:
- Invoice schemes — Criminals pretend to be suppliers, create a mock invoice and trick firms into payment.
- Account compromise — Criminals impersonate an authority figure in an organization and order someone to make a payment.
- Attorney impersonations — Criminals convince victims to remit payment to a bogus account.
- CEO fraud — This is similar to an account compromise, but with the added heft of an order appearing to come from the top position in an organization.
- Data theft — Criminals target human resources workers and trick them into coughing up tax statements and other personal information.
Like many scams, BEC often appears obvious in hindsight. A person reading a story about an incident is already in an anti-fraud mindset, but busy workers are often targeted at just the wrong time, and anyone can suffer a momentary lapse. That’s why defense against BEC requires multiple layers. Story continued at:
https://securityintelligence.com/heres-why-business-email-compromise-is-still-driving-executive-identity-theft/
Mobile Attack Rates up 24% Globally, 44% in US
One-third of all fraud targets are mobile, a growing source of all digital transactions.
The proportion of mobile-vs.-desktop transactions has nearly tripled in the last three years, and instances of mobile fraud and cyberattacks have grown as attackers go where their victims are.
More than half (58%) of digital transactions now originate from mobile devices, ThreatMetrix researchers discovered in their Q2 Cybercrime Report 2018. One-third of all fraud now targets mobile, with global attacks up 24% compared with the first half of 2017. The United States saw a far higher growth rate: Mobile cyberattacks increased 44% during the same time period.
The financial services sector has been hit hard with the growth of mobile cybercrime. Of the 81 million attacks to hit the industry in the first half of 2018, 27 million targeted mobile devices as fraudsters capitalize on the rise of mobile banking adoption. The biggest threat to financial services, researchers report, comes from device spoofing.
Attackers attempt to trick banks into thinking fraudulent login attempts are coming from new customer devices. Identity spoofing is a broad problem, especially on social networks and dating websites, which have the highest mobile footprint across industries: 85% of total transactions, and 88% of account creations, for social sites happened on mobile devices.
Identity spoofing makes up 13.3% of attacks on this sector; attackers often use proxy servers to trick their victims into thinking they're geographically closer than they are. Read more details here:
https://www.darkreading.com/mobile/mobile-attack-rates-up-24--globally-44--in-us/d/d-id/1332798
Scam Calls Expected to Account for Almost Half of US Mobile Traffic by 2019
A new study, just released by First Orion, predicts that by next year nearly half of US mobile phone calls will be scams. The company, which is in the call protection business, analyzed more than 50 billion calls made to its customers over the last year and a half.
Their analysis led them to project that, if things continue as they have, almost fifty percent of calls to mobile phones in the US will involve some form of fraud. Recent trends are depressing. First Orion’s results suggest that 3.7% of all calls in 2017 were fraudulent, and that this total has risen to 28.2% in 2018.
They extrapolate the scam fraction to an unpleasant 44.6% by early next year. Such trends represent an educated guess, of course, but they're certainly consistent with the experience many people have with their phones. One of the more common forms of fraud the study saw was neighborhood spoofing: a scammer disguises their phone number to appear as a local number on the recipient's caller ID.
This may seem an obvious form of social engineering, but it seems effective: people are more likely to pick up if they think the caller is from the same area code and shares their three-digit prefix. They answer and they receive a robocall. A lot of the spoofed numbers belong to actual neighbors, and they're victims, too.
They get call-backs, complaints, and other nuisance interactions. There are partial technical fixes for this problem on offer. But organizations can help their employees handle fraudulent calls with some effective, interactive awareness training. Alert users can deflect scams.
The robocall will still be irritating, but at least your people will stand a good chance of not sharing their passwords with that serious-sounding young man who offers greetings of the day and then tells them their Windows computer is infected with malware, etc. And trust us: the widow of a Nigerian prince is unlikely to be using the phone number of the retired nurse who lives down the block.
BetaNews has the story: https://betanews.com/2018/09/12/mobile-scam-calls/
Why Bother with Malware When You Can Go Phish?
