CyberheistNews Vol 8 #47 [Heads-Up] Bad Guys Are Now Taking Over Email Inboxes Without Phishing Attacks

I found a great article in SecurityWeek by Alastair Paterson, the CEO of Digital Shadows. Could not have said it better myself, and he alerted everyone about an attack vector that was even a new one to me: email archives.

At the end, he suggests 7 security measures to mitigate these risks. You should really check out how your own organization is doing with those.

"We’ve all heard the proverb: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. Well now, threat actors don’t even have to exert the effort to phish to land business email accounts.

According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows:
    • Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a colleague or supplier.

    • Account takeover: Here, attackers use information-stealing malware and keyloggers to gain access to and hijack a corporate email account, which they then use to make fraudulent requests to colleagues, accounting departments and suppliers. They can also alter mailbox rules so that the victim’s email messages are forwarded to the attacker, or emails sent by the attacker are deleted from the list of sent emails.
These techniques have served threat actors well for quite some time. But now we are seeing new, more expeditious methods emerge to gain access to business email accounts. Compromised credentials being offered on criminal forums, exposed through third-party compromises, or vulnerable through misconfigured backups and file sharing services, make the opportunity to profit from BEC easier than ever.

Email inboxes are also being used not just to request wire transfers, but to steal financially-sensitive information stored within these accounts or to request information from other employees. With declining barriers to entry for BEC, and more ways to monetize this type of fraud, we can expect the losses to continue to rise and perhaps even accelerate in the near term.

Here’s how these alternative methods work:
    1. Paying for access. It’s common for accounts to be shared and sold across criminal forums, and the emails of finance departments and CEO/CFOs are no exception. It’s even possible to outsource this work to online actors who will acquire company credentials for a percentage of earnings or a set fee beginning as low as $150.

    2. Getting lucky with previously compromised credentials. As I’ve discussed before, individuals will often reuse passwords across multiple accounts. In our research we’ve detected more than 33,000 finance department email addresses exposed within our own third-party data breach repository, 83 percent of which had passwords associated. With many email and password combinations of finance department email accounts already compromised, cybercriminals can get lucky.

    3. Searching across misconfigured archives and file stores. Inboxes, particularly those of finance departments and CEO/CFOs, are replete with financially-sensitive information such as contract scans, purchase orders, and payroll and tax documents. This information can be used for fraud or re-sold on forums and marketplaces.
The sad reality is that there’s no need to go to a dark web market when sensitive data is available for free on the open web. Employees and contractors sometimes turn to easy, rather than secure, ways of archiving their emails. We identified that more than 12.5 million email archive files and 50,000 emails that contained “invoice”, “payment” or “purchase order” have been exposed due to unauthenticated or misconfigured file stores.

Regardless of the method attackers use to perform a BEC scam, the following seven security measures can help to mitigate the risks. Continued at the KnowBe4 blog:
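The account-takeover item in the quoted article describes attackers altering mailbox rules so that the victim's mail is forwarded to them, or so that the attacker's own sent messages are deleted. The audit below is an added example, not code from the newsletter or from Digital Shadows' research: it scores a simplified mailbox-rule export for exactly those signs. The InboxRule field names, the internal domain example.com and the four sample rules are constructed assumptions, not any mail platform's export format.

```python
"""Audit mailbox inbox rules for signs of account takeover (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domains
# Folders that users rarely open, so mail moved there is effectively hidden.
SUSPECT_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "conversation history"}
FINANCE_KEYWORDS = ("invoice", "payment", "purchase order", "wire", "bank", "remittance")


@dataclass
class InboxRule:
    """Simplified mailbox rule; field names are this example's own, not a vendor schema."""
    name: str
    forward_to: List[str] = field(default_factory=list)    # addresses a copy is forwarded to
    redirect_to: List[str] = field(default_factory=list)   # addresses the message is redirected to
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: List[str] = field(default_factory=list)


def external_addresses(addresses: List[str], internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return the addresses whose domain is not one of the organisation's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in internal_domains]


def mentions_finance(rule: InboxRule) -> bool:
    """True when the rule's subject condition keys on finance-related wording."""
    subjects = " ".join(rule.subject_contains).lower()
    return any(keyword in subjects for keyword in FINANCE_KEYWORDS)


def audit_rule(rule: InboxRule, internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return human-readable findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    ext = external_addresses(rule.forward_to + rule.redirect_to, internal_domains)
    if ext:
        findings.append("forwards or redirects mail outside the organisation: " + ", ".join(ext))
    finance = mentions_finance(rule)
    # Deleting or hiding mail is normal for spam rules; it is only flagged when the same
    # rule also leaks mail externally or targets finance-related messages.
    if rule.delete_message and (ext or finance):
        findings.append("deletes messages" + (" that match finance keywords" if finance else " after forwarding them"))
    if rule.move_to_folder.lower() in SUSPECT_FOLDERS and (ext or finance):
        findings.append(f"hides matching mail in '{rule.move_to_folder}'")
    if len(rule.name.strip()) <= 1:
        findings.append("rule name is empty or a single character, so it is easy to overlook")
    return findings


def audit_mailbox(rules: List[InboxRule], internal_domains=INTERNAL_DOMAINS) -> Dict[str, List[str]]:
    """Map each rule name to its findings, keeping only rules that raised something."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample export: one benign filing rule, one takeover-style rule, one
# internal redirect, and one rule that parks wire-transfer mail in an unread folder.
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule(".", forward_to=["finance.backup@mail-example.net"], delete_message=True,
              subject_contains=["invoice", "payment"]),
    InboxRule("Vendor copies", redirect_to=["ap@example.com"]),
    InboxRule("Clean up", move_to_folder="RSS Feeds", subject_contains=["wire transfer"]),
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Plain delete or move rules are not flagged on their own, since users create those for spam and mailing lists; the script raises them only when the same rule also sends mail out of the organisation or keys on finance wording. In a real deployment the rule records would come from the mail platform's own export and the domain set from the organisation's accepted domains.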
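The third method in the quoted article, searching misconfigured archives and file stores, is something a defender can run against their own shares before anyone else does. The inventory script below is an added example, not code from the newsletter or from Digital Shadows: it walks a directory tree, lists email archive files by extension, and for the plain-text formats it can read (.eml, .mbox) reports whether they mention "invoice", "payment" or "purchase order". The sample tree it builds in a temporary directory is constructed for the example.

```python
"""Inventory email archive files on a file share (added example)."""
import os
import re
import tempfile
from typing import Dict, List

ARCHIVE_EXTENSIONS = {".pst", ".ost", ".mbox", ".eml", ".msg"}
# The three terms the quoted research searched for, matched as whole words.
FINANCE_PATTERN = re.compile(r"\b(invoice|payment|purchase order)\b", re.IGNORECASE)
MAX_SCAN_BYTES = 1_000_000  # only the first megabyte of a text archive is inspected


def classify_file(path: str) -> List[str]:
    """Return reasons this file deserves review; [] if it is not an email archive."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in ARCHIVE_EXTENSIONS:
        return []
    reasons = [f"email archive ({ext})"]
    if ext in (".eml", ".mbox"):  # text formats; PST/OST/MSG are binary containers
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            hits = sorted({m.lower() for m in FINANCE_PATTERN.findall(fh.read(MAX_SCAN_BYTES))})
        if hits:
            reasons.append("mentions " + ", ".join(hits))
    return reasons


def find_exposed_archives(root: str) -> Dict[str, List[str]]:
    """Map each archive file under root (as a forward-slash relative path) to its reasons."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = classify_file(path)
            if reasons:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return report


def build_sample_tree(root: str) -> None:
    """Write a constructed file tree resembling a shared backup folder."""
    files = {
        "backups/outlook-2017.pst": b"!BDN" + b"\0" * 64,  # PST files start with the bytes !BDN
        "shared/orders/po-4471.eml": b"Subject: Purchase Order 4471\n\nPlease process the attached invoice.\n",
        "shared/notes/todo.txt": b"buy milk\n",
        "shared/newsletter.eml": b"Subject: Weekly digest\n\nNothing financial here.\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo_report() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and return the inventory of it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_exposed_archives(tmp)


if __name__ == "__main__":
    for rel_path, reasons in sorted(demo_report().items()):
        print(rel_path, "->", "; ".join(reasons))
```

Pointed at a real share root, the same walk tells you which archives exist and where, which is the inventory you need before deciding what to move behind authentication or delete; binary PST/OST files are listed but not opened, since reading them needs a dedicated parser.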

As You Read This, It's Cyber Monday. How to Avoid Security Threats

InfoSecBuzz asked a number of security experts for their advice on the top security threats and how to avoid them. These are specialists from Alienvault, Cylance, Cybereason, F5 Networks, Kaspersky, Tripwire, and more.

Quite a few warned against the same things, so here is a quick summary of the Top 10 security threats for users and Top 5 for IT pros, with a link to the full article at the end.

I would copy and paste the section for your users, and email it to them as a reminder early in the day!

Here are the lists at the KnowBe4 blog; please forward this link to any friends, family or peers you think might need it:

Will You Get Spoofed Over the Holidays? Find out for a Chance to Win...

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus if you’re in the US or Canada, you'll be entered for a chance to win a $500 Amazon Gift Card (just in time for the holidays)!

Find out now if your email server is configured correctly; many are not.

Try to Spoof Me!
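The spoof test above asks whether your mail server is set up so that others cannot send as your domain. The DNS records receivers consult for that are the domain's SPF and DMARC TXT records, and the checker below is an added example, not KnowBe4's Domain Spoof Test: it takes the two records as strings and reports the weak settings (a permissive or soft-fail `all`, a monitor-only `p=none`, a partial `pct`, no reporting address). Resolving the records from DNS is left to the caller, and the sample records are constructed.

```python
"""Offline SPF/DMARC policy checker (added example, not KnowBe4's test)."""
from typing import Dict, List, Optional

# SPF terms that each cost a DNS lookup; the evaluator gives up after ten.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Optional[Dict[str, object]]:
    """Split an SPF record into its mechanisms and the qualifier on 'all'; None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms = terms[1:]
    all_term = next((t for t in mechanisms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None
    elif all_term[0] in "+-~?":
        qualifier = all_term[0]
    else:
        qualifier = "+"  # an unqualified mechanism defaults to pass
    return {"mechanisms": mechanisms, "all": qualifier}


def lookup_count(mechanisms: List[str]) -> int:
    """Count top-level lookup terms (includes are not expanded, so this is a lower bound)."""
    count = 0
    for term in mechanisms:
        name = term.lstrip("+-~?").lower().split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count


def assess_spf(record: Optional[str]) -> List[str]:
    """Findings for the domain's SPF record; an empty list means it enforces."""
    if record is None:
        return ["no SPF record: receivers cannot tell which servers may send for the domain"]
    spf = parse_spf(record)
    if spf is None:
        return ["TXT record is not SPF (must start with v=spf1)"]
    findings: List[str] = []
    qualifier = spf["all"]
    if qualifier is None:
        findings.append("no 'all' mechanism: senders not listed get a neutral result")
    elif qualifier == "+":
        findings.append("'+all' authorises every host to send as the domain")
    elif qualifier == "?":
        findings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    elif qualifier == "~":
        findings.append("'~all' only soft-fails spoofed mail; pair it with an enforcing DMARC policy")
    if lookup_count(spf["mechanisms"]) > 10:
        findings.append("more than 10 DNS-lookup terms: evaluation ends in permerror")
    return findings


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Turn 'tag=value; tag=value' into a dict; None unless v=DMARC1 is present."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Findings for the domain's DMARC record; an empty list means reject with reporting."""
    if record is None:
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM alignment"]
    tags = parse_dmarc(record)
    if tags is None:
        return ["TXT record is not DMARC (must contain v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("'p' tag missing or invalid, so the record is ignored")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail that fails alignment is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends failing mail to spam rather than rejecting it")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or int(pct_raw) < 100:
        findings.append(f"pct={pct_raw}: the policy applies to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts are not collected")
    return findings


def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> Dict[str, List[str]]:
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}


# Constructed sample records for a weakly and a properly configured domain.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example-mailer.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

Note that a clean SPF result says nothing about the From header a user actually sees; only an enforcing DMARC policy ties the two together, which is why the checker treats `~all` without `p=reject` as a finding rather than a pass.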

Live Demo: Simulated Phishing and Security Awareness Training

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us, Wednesday, December 5, 2018, at 2:00 p.m. (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 21,000+ organizations have mobilized their end-users as their human firewall.

Save My Spot!

Free eBook Cyberheist: The BIGGEST Financial Threat Facing American Businesses

Cybercrime has gone pro over the last 10 years. Attacks have become much more sophisticated and intense. The bad guys are now going after your employees. They bypass your firewall/antivirus security software and social engineer your employees to click on a malicious link or open an infected attachment. From that point forward they hack into your network and put keyloggers on accounting systems.

You can guess the rest. A few days later the organization’s bank accounts are empty, or valuable corporate intellectual property is stolen. Another cyberheist victim. It’s happening right now, as you read this. The Cyberheist eBook was recently fully updated and written for the IT team and owners / management of Small and Medium Enterprises. Want to read this bestseller?

As a newsletter subscriber, you can get this as a complimentary full 250-page eBook!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check out the *new* position that KnowBe4 has in the new Gartner Magic Quadrant!

Quotes of the Week
"Our prime purpose in this life is to help others. And if you can't help them, at least don't hurt them."
- Dalai Lama

"First they ignore you, then they laugh at you, then they fight you, then you win." - Mahatma Gandhi

Thanks for reading CyberheistNews

Security News

Phishing Accounts for 50% of All Fraud Attacks [InfoGraphic]

According to the latest research from RSA, attacks intent on committing financial fraud most frequently begin with tried and true phishing.

Financial fraud is a lucrative business for cybercriminals. Running the gamut from targeting banks directly to social engineering used to trick someone into giving up online credentials or a credit card, there are myriad ways to take advantage of the unwitting. No matter the method, financial fraud attacks need to start with manipulating an individual somehow.

RSA’s just-released Q3 Fraud Report shows a 70% rise in phishing attack volume, making phishing the number 1 attack method for financial fraud attacks. This increase highlights the simplicity and effectiveness of phishing (via email, phone call or SMS text, according to the report).

The work necessary to fool an individual – given the ability for attackers to hit millions of email recipients at once – is minimal when compared to the financial take on the other end of the scam.

Some interesting details in the report include:
  • Canada, the United States, and Netherlands topped the list of targeted countries
  • 1 in 9 attacks targeted Latin America
  • The United States hosted 48% of the attacks last quarter
  • Mobile Browser-based attacks increased 16% over last quarter
Cybercriminals have their sights firmly set on attacks that yield the most revenue for their organization. Financial Fraud represents one of the clear paths to pulling in sizable sums each quarter. Phishing remains at the epicenter of scams, providing the easiest means to connect cybercriminals with users with their defenses down, willing to participate in the scam.

Here is an infographic that shows traditional crime vs cybercrime, interesting for your users too:

"Events or Disruptive Changes" Create Phishing Opportunities

Major business events are often followed by social engineering attacks. The merger of two Canadian bank-owned co-operatives, Interac Association and Acxsys Corporation, combined two companies that respectively ran an interbank debit card network and e-transfer online services.

After the merger became public knowledge, phishing attacks against targets related to the banks spiked. The attackers hoped to harvest usernames and passwords by claiming they were from the Canada Revenue Agency and requesting confirmation of transactions and “verification” of account information.

Criminals also engaged in a related smishing campaign, sending text messages asking for account information. What makes Interac so appealing to cyber criminals is that compromised debit cards can drain “cash” quickly from the owners’ account. The payoff is immediate.

There’s no need to monetize the hack by, for example, selling account numbers. The merger took place in February and the attacks have continued for months.

RSA’s quarterly fraud report noted that during the 3rd quarter 52% of the 19,000 phishing emails detected worldwide were targeted at Canada. The United States came in second.

Angel Grant, director of RSA’s identity and fraud risk intelligence products, said that not all phishing emails were Interac related. She could not supply a definitive number of victims to the scam, but the fact that the phishing has continued for months indicates that the criminals are probably enjoying some success.

Grant pointed out that anytime there’s an “event or disruptive change,” cyber criminals take advantage of the confusion, excitement, or sense of urgency that follows. The Interac-Acxsys merger offered new and different electronic transfer services and therefore an attractive attack surface.

Regardless of events or disruptive change, employees in any organization should be trained to remain focused and aware of the telltale signs of phishing. But disruptive events, whether they represent good news or bad news, always represent opportunity for social engineering. Train your users. IT World Canada has the story:

CEOs Are Prime Targets for Social Engineering Attacks

CEOs can be the weakest link in an organization’s security posture, according to Mimecast’s Matthew Gardiner. Carole Theriault talked to Gardiner last week on The CyberWire’s Hacking Humans podcast, where they discussed the importance of security awareness at the top levels of a company’s management. Attackers know that if they successfully exploit or impersonate someone who has a high level of access, they instantly gain a top advantage.

“If you're going to impersonate somebody at a company, CEOs are a pretty good choice, maybe the CFO, or there's a couple other people, depending on what you're trying to do. So if you get a, in quote, ‘get an email from the CEO,’ you're much more likely to go, whoa, wait a second, you know? I got to take this seriously. I'm going to act accordingly, you know, quickly, perhaps.

But then, they're also, on the flip side, a point of attack. So if you're an attacker and you can get into the CEO's account or onto their machine, you're into the flow of the most sensitive data or information at a company.”

This type of attack highlights the broader trend of attackers preferring social engineering over technical exploits to gain access to organizations. It’s much more efficient for an attacker to trick someone into letting them in than it is to break in on their own.

“It's actually kind of hard to hack - you know, to literally, technically hack an organization that has some security controls,” explains Gardiner. “It's much easier to send in a request via email and have the user, essentially, invite them in, or do something, you know, in response to, you know, an email that says, please change your wiring instructions for our account, and pretends to be one of your vendors or customers.

There's nothing malicious, necessarily, in it. It's the - purely socially engineered.” To defend against these attacks, Gardiner recommends a combination of technical safeguards and user education to protect every surface of the organization.

“I mean, you want technical controls. You want, you know, awareness training that everyone would take, including the C-level folks. And you want, you know, the classic triumvirate - the business process to be no single point of failure.

But on your point of the CEO, a good CEO would say, I'm like everybody else. I should be beholden to the security controls that everybody else is - and probably even some more - but at least what everybody else is.”

Gardiner believes that, while organizations have made progress over the years, security is a never-ending process that can always be improved upon. “The understanding and awareness is much higher than it's ever been, but it's still complex. And that's, you know, sort of the frustrating part of security.

There is no absolute answer. You just got to improve in all the three areas, you know - the tech, the people and the business processes - and make it all risk-based.” C-suite employees need to understand that they are among the most appealing targets for social engineering attacks. New-school, interactive security awareness training can give employees at every level of your organization an understanding of the type of attacks they are most likely to face.
The CyberWire has the story:

Dutch Audit Finds Microsoft Office Leaks Confidential Data

The diagnostics Microsoft Office collects from users should be a source of concern for any government CISO, according to a DPIA audit.

ComputerWeekly reported: "A report commissioned by the Dutch government has recommended disabling any settings in Microsoft Office 2016 that send data to Microsoft servers. Dutch government users have also been advised to consider alternatives to Microsoft Office.

A Data Protection Impact Assessment (DPIA) conducted by Privacy Company for the Dutch Ministry of Security and Justice has found that Microsoft has been collecting vast amounts of personal data.

“Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook.

“Covertly, without informing people, Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded,” Privacy Company wrote in a blog post covering its findings.

While Microsoft is considered a data processor, the report warned that the way it collects data from users for diagnostics means it should be classified as a joint controller as defined in article 26 of the GDPR.

The DPIA report recommended IT administrators for Dutch government users configure the “zero exhaust” setting in Microsoft Office to prevent sensitive data from being leaked and centrally prohibit the use of Microsoft Connected Services for spell checking and language translation, as well as disabling access to SharePoint Online, OneDrive Online and the web version of Office 365 Live.

It also recommended IT administrators periodically delete the Active Directory account of some VIP users, and create new accounts for them, to ensure Microsoft deletes the historical diagnostic data.

The DPIA also urged government users to consider using a standalone deployment without a Microsoft account for confidential/sensitive data. However, Microsoft has been actively pushing its software as a service (SaaS) product over on-premise Office.

But, as Computer Weekly has previously reported, with Office 2019, government users are seeing a big price hike for the on-premise version compared to the SaaS product, which effectively means government users will have to pay more to keep their sensitive data private. Blog Post with links:

What KnowBe4 Customers Say

Hi Stu, Happy as a horse in an apple orchard. Thanks for reaching out and have a great holiday! Respectfully,
S.B., Senior InfoSec Architect

Stu, thanks for reaching out. I’m definitely a happy camper and would recommend KnowBe4 to anyone. Sari and Christina have done an outstanding job helping us get set up. They are knowledgeable and easy to work with. Thanks!
- L.N., CISSP | Senior IT Manager

PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:

KnowBe4 Wants to Know What Keeps You up at Night!

IT Pros today have lots of security concerns such as ransomware, external attacks, data breaches and compliance mandates. Some issues you have locked down tight, while others are making you crazy!

We want to know what aspects of IT security you have covered, and which ones have you worried sick!

In this fast, 5-minute online survey, we want to hear about what issues are of great concern to you and your organization.

Hurry and take the survey now - be one of the first 500 to take the survey and have a chance to win one of several 500-dollar Amazon gift cards! (or equivalent in your local currency)

The 10 Interesting News Items This Week
    1. The newest target in political cyberattacks... campaign pocketbooks:

    2. Russia wants DNC hack lawsuit thrown out, citing international conventions, Hah!:

    3. Excellent webinar, available on-demand now: "Weaponizing AI: The Future of Cybersecurity":

    4. Should government officials complete basic cyber security training?:

    5. How To Combat Security Stress In The Workplace:

    6. APT29 Re-Emerges After 2 Years with Widespread Espionage Campaign:

    7. Report: Emotet makes phishing lures more convincing by scraping victims' emails:

    8. TrickBot’s Bigger Bag of Tricks:

    9. Motherboard asks itself: "Why Is Antivirus Software Still a Thing?":

    10. High Tail Hall data breach exposes over 400,000 furry fans:

Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.