CyberheistNews Vol 8 #05
Scam Of The Week: "Hey Did You See That Fake AI Porn Movie Of Yourself?"

Heads-up. I am sorry to have to bring up a very distasteful topic, but in the very near future your users will get emails with something close to the ultimate click-bait, luring them to see an AI-generated porn video starring... themselves.

Forget about fake news. It's been all over Reddit for the last month: we are now in the age of fake porn.

It's possible to near-seamlessly stitch anybody's face onto existing porn videos, for example Emma Watson's face on a porn actress's body. Motherboard has a NSFW post covering this.

Now, Photoshop has been around for years, and the idea is not new, but AI has brought it technically to a whole new level, and ethically lower than ever before.

Since December, production of AI-assisted fake porn has “exploded,” Motherboard reports. Thousands of people are doing it, and the results are ever more difficult to spot as fakes.

You don't need expertise with sophisticated AI anymore. A redditor called deepfakeapp released a tool named FakeApp, built so that people without computer science training can use it.

The Porn AI Genie is out of the bottle

So here is how the bad guys are going to use this. Stand up dedicated, high-powered GPU servers running the AI code to mass-generate short fake clips from pictures scraped off social media, host the clips on sites seeded with exploit kits, and send spear phishing emails to high-risk targets like people in HR, Accounting and the C-suite.

The spear phishing attacks are going to have a highly suggestive or embarrassing picture of the target, and the "only thing" they need to do to see it is click on the Play Icon.

A good number of people are going to fall for this social engineering tactic at first. The combination of shock value and the urge to head off a negative consequence can be close to overwhelming, which is exactly the effect the bad guys are trying to create: it manipulates someone into a click.

And in yet another case where tech is ahead of the law and ethics, these videos are actually not even illegal, despite the humiliation they can bring. WIRED has a new post that covers the legal angle.

I suggest you consider sending this email to your employees, friends and family. You want to run this by HR and Legal, and get management buy-in before you send, because of the very controversial nature of this threat. You're welcome to copy/paste/edit:
[IMPORTANT PHISHING WARNING] I am sorry to have to bring up a very distasteful topic, but criminals on the internet are expected to soon come out with a new wave of phishing attacks that are highly inappropriate.

It was always possible to use Photoshop and put anyone's face on a nude body. But now technology has advanced to the point where this is possible with video as well. You can imagine how this can be misused, and fake pornography has exploded on the scene.

Bad guys are going to use this to manipulate innocent people and shock them to click on a video link in a phishing email, trying to prevent possibly very negative consequences if co-workers, friends and family might "find out, or might see".

DON'T FALL FOR IT. If one of these inappropriate phishing emails makes it into your inbox, DO NOT CLICK, and follow the normal IT procedure to report malicious emails like this.
This is also posted at the KnowBe4 blog, and has links to topics mentioned:
https://blog.knowbe4.com/phishing-alert-hey-did-you-see-that-fake-ai-porn-movie-of-yourself

Unfortunately, it's not getting any better on the net. I suggest two things right away.
    1. Identify which three apps in your organization are highest on the "successfully hacked" list due to vulnerabilities and implement a weapons-grade patching process for those apps.

    2. Step your users through new-school security awareness training. They need to be on their toes with security top of mind at all times.
Microsoft Sounds Alarm on "Rapid Cyberattacks"

Microsoft security experts consider Petya and WannaCrypt (Microsoft's name for WannaCry) the bellwethers of a dangerous new category of cyberattack that emerged in force in 2017.

In a blog post Tuesday, Mark Simos, lead cybersecurity architect for the Microsoft Enterprise Cybersecurity Group, wrote the two attacks "reset our expectations" for how bad a cyberattack can be in terms of speed and scope of damage.

Simos called both Petya and WannaCrypt "rapid cyberattacks." Precursors were Nimda (2001) and SQL Slammer, which in 2003 took only about ten minutes to wreak havoc across the globe.

As a definition for this class of attacks, Simos wrote, "Rapid cyberattacks are fast, automated, and disruptive -- setting them apart from the targeted data theft attacks and various commodity attacks, including commodity ransomware, that security programs typically encounter."

Both Petya and WannaCrypt spread through an SMBv1 vulnerability in Windows (fixed by MS17-010 two months before WannaCrypt hit) on machines that had not been patched in time. Focusing on Petya, Simos said that particular rapid cyberattack surprised defenders in four ways:
  1. It initially used a supply-chain app as the infection vector (a trojanized update of the M.E.Doc accounting software widely used in Ukraine)
  2. Petya employed multiple propagation techniques
  3. It moved across networks very quickly
  4. Finally, the lack of an apparent ransom motive made the malware destructive
Simos and Jim Moeller, principal consultant for Cyber Security at Microsoft, address the issues in an on-demand webinar called "Protect Against Rapid Cyberattacks (Petya, WannaCrypt, and similar).":
https://info.microsoft.com/en-us-Resources-ProtectAgainstRapidCyberattacksPetyaWannaCryptandsimilar-OnDemandRegistration.html
New Tax Season, but the Same W-2 Spear Phishing Scam

I suggest you forward this article to your in-house counsel or your lawyers.

The legal site Lexology warned: "With a new tax season approaching, companies should be vigilant in guarding against criminals attempting to obtain sensitive information through a variety of scams.

Last month, the IRS issued an alert warning consumers of an email scam targeting Hotmail users that purported to be a request from the IRS for sensitive information. Although this scam targeted consumers individually, the bigger prize comes from targeting organizations.

According to the IRS, the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increased to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen.

In some cases, the criminals requested both the W-2 information and a wire transfer. Once the scammers obtain copies of W-2s, they can move quickly to file fraudulent tax returns that could mirror the actual income received by employees – making the fraud more difficult to detect."

Step those users through new-school security awareness training. More at Lexology:
https://www.lexology.com/library/detail.aspx?g=1bb0cc84-49f4-4e93-9a53-df29f0ed58bd
Don’t Miss the February Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, February 7, 2018, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • NEW Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting.
  • NEW see our latest feature: Security Roles with granular permissions
  • Customized Automated Security Awareness Program creates a fully mature training program in just a few minutes!
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
Find out how 15,000+ organizations have mobilized their end-users as their last line of defense.

Register Now: https://attendee.gotowebinar.com/register/7440700137917507075?source=CHN
Expose Your Compromised Users for a Chance to Win an XBOX

Did you know that many of the email addresses and full credentials of your organization are exposed on the internet and easy for cybercriminals to find?

With that email attack surface, they can launch social engineering, spear phishing and ransomware attacks on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Email Exposure Check Pro and enter you for a chance to win an awesome XBOX One X at the same time.

The NEW Email Exposure Check Pro (EEC Pro) identifies the at-risk users in your organization by crawling business social media information and hundreds of breach databases.

And the best thing is, there is no charge, and you will get your EEC Pro report in your inbox in just a few minutes.

Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless steel lock-pick business card.

Getting your EEC Pro delivered as a PDF in your inbox is often an eye-opening discovery. Register now!
https://info.knowbe4.com/eecpro-sweepstakes-012018

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Two possibilities exist: Either we are alone in the Universe, or we are not.
Both are equally terrifying." 
- Arthur C Clarke

"It is far better to be alone, than to be in bad company." - George Washington



Thanks for reading CyberheistNews
Security News
Alert: Healthcare Is Actively Targeted with Ransomware Attacks

Healthcare organizations, including the major electronic records provider Allscripts, have recently come under successful ransomware attack. SamSam ransomware has figured prominently in recent attacks, the increased rate of which suggests heightened criminal attention to the healthcare sector.

One of the higher profile victims, Hancock Health, a hospital system in Indiana, paid its attackers $50,000 to get rid of them and it did so despite having what have been characterized as effective backups.

The disruption of a system that requires high availability can make it too much trouble to fight the attackers off, which is apparently what happened at Hancock. Allscripts has been fairly tight-lipped about the nature of its attack, but it had restored its systems by the middle of last week.

How the infection propagated isn't yet known, but healthcare providers should be on the alert: someone's targeting them. Dark Reading has a summary of the incidents:
https://www.darkreading.com/attacks-breaches/ransomware-actors-cut-loose-on-health-care-organizations/d/d-id/1330901
Live Webinar: Making Awareness Stick, Secrets to a Successful Security Awareness Training Program

With 91% of data breaches being the result of human error, security leaders, auditors, and regulators increasingly recognize that a more intentional focus on the human side of security is critical to the protection of organizations. However, organizations have been struggling with and debating the effectiveness of traditional security awareness and training.

Join our guest, Forrester Senior Analyst, Nick Hayes and KnowBe4's Chief Evangelist & Strategy Officer, Perry Carpenter, for this webinar "Making Awareness Stick: Secrets to a Successful Security Awareness Training Program" as they share results-focused strategies and practical insight on how to build a world-class program.

Date / Time: Tuesday, February 20, 2018, at 2:00 PM EST

Register Now:
https://attendee.gotowebinar.com/register/2312075428652262659?source=CHN
Why Traditional Email Security Fails to Detect Credential Phishing Attacks

Excellent post at CSO, explaining the current generation of credential phishing and arguing that only AI-based detection combined with security awareness training can block it:

"Attackers are now impersonating popular web services like Microsoft Outlook, DocuSign, and Google Docs to trick you to freely give up your credentials.

We recently discussed how cybercriminals target mid to low level employees in multi-stage spear phishing campaigns where attackers will impersonate your colleague, partner, or customer via email. The intention is often to steal your credentials in order to successfully commit fraud against you.

Now, we are seeing an extremely large volume of web service impersonation email threats, where attackers cunningly impersonate popular web services such as Microsoft Outlook, Docusign and Google Docs to entice victims into logging into fake websites and ultimately give up their credentials.

Evolving sly cyber fraud tactics

This rise in web service impersonation attacks involves placing a link to a web page that prompts employees to log in; however, they are actually sacrificing their credentials to criminals instead of logging in.

From there, when the unsuspecting victim clicks on the link and is directed to a false sign-in page, they will provide attackers with their usernames and passwords without knowing they have done anything out of the ordinary.

After stealing the credentials, the attackers will typically use them to remotely log into the user’s Office 365 or other email accounts and use this as a launching point for other spear phishing attacks. At this point, it becomes even more difficult to detect attackers at work because they will send additional emails to other employees or external partners, trying to entice those recipients to click on a link or transfer money to a fraudulent account.

Traditional email security fails to detect this attack

Unfortunately, these web services impersonation email attacks are not detected by existing email security solutions for several reasons:
  • The links used are typically zero-day, with a unique link sent to each recipient. They never appear on any security blacklists.
  • In many cases, the links included in messages lead to a legitimate website where the attacker has maliciously inserted a sign-in page, so the domain and IP reputation will appear legitimate.
  • Link protection technologies such as “safe links” will not protect against these links. Since the link just leads to a sign-in page and does not download any malicious viruses, the user will follow the “safe link” and will still enter the user name and password.
Read the full article here:
https://www.csoonline.com/article/3250294/identity-management/cybercriminals-impersonate-outlook-and-docusign-to-steal-your-identity.html
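The three bullets above explain why reputation-based filtering misses these pages: the URL is unique, the host is a legitimate (compromised) site, and nothing is downloaded. What a sign-in page planted on someone else's website cannot hide is where the credentials go. The script below is an added example, not code from the CSO article or from KnowBe4: it parses fetched page HTML, finds forms that contain a password field, and flags a form whose action posts to a different registrable domain than the page itself, or a page that brands itself as Outlook, Office 365, DocuSign or Google Docs while sending credentials somewhere those services do not live. The brand-to-domain watchlist, the two-label "registrable domain" shortcut and both sample pages are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed watchlist for this example: brand words the quoted article says are
# impersonated, mapped to registrable domains that legitimately collect those logins.
BRAND_DOMAINS = {
    "outlook": ("microsoft.com", "microsoftonline.com", "live.com", "office.com"),
    "office 365": ("microsoft.com", "microsoftonline.com", "office.com"),
    "docusign": ("docusign.com",),
    "google docs": ("google.com",),
}


class LoginFormParser(HTMLParser):
    """Collect every <form>'s action URL, whether it holds a password field,
    and the page's text content (used for brand-word matching)."""

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str, "has_password": bool}, ...]
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if attrs.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def registrable_domain(host):
    """Last two labels of a hostname. Adequate for the .com/.net hosts in this
    example; a production check would consult the Public Suffix List instead."""
    return ".".join(host.lower().split(".")[-2:])


def assess_login_page(page_url, page_html):
    """Return findings for a page's HTML. An empty list means no red flags."""
    parser = LoginFormParser()
    parser.feed(page_html)
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    visible = " ".join(parser.text).lower()
    claimed_brands = [b for b in BRAND_DOMAINS if b in visible]

    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Relative or empty actions resolve against the page URL, as a browser would.
        action_host = urlsplit(urljoin(page_url, form["action"])).hostname or ""
        action_domain = registrable_domain(action_host)
        if action_domain != page_domain:
            findings.append(f"password form posts off-site to {action_host}")
        for brand in claimed_brands:
            if action_domain not in BRAND_DOMAINS[brand]:
                findings.append(f"page poses as {brand} but sends credentials to {action_host}")
    return findings


# Constructed samples: a sign-in page planted on a compromised small-business site,
# and a legitimate Microsoft sign-in page for comparison.
PHISH_URL = "https://www.example-plumbing.com/wp-content/uploads/2018/01/owa/index.html"
PHISH_HTML = """<html><body><h1>Outlook Web App</h1>
<p>Your session expired. Sign in to view the shared document.</p>
<form method="post" action="https://cdn-static.example.net/post.php">
<input type="email" name="login"><input type="password" name="passwd">
<input type="submit" value="Sign in"></form></body></html>"""

LEGIT_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
LEGIT_HTML = """<html><body><h1>Sign in to Outlook</h1>
<form method="post" action="/common/login">
<input type="email" name="login"><input type="password" name="passwd"></form></body></html>"""

if __name__ == "__main__":
    for url, doc in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        print(url, "->", assess_login_page(url, doc) or "no findings")
```

Run against the HTML a URL-detonation sandbox retrieves, this catches the "injected sign-in page" pattern regardless of how clean the hosting domain's reputation looks. It is a heuristic, not a filter: a phishing kit that posts credentials to a script on the same compromised site only trips the brand check, so the brand watchlist matters as much as the off-site test.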
New Phishing Scam Combines FedEx and Google Drive to Lure Victims

Several universities and more than 20 companies have been hit with malware whose creators are using several layers of subterfuge to camouflage their phishing attack by taking advantage of a few trusted brand names.

The new scam was uncovered by Comodo and eventually leads to an info stealer malware being installed. So far it has hit five universities and 23 companies.

An attack begins with an email disguised as a FedEx email saying a package could not be delivered and asks the recipient/victim to click on a link and then print out a mailing label that can be brought to a local FedEx office enabling the package to be picked up.

The next layer of obfuscation is in the link provided. The link appears to lead to a Google Drive account and even includes HTTPS and the word secure. Once the URL is clicked a malicious file labeled Lebalcopy.exe is downloaded.

As Comodo's researchers put it: “Actually, how can anyone know not to trust something with ‘google.com’ in the address bar? But… the reality stings. For many, it's hard to believe, but skilled cybercriminals use drive.google.com for placing their phishing malware.”

Even though on the surface the attack is hard to spot, there are indicators.
  • the presence of .exe file in %temp% folder
  • the presence of tmp.exe file in %temp% folder
  • the presence of WinNtBackend-2955724792077800.tmp.exe file in %temp% folder
Once installed and active, the info stealer harvests private data from the victim's browser, including cookies and credentials, and looks for information in the person's email and instant-messaging apps. It also takes credentials for any FTP sites the user has and looks for cryptocurrency wallets. Source:
https://www.scmagazine.com/new-phishing-scam-combines-fedex-and-google-drive-to-lure-victims/article/739575/
New Open Source Ransomware Strain

The open source ransomware project desuCrypt has spawned a new strain of ransomware with two variants known by their extensions, [dot]insane and [dot]DEUSCRYPT.

Both variants are being actively distributed in the wild, and phishing is the typical distribution vector. In this case there's a very good reason not to pay the ransom the criminals demand: a decryptor has been developed by a white hat that will do the job for both variants.

It's better, of course, not to succumb to the infection in the first place, but if some of your employees have, you should be able to help them recover.

Bleeping Computer has the story, along with an account of where you can obtain the decryptors should you need them:
https://www.bleepingcomputer.com/news/security/desucrypt-ransomware-in-the-wild-with-deuscrypt-and-decryptable-insane-variants/
Similar URLs, Different Alphabets

You've probably trained your employees about the importance of looking at the links they receive before they click them, if click they must. The URL should match what you expect to see when you mouse over it, for example.

There is, however, a way the partially wary can still be tripped up. Homograph URLs, that is, URLs that look very much like the legitimate ones they spoof, are being observed in the wild.

Farsight Security has reported how Internationalized Domain Names (IDNs) can use characters from, say, the Greek or Cyrillic alphabets to craft domains that impersonate URLs spelled in the more familiar Latin letters.

Spoofed sites make for more persuasive phishing. Thus a Cyrillic soft sign "ь" for example, which looks at a glance like a sans-serif lower-case "b," can be used to spell "faceьook," which might fool the casual eyes of users normally alert to the urls they follow.

Other examples are easy to come up with. Companies whose sites have been impersonated in this way include Apple, Adobe, Amazon, Bank of America, Cisco, Coinbase, Credit Suisse, eBay, Bittrex, Google, Microsoft, Netflix, New York Times, Twitter, Walmart, Yahoo, Wikipedia, YouTube, and Yandex.

There are a few things you can do to protect your organization, like educating people to the risks of communications that ask you to "log in" and "verify your information."

Any organization that interacts with a lot of people online is liable to be targeted by homographic impersonators. One thing you might consider to protect your customers is a bit of prevention: consider registering domains that are homographs of yours.

The most common source of homographs is the Cyrillic alphabet, but don't neglect special characters found in many of the languages that use the basic Roman alphabet, either. Silicon has the story here:
http://www.silicon.co.uk/security/study-finds-top-sites-impersonated-international-characters-227423
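Two details matter for anyone checking links or watching new domain registrations for the homographs described above. First, a browser or resolver never sees "faceьook"; it sees the punycode A-label (xn--...), so a checker has to decode that form. Second, whether the address bar shows the lookalike or the xn-- form depends on browser policy, and a label built entirely from one confusable script (Cyrillic "аррӏе") is harder to flag than a mixed-script one, because a mixed-script test alone says nothing about it. The script below is an added example, not from Farsight, Silicon or KnowBe4: it decodes xn-- labels, reports labels that mix scripts, and reduces each label to a Latin "skeleton" so that a lookalike collides with the brand it imitates. The confusables table is a small constructed subset of what Unicode TR39 publishes, and the protected-name list is constructed too.

```python
import unicodedata

# Constructed, deliberately small confusables table: a handful of Cyrillic and
# Greek letters mapped to the Latin letter they resemble. Unicode TR39 publishes
# the full list; this subset is only what the example needs.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u044c": "b",  # CYRILLIC SMALL LETTER SOFT SIGN (the "faceьook" case above)
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}

# Constructed watchlist: the second-level names you want to protect.
PROTECTED = {"facebook", "apple", "google", "paypal", "microsoft"}


def to_unicode_label(label):
    """Decode a punycode A-label (xn--...) to its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed or non-round-tripping label: keep it as seen
    return label


def to_ascii_label(label):
    """Encode a Unicode label the way browsers and resolvers send it (xn-- form)."""
    return label.encode("idna").decode("ascii")


def scripts_used(label):
    """Set of scripts among the letters of a label, taken from Unicode character names."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue
        if ch.isascii():
            found.add("Latin")
        else:
            name = unicodedata.name(ch, "")
            found.add(name.split(" ")[0].title() if name else "Unknown")
    return found


def skeleton(label):
    """Replace each known lookalike with its Latin twin so lookalikes collide."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def check_host(host):
    """Return findings for a hostname given in either Unicode or xn-- form."""
    findings = []
    for raw in host.lower().split("."):
        label = to_unicode_label(raw)
        used = scripts_used(label)
        if len(used) > 1:
            findings.append(f"{label}: mixes scripts {sorted(used)}")
        twin = skeleton(label)
        if twin != label and twin in PROTECTED:
            findings.append(f"{label}: looks like {twin}")
    return findings


if __name__ == "__main__":
    samples = (
        "faceьook.com",                           # mixed Latin/Cyrillic, from the text above
        "\u0430\u0440\u0440\u04cf\u0435.com",     # аррӏе.com, all Cyrillic
        to_ascii_label("faceьook") + ".com",      # the same name as a resolver sees it
        "apple.com",
    )
    for h in samples:
        print(h, "->", check_host(h) or "clean")
```

The skeleton comparison is also the practical way to act on the "register your own homographs" advice: generate the skeleton-equivalent spellings of your brand from the table, check which are registrable, and feed the rest to whatever watches newly registered domains for you.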
Spritecoin Is No Coin at All

The current gold-rush atmosphere surrounding everything to do with cryptocurrency has been a good one for scammers. One fraud making the rounds lands a flurry of punches on its victims. It begins with a come-on to install a wallet for "Spritecoin," a new cryptocurrency.

If you bite on its offer to "install the blockchain," the Spritecoin site will, as it pretends to download the wallet, exfiltrate login credentials from your Chrome and Firefox credential stores (left hook), then encrypt your files (right cross) and demand 0.3 Monero for a decryption key.

If you pay the ransom, you're down for the count, because the decryption key also installs a malware payload that gives the attacker persistence on your device. What they do with that persistence isn't fully understood, but at the very least, say the Fortinet researchers who are studying Spritecoin, "it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before."

Another good reason not to pay the ransom, but an even better reason not to click in the first place. See Help Net Security for more on the Spritecoin scam:
https://www.helpnetsecurity.com/2018/01/23/fake-cryptocurrency-wallet-carries-ransomware/
Holiday Phishing

If it seems too good to be true, it probably is. You can anticipate trends in phishing and social engineering by looking at the calendar. Akamai took a look at phishing during the Christmas season and saw a spike in the use of holiday bonus and gift news as phishbait.

Over six weeks they tracked thirty distinct domains with the prefix "holidaybonus." All of them hawked a chance to win some expensive prize that would appeal to technophiles: an iPhone 8, a PlayStation 4, a Galaxy S8, and so on.

This was, of course, phishing, rendered more plausible by its timing. Christmas and New Year's Day have come and gone, but another big phishing season will open soon, and by that we mean Valentine's Day. The lovelorn will be particularly vulnerable.

So will procrastinators in relationships. A timely reminder of the dangers of phishing would help your people get through St. Valentine's Day without being the victims of a virtual massacre. KnowBe4 has a wealth of simulated phishing templates you can use to inoculate your users.

See Akamai's blog for an account of what they observed during Christmas:
https://blogs.akamai.com/2018/01/gone-phishing-for-the-holidays.html
M&A Social Engineering

Excellent ammo you can send to your C-level execs if they are planning to acquire a competitor or are looking at an exit strategy down the line.

Small and mid-sized businesses undergoing a merger or an acquisition are prime targets for phishing, spear phishing, and other social engineering approaches.

An M&A period of due diligence is a particularly sensitive time. Not only will employees face heightened risk of social engineering by unscrupulous parties interested in obtaining information about the coming transaction, but a business's resistance to social engineering is itself a matter of due diligence.

The parties to a merger or acquisition are now devoting considerable attention to the resilience of the company they're considering.

They expect a well-thought-out security program, one that of course includes appropriate technical security measures, but also the other indispensable ways of mitigating risk. An effective program for training and educating employees to avoid falling for social engineering is something investors and acquiring companies are looking for. The Middle Market has some thoughts on the matter:
https://www.themiddlemarket.com/opinion/understanding-risk-management-and-cyber-insurance-risks-of-target-companies
Interesting News Items This Week

MoneroPay Malware Pretends to Be a Cryptocurrency Wallet:
https://www.hackread.com/moneropay-virus-pretends-cryptocurrency-wallet/

Hackers steal almost $400M from cryptocurrency ICOs:
http://www.zdnet.com/article/hackers-steal-almost-400-million-from-cryptocurrency-icos/

British teenager hacked top ranking US officials using social engineering:
https://www.helpnetsecurity.com/2018/01/22/hack-social-engineering/

Just Keep Swimming: How to Avoid Phishing on Social Media:
https://securityboulevard.com/2018/01/just-keep-swimming-how-to-avoid-phishing-on-social-media/

GDPR coming in 4 months, but only 38% of UK businesses are aware of it:
https://www.techrepublic.com/article/gdpr-coming-in-4-months-but-only-38-of-uk-businesses-are-aware-of-it/#ftag=RSS56d97e7

Cyber Attacks Push Corporate Fraud To All-Time High:
http://www.informationsecuritybuzz.com/expert-comments/cyber-attacks-push-corporate-fraud-time-high/

5 Clever Phishing Scams Trying to Steal Your Personal Information:
https://tech.co/clever-phishing-scams-steal-information-2018-01

Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs:
https://thehackernews.com/2018/01/dns-rebinding-attack-hacking.html

Allscripts hit with a class-action lawsuit one week after ransomware attack:
https://www.fiercehealthcare.com/ehr/allscripts-ransomware-lawsuit-surfside-non-surgical-orthopedics-cybersecurity

Ransomware Detections Up 90% for Businesses in 2017:
https://www.darkreading.com/endpoint/ransomware-detections-up-90--for-businesses-in-2017/d/d-id/1330909

The story of Maersk's battle with and recovery from NotPetya: reinstalling 45K PCs and 4K servers:
https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/

Report: Number of cyber incidents doubled in 2017, yet 93 percent could easily have been prevented:
https://www.scmagazine.com/report-number-of-cyber-incidents-doubled-in-2017-yet-93-percent-could-easily-have-been-prevented/article/739932/

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Tesla Semi caught cruisin' California. It's just a short video, but it's a pretty solid look at Tesla's forthcoming electric semi:
      https://youtu.be/kCH9GU-SAY0

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.