A survey of senior IT security professionals in the UK reports that 50% of CISOs say their biggest security incident over the past year was caused by phished credentials, not malware or exploitation of unpatched systems.
Phishing caused 48% of the breaches their organizations sustained. Malware accounted for 22%. Malware and exploitation of unpatched systems combined still came in second, at only 41%.
Phishing for credentials is the preferred method of both criminals and nation-state intelligence services. It is, of course, a form of social engineering. That's a human problem and therefore a problem that isn't going away. But it can be helped with effective, interactive awareness training. Help Net Security has the story:
https://www.helpnetsecurity.com/2018/09/13/phished-credentials/
Want to Know How to Break Into a Henhouse? Hire a Fox
Red teaming starts with research. So does social engineering. Red teaming is the practice of thinking and acting like an attacker to test an organization’s defenses, according to security consultant and penetration tester Justin White.
White recently spoke with Joe Carrigan for the CyberWire’s Hacking Humans podcast, where he explained the type of work he does as a professional red teamer. White defines red teaming as an “object-driven security assessment penetration test that's very broadly scoped,” which typically involves a physical break-in and using social engineering tactics to manipulate employees.
The first step in this process is open-source intelligence gathering, where White and his team will scour the Internet, particularly social media, for information about the company and its employees. White will then use this information to ingratiate himself with the company’s employees and win their trust.
“I'm always just trying to get little bits of information from different individuals that I can take and pivot to other individuals or other places. And I can use that to my advantage to sound more convincing that I am who I say I am or I'm here to do what I said to do because, you know, I know this name.
I know about this thing that's going on at the company. Did you see what happened at the holiday party? That was crazy. You know, I've got little anecdotes like that to tell to make myself just sound more legitimate.”
White says that, in most cases, the most difficult obstacles he encounters while red teaming are organizations with sound security policies and employees who follow those policies:
“Usually it comes down to they're just following the rules. I'm sorry, sir. I really want to help you, but our policy is this and this. And, you know, that's a good thing and a bad thing. It's a good thing for the company.
It's a bad thing for me. But also, that - what it tells me is that companies really need to be sure that their policies are sensible because the employees for the most part will follow policies. However, sometimes we find that their policies have gaps in them. And it's possible just following the policies that exist that you can exploit information from them. So you have to have good policies.”
When asked for his advice on how to avoid falling victim to social engineering, White replied that the best practice is to be diligent and remain aware of the circumstances. When the company’s policy is unclear, employees should follow up on the situation and make sure others are informed, rather than letting someone into the office based on trust.
“That's why this whole social engineering works in the first place,” he explains, “It's human nature to want to help people.” One of the best ways to increase employees’ awareness is through interactive training that allows them to face social engineering practices in a safe environment before they encounter it in the real world. Hacking Humans has the story:
https://thecyberwire.com/podcasts/cw-podcasts-hh-2018-08-30.html
Want to get the best pen-testers in the world? Hire Kevin Mitnick's Ghost Team:
https://www.mitnicksecurity.com/security/information/penetration-testing
What KnowBe4 Customers Say
"So far we are really impressed with the product and the support/attention of your staff. It was challenging to get non-technical managers to see this as a training program and not an audit before we actually started the program.
We had our quarterly IT steering committee meeting last week and it was awesome to see everyone in the room including the CEO start to light up with what this product can do for us. Thanks."
- E.G., Chief Information Officer, VP
"Thank you very much for following up. We've been using the phishing service as well as the training content. I have been very happy with the service and quality of the content as well as the account executives I deal with. I do appreciate them checking in with me monthly as it helps with increasing my engagement with the solution and ensures I get exposed to new features and content.
We are also a Compliance Manager customer and I have been very happy with that as well. We have really started to dive into it and plan to expand its use and look forward to the release of the Risk Management tool.
I've also been told that a vendor management solution is on the roadmap and look forward to seeing what that has to offer. We implemented a vendor management solution here about six months ago and the more time I spend in it, the less happy with the purchase I am.
We've been very pleased with the product and I've shared that with my peers on more than one occasion. I'm always happy to see a locally based organization do well, and from everything I've seen and read, your organization is on the right track. Thank you again for the follow-up." - P.M., Director of IT Security
PS: If you want to see KnowBe4 compared to other products on an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
https://www.gartner.com/reviews/market/security-awareness-computer-based-training
The 10 Interesting News Items This Week
- Wanted: Data Breach Risk Assessments. Now here is a great new concept!:
https://www.csoonline.com/article/3304286/data-breach/data-risk-ratings-because-not-all-data-breaches-are-equal.html
- Cyber attacks cost German industry almost $50 billion. Study:
http://www.oann.com/cyber-attacks-cost-german-industry-almost-50-billion-study/
- Phished credentials caused twice as many breaches as malware in the past year:
https://www.helpnetsecurity.com/2018/09/13/phished-credentials/
- Making an Impact With Security Awareness Training: Continuous Contextual Content:
http://securosis.com/blog/14945
- KnowBe4 Wins Channelnomics Security Award for Best Security Training:
https://www.knowbe4.com/press/knowbe4-wins-channelnomics-security-award-for-best-security-training
- Understanding Russian Information Operations:
https://www.afcea.org/content/understanding-russian-information-operations
- The Trump administration hopes to change the ‘entire ecosystem’ of cybersecurity norms:
https://www.fifthdomain.com/civilian/dhs/2018/09/07/the-trump-administration-hopes-to-change-the-entire-ecosystem-of-cybersecurity-norms/
- Can there be such a thing as a "cyber moonshot?":
https://thecyberwire.com/events/9thBillCSSummit/can-there-be-such-a-thin-as-a-cyber-moonshot.html
- How Hackers Slipped by British Airways' Defenses:
https://www.wired.com/story/british-airways-hack-detaeils/
- An EU copyright bill could force YouTube-style filtering across the Web:
https://arstechnica.com/tech-policy/2018/09/an-eu-copyright-bill-could-force-youtube-style-filtering-across-the-web/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Weather Channel reporter acts like hurricane Florence is about to blow him over... while two guys casually stroll by in the background. EPIC FAIL:
https://www.flixxy.com/fake-news-on-the-weather-channel.htm?utm_source=4
- Here is how to do it right. Check out that fantastic CGI virtual weather!
https://www.inverse.com/article/49022-how-the-tech-in-the-viral-weather-channel-graphic-will-change-newscasting
- [VIDEO] How Easy/Fast It Is To Crack Your Domain Admin Password:
https://www.youtube.com/watch?v=K-96JmC2AkE&feature=youtu.be
- Why We Say 'OK'. How a cheesy joke from the 1830s became the most widely spoken word in the world:
https://www.flixxy.com/why-we-say-ok.htm?utm_source=4
- This Rust-Wrapped Dodge Challenger SRT Hellcat Is Making Me Have a True Existential Debate:
https://jalopnik.com/this-rust-wrapped-dodge-challenger-srt-hellcat-is-makin-1828859170
- Recently Digitized Journals Grant Visitors Access to Leonardo da Vinci’s Detailed Engineering Schematics and Musings:
https://www.thisiscolossal.com/2018/09/recently-digitized-journals-by-leonardo-da-vinci/
- You Can Drink Champagne In Space—Yes, Really:
https://www.wired.com/story/you-can-drink-champagne-in-space/
- A New Robotic Fly Dips And Dives Like The Real Thing:
https://media.wired.com/clips/5b99a3b5eeaf330b6fd5a503/master/pass/inline-clip.mp4
- Why the U.S. Is Backing Killer Robots. Hmmmm. Check out the link: "Campaign to Stop Killer Robots":
https://www.popularmechanics.com/military/research/a23133118/us-ai-robots-warfare/
- World's Fastest Female Cyclist - 147 mph (236 km/h). Denise Mueller-Korenek set the women's paced bicycle speed record in 2016, pedaling to 147 miles per hour:
https://www.flixxy.com/worlds-fastest-woman-on-a-bicycle-147mph-236-kmh.htm?utm_source=4
- Data Science Glossary | Data Science Blog:
https://dimensionless.in/data-science-glossary/