CyberheistNews Vol 8 #8 Scam of the Week: Lowlife Scum Exploits Recent Florida Parkland School Shooting


Just when you think they cannot sink any lower, criminal internet scum are now exploiting the Parkland tragedy in Florida. Unfortunately, I have had to warn about these lowlifes from this spot before, after earlier, similar incidents.

You need to remind your employees, friends and family... again.

Phishers are—and are going to be—sending scams your way, varying from blood drives to pleas for charitable contributions for victims and their families. Additional attack vectors are tweets from political propaganda bots and Russia-linked Twitter accounts about gun control.

Unfortunately, this type of scam is the worst kind of phishbait, and it is a very good idea to inoculate people before they get suckered into falling for a scam like this. I suggest you send the following short alert to as many people as you can, and you're welcome to copy/paste/edit to make this fit for your organization.

[ALERT] "Lowlife internet scum are trying to benefit from the Florida Parkland school shootings. They are now sending out phishing campaigns with topics and hashtags like Parkland, guncontrolnow, Florida, guncontrol, and Nikolas Cruz that try to trick you into clicking on a variety of links about blood drives, charitable donations, "inside" information or "exclusive" videos. Don't let them shock you into clicking on anything, or open possibly dangerous attachments you did not ask for!

Be very suspicious of anything you receive about the Parkland shooting. With this topic, think three times before you click or tap your phone. It is very possible that it is a scam, even though it might look legit or was forwarded to you by a friend -- be especially careful when it seems to come from someone you know through email, a text or social media postings, because their account may be hacked.

In case you want to donate to charity, go to your usual charity by typing their name in the address bar of your browser and do not click on a link in any email. Remember, these precautions are just as important at the house as in the office, and tell your family."

It is unfortunate that we continue to have to warn against the bad guys on the internet who use these tragedies for their own benefit. For KnowBe4 customers, we have two new phishing security test templates related to this topic in the Current Events category, and I strongly suggest you send one or two this week:
  • A friend has asked you to donate blood - find your nearest blood drive/blood center
  • Donations for Families of Parkland Shooting Victims - internal HR style email
Let's stay safe out there.
New Multi-Stage Word Phishing Attack Infects Users Without Using Macros

Spam distributors are using a new technique to infect users with malware, and while this phishing attack relies on having users open Word documents, it does not involve social engineering users to enable macro scripts.

This new macro-less technique is currently under active exploitation, being detected by Trustwave SpiderLabs researchers in an ongoing malware campaign.

The actual exploitation chain is detailed below and relies on a long chain of file types and tools: DOCX, RTF, HTA, VBScript, and PowerShell.
  • A victim receives a spam email with a DOCX file attachment.
  • Victim downloads and opens the DOCX file.
  • DOCX file contains an embedded OLE object.
  • OLE object downloads and opens an RTF (disguised as a DOC) file.
  • DOC file uses CVE-2017-11882 Office Equation Editor vulnerability.
  • Exploit code runs an MSHTA command line.
  • MSHTA command line downloads and runs an HTA file.
  • HTA file contains a VBScript that unpacks a PowerShell script.
  • PowerShell script downloads and installs the password stealer.
  • Malware steals passwords from browsers, email and FTP clients.
  • Malware uploads data to a remote server.
Patch your systems religiously and train those users within an inch of their lives. More technical details of this attack at bleepingcomputer:
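The chain above leaves a process lineage that is easy to spot even when the payload itself changes. The following is an added example of a detection over process-creation telemetry (Sysmon Event ID 1 or EDR data flattened into pid/ppid/image records); it is not code from the newsletter, Trustwave or BleepingComputer, and the sample events are constructed. It assumes EQNEDT32.EXE, the Equation Editor binary affected by CVE-2017-11882, as the process that launches MSHTA.

```python
# Added example: process-tree detection for the macro-less Word infection
# chain (not code from the newsletter or Trustwave). Input is assumed to be
# process-creation telemetry (Sysmon Event ID 1 or EDR) as (pid, ppid, image).
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable file name as logged

# Parent -> child pairs with no normal business reason on a workstation.
# EQNEDT32.EXE (Equation Editor, CVE-2017-11882) is a COM server started out
# of process, typically under a svchost.exe DCOM host, so its parent is NOT
# reliably winword.exe. The rule therefore anchors on what it spawns: the
# MSHTA stage and the PowerShell stage the HTA's VBScript unpacks.
SUSPICIOUS_EDGES = {
    ("eqnedt32.exe", "mshta.exe"),
    ("mshta.exe", "powershell.exe"),
}

def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Lower-cased image names from the oldest known ancestor down to pid."""
    chain: List[str] = []
    seen = set()
    ev: Optional[ProcEvent] = by_pid.get(pid)
    while ev is not None and ev.pid not in seen:  # guard against pid-reuse loops
        seen.add(ev.pid)
        chain.append(ev.image.lower())
        ev = by_pid.get(ev.ppid)
    return chain[::-1]

def suspicious_edges(chain: List[str]) -> int:
    """Count consecutive parent->child pairs in the lineage that match."""
    return sum((p, c) in SUSPICIOUS_EDGES for p, c in zip(chain, chain[1:]))

def find_chains(events: List[ProcEvent], min_edges: int = 2) -> List[List[str]]:
    """Lineages hitting at least min_edges suspicious pairs. Two edges is the
    full eqnedt32 -> mshta -> powershell sequence and merits an alert; one
    edge is a lower-confidence hunting lead."""
    by_pid = {e.pid: e for e in events}
    chains = (ancestry(by_pid, e.pid) for e in events)
    return [c for c in chains if suspicious_edges(c) >= min_edges]

# Constructed telemetry: one infection chain plus ordinary Word and shell use.
SAMPLE_EVENTS = [
    ProcEvent(900, 4, "explorer.exe"),
    ProcEvent(700, 4, "svchost.exe"),          # DcomLaunch host
    ProcEvent(1200, 900, "WINWORD.EXE"),       # user opens the DOCX
    ProcEvent(1300, 700, "EQNEDT32.EXE"),      # OLE object -> Equation Editor
    ProcEvent(1400, 1300, "mshta.exe"),        # exploit runs MSHTA
    ProcEvent(1500, 1400, "powershell.exe"),   # HTA unpacks PowerShell
    ProcEvent(1600, 900, "powershell.exe"),    # admin opening a shell
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_EVENTS):
        print("ALERT:", " -> ".join(chain))
```

Dropping `min_edges` to 1 surfaces the lone eqnedt32 -> mshta hop as well, which catches variants that swap PowerShell for another second stage at the cost of more review.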
Forrester Live Webinar: Making Awareness Stick: Secrets to a Successful Security Awareness Training Program

With 91% of data breaches being the result of human error, security leaders, auditors, and regulators increasingly recognize that a more intentional focus on the human side of security is critical to the protection of organizations.

However, organizations have been struggling with and debating the effectiveness of traditional security awareness and training.

Join our guest, Forrester Senior Analyst, Nick Hayes, and KnowBe4's Chief Evangelist & Strategy Officer, Perry Carpenter, for this webinar "Making Awareness Stick: Secrets to a Successful Security Awareness Training Program" as they share results-focused strategies and practical insight on how to build a world-class program.

Key topics covered in this webinar:
  • Why awareness and training matters
  • Key data points to help make the case for awareness in your organization
  • Five secrets to making awareness work in 2018
  • Open Q&A with Nick and Perry
Make this the year that you refuse to settle for mediocrity. Are you ready to go all-in?

Date/Time: Tuesday, February 20th at 2:00 pm EST. Register Now:
Security Awareness Training Top Priority for CISOs: Report [PDF]

SecurityWeek's Kevin Townsend wrote an excellent summary of the brand-new FS-ISAC "CISO Cybersecurity Trends Study":

"Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its planned annual CISO Cybersecurity Trends Study. ISACs are non-profit organizations, usually relevant to individual critical infrastructure sectors, designed to share threat information among their members and with relevant government agencies. They were born from Bill Clinton's 1998 Presidential Decision Directive PDD 63.

The FS-ISAC's 2018 Cybersecurity Trends Report notes a distinction in priorities based on the individual organization's reporting structure. Where CISOs report into a technical structure, such as the CIO, the priority is for infrastructure upgrades, network defense and breach prevention.

Where they report into a non-technical function, such as the COO or Legal, the priority is for staff training.

This could be as simple as CISOs prioritizing areas for which they are most likely to get funding. However, that staff training is considered the overall priority does not surprise Dr. Bret Fund, founder and CEO at SecureSet.

"I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components," he suggests. "Executives and Boards cannot underestimate the need for a robust security culture inside their organizations; and the way that you achieve that is through proper education and training."

Continued on the KnowBe4 blog, with links to the PDF download:

In a similar vein, Jon Oltsik asked what is on CISOs' minds in 2018.

He said: "I’ve just begun a research project on CISO priorities in 2018. What I’m finding so far is that CISOs are increasing their focus in several areas including the following:"
  1. Business risk.
  2. The cyber supply chain.
  3. Cyber-adversaries.
  4. Data security.
  5. Security awareness training.
This is nothing new, but security awareness training was often treated as a checkbox exercise in the past. Rather than simply meeting corporate governance goals, CISOs are now trying to create cybersecurity education programs that deliver measurable results.

Full article:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Live as if you were to die tomorrow. Learn as if you were to live forever." - Mahatma Gandhi

"The wisest mind has something yet to learn." - George Santayana, Philosopher (1863 - 1952)

Thanks for reading CyberheistNews
Security News
Zombie Valentine

Last week the Necurs botnet showed a big spike in romance scam spam. The scam is directed mostly against men. Emails arrive from what appear to be potential Russian mail-order brides who tell the recipient that they find him "cute," or make other observations to that effect. They ask the recipient to reply to an email address different from the one they've used to send the phishing message.

Sometimes they'll refer the mark to their Facebook page, or their profile on Badoo, a large Russian dating site. Unfortunately, Veronika, Rita, and Irina are catphish. They're fictitious identities created for the purpose of deception.

IBM's X-Force says that the emails are better written and more plausible than spam usually is, but that most recipients should be able to recognize them as scams. However, quantity has a quality all its own: X-Force says Necurs has been sending more than thirty million emails a day.

If only a fraction of the marks take the bait, the criminals can turn a nice profit. There are several ways the scammers can monetize their victims. They may induce them to send compromising, intimate photos, which they then use to blackmail the victim. They may attempt credential harvesting. In some cases they will direct them to a link that installs malware for future use.

And of course romance scams often use some advance fee fraud, where the victims are asked to pay money for, in cases like this, travel or living expenses. Awareness-trained users recognized the red flags. Train your employees to see it too. See Threatpost's account of how the romance scam worked:
Trends in Identity Spoofing and Email Attacks

Spam is a mass threat. Spoofing is much lower volume. Its targeted and tailored nature makes it more plausible, and it can enjoy a higher success rate than mass spam.

Proofpoint studied email attacks in 2017 and found on the average thirteen people within any given organization were targeted. As is always the case with social engineering, the attackers play upon emotions that render us vulnerable.

Those emotions can be negative, like fear or anxiety, or positive, like trust and confidence. The most common goal of email attacks was wire transfer fraud, also known as business email compromise.

One in three of the fraudulent messages studied contained "payment" in the subject line. Seasonal variations are predictable: in the first quarter of the year there was an observed spike in "W2" usage as tax season opened. The tone of the emails varied with the persona being spoofed and its presumed relationship to the intended victim.

The voice might be commanding, demanding immediate action in an authoritative tone. Or it might be conversational, engaging the victim in a dialog to develop trust. Some scammers even built up a false email thread to lend more realism to their approach. Technical solutions like DMARC (Domain-based Message Authentication, Reporting and Conformance) help, but they're only partial solutions.

The criminals adapt: sound policies backed with effective training and awareness of the threat will provide better protection than technical defenses. See Proofpoint's study here:
Try the Weak Password Test for a Chance to Win a Nintendo Switch

Are your users' passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords.

Employees are the weakest link in your network security. KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak-password-related threats and reports any fails so that you can take action.

Plus you’ll be entered to win a Nintendo Switch! Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless steel lock-pick business card!

This will take you 5 minutes and may give you some insights you never expected!
New Research: Number of Microsoft Vulnerabilities Continues to Go up over the Years

The number of Microsoft vulnerabilities has more than doubled in the last five years, according to the fifth annual Microsoft Vulnerabilities Report from Avecto.

The global security software company’s analysis of all disclosed Microsoft vulnerabilities in 2017 revealed 685 vulnerabilities, showing a significant increase compared to the number disclosed in 2013 (325).

Despite being widely regarded as the most secure Windows operating system, the number of "critical" vulnerabilities in Windows 10 rose by 64% in 2017 compared to the previous year.

In total, 587 vulnerabilities were reported across Windows Vista, Windows 7, Windows 8.1/RT 8.1 and Windows 10 operating systems in 2017. This is a record high – increasing by 132% over a five-year period.

Does removing Admin Rights help?

It was found that the removal of admin rights could mitigate 80% of all Critical Microsoft vulnerabilities reported in 2017, as well as 95% of Critical vulnerabilities found in Microsoft browsers and 60% of Critical vulnerabilities in Microsoft Office products (Excel, Word, PowerPoint, Visio, Publisher and others.)

“One hundred percent security cannot be guaranteed in the cyber world,” said Dr. Eric Cole, instructor at The SANS Institute. “No matter how many safeguards you put in place, there will always be some risk. Prevention techniques like application whitelisting, removing admin access and adopting the principles of least privilege go a long way toward protecting individual users’ machines and reducing inroads to the network while not severely restricting user functionality.”

The Upshot: Five-year analysis of Windows vulnerabilities

The most significant trends include:
  • The number of reported vulnerabilities has risen 111% since 2013.
  • Number of Critical vulnerabilities has risen 60% in the same period.
  • There has been an 89% increase in Microsoft Office vulnerabilities and a 98% increase in Microsoft browser vulnerabilities (though this is in part due to the inclusion of Microsoft Edge from 2016 onwards.)
  • Since the 2013 report, 2017 shows the largest year-on-year increase of vulnerabilities by volume, with 451 vulnerabilities reported in 2016 compared to 685 in 2017.
“Despite the continued rise in vulnerabilities impacting Microsoft software, there are actions that enterprises can take to ensure that they’re protected without sacrificing productivity,” said Mark Austin, co-founder and CEO of Avecto. “The challenges organizations face to improve security have not changed, yet many are still unaware that by simply removing admin rights, the risk of so many threats can be mitigated.”

A significant number of phishing attacks use unpatched vulnerabilities.

The best examples are recent attacks like WannaCry, which used a newly patched Microsoft hole, and now cryptojacking (also known as cryptomining) campaigns that send phishing attacks to end users.

Do your users know what to do when they receive a suspicious email?

Should they call the help desk, or forward it? Should they forward it to IT with all the headers? Delete it and not report it, forfeiting a possible early warning?

KnowBe4’s Phish Alert button now also works for Gmail users with G Suite using Chrome. This gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click.

Best of all, there is no charge!
  • Reinforces your organization's security culture
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
  • Supports: Outlook 2007, 2010, 2013, 2016 & Outlook for Office 365, Exchange 2013 & 2016, Chrome 54 and later (Linux, OS X and Windows)
This is a great way to better manage the problem of social engineering. Compliments of KnowBe4! Here is a link you can cut and paste into your browser:

Some silver lining: Microsoft rolls out no-charge Windows analytics update to aid Meltdown & Spectre patching:
Fileless Malware: Not Just a Threat, but a Super-Threat

Exploits are getting more sophisticated by the day, and cybersecurity technology just isn't keeping up.

It's almost like something out of Star Trek. Imagine an alien who can see you, but whom you can't see — one who has violence on his/her/its mind. A punch coming from out of nowhere; a vase flung at your head with no one seemingly throwing it; a punch to the gut, then a karate chop to the neck, maybe a blast from an (also invisible) ray gun, and you're down for the count.

How would you fight it? How could you fight it?

Let's take a closer look at fileless malware. How would an IT team fight it? One of the pieces of the puzzle is new-school security awareness training for your users. Continue this story at DarkReading:
[NEW] Download the Revised Ransomware Hostage Rescue Manual

What You Need to Know to Prepare and Recover from a Ransomware Attack

This manual is packed with actionable info that you need to prevent infections, and what to do when you are hit with ransomware. You will also receive a Ransomware Attack Response Checklist and Ransomware Prevention Checklist. You will learn more about:
  • What is Ransomware?
  • Am I Infected?
  • I’m Infected, Now What?
  • Protecting Yourself in the Future
  • Resources
Don’t be taken hostage by ransomware. Download your 20-page rescue manual now! (PDF).
No Free Sneakers for You

Adidas is not celebrating its 93rd birthday by giving away 3000 pairs of free, high-end athletic shoes. Sneakers are being dangled as phishbait. It's an identity phishing scam circulating on WhatsApp. The fraudsters ask for shipping information that includes the mark's full name and address. Adidas wants everyone to know it's a hoax: they have nothing to do with it. Online as on the street, if it seems too good to be true, it probably is. See an account at Trusted Reviews:
Small City Spoofing

The City Treasurer of Holyoke, Massachusetts, fell victim last year to a spoofed email. Her experience, which the city has now discussed publicly, shows the importance of developing sound policies against social engineering and training employees to follow them.

The Treasurer received an email that appeared to come from the director of a city department. The message was, "I know you’re very busy. Could you do me a favor and wire this money? Send me the confirmation, I need to have it in today." She'd received similar emails from directors' phones before, and she complied, transferring the requested $9,997 to the account specified.

It was a scam. A crook had spoofed the email address belonging to the director with one very similar. Holyoke is working on tracking the criminal and getting restitution. Western Mass News has the cautionary tale:
Know the Phishing by the Season

According to researchers at IBM, Necurs is thought to control about six million zombie bots. Its spam is seasonal and adaptable. It's been used to run pump-and-dump stock scams where penny stocks are flogged as a great investment opportunity.

The scammer dumps their shares when enough gullible people invest to drive the stock up. During the recent cryptocurrency bubble, Necurs went after naive speculators in alternative currencies. There will be similarly themed scams keyed to holidays, seasons, and news events. It's important to note that the botnet's masters tune and adapt it to avoid technical screens.

Your best defense is a community of users trained and educated to spit the hook when they're being phished. Cautionary examples tuned to the season can help raise awareness. IBM's Security Intelligence blog has a good account of what Necurs has been up to:
What Our Customers Are Saying About Us

"Good morning Stu, I just want to acknowledge the outstanding support that I’ve received from your support team, in particular Nicole and Arsenio.

We’ve hit a number of challenges in our implementation (mainly on our side) and Nicole and Arsenio in particular have been outstanding in their response, communication and doggedness in ensuring that every problem is resolved as quickly as possible. It is one of the reasons why I rated KnowBe4 so highly in the recent Gartner survey that I completed. Great product, great team and outstanding support – thank you! - B.C. Senior Manager, IT & Business Systems

PS: check out how our customers rate us at Gartner's Peer Insights site compared to the other players in this field:
Interesting News Items This Week

Ransomware – A Reminder for Healthcare Providers to Lock Down Their Environments:

The GDPR Clock Is Running Out. Now What?:

SpaceX's satellite broadband plan gets boost from FCC's Ajit Pai:

Hygienist Steals Patients, Leaves Dentist with Huge Legal Bills:

Exhaustive list of 2017 Phishing:

Russian actors mentioned as possibly launching Olympics cyber-attack:

Attribution Games: Don't Rush to Blame:

Equifax accused of not disclosing the full extent of last year's data breach:

Never Mind Malware – Social Engineering Will Be Your Biggest Threat This Year:

Love letters from a Black Hat to all the fools on the Internet:

Russia Sees Midterm Elections as Chance to Sow Fresh Discord, Intelligence Chiefs Warn:

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • We decided to revisit an experiment we did back in 2000 when we dropped 50lbs of Silly Putty off our garage to see if it would bounce. We decided to up the ante and see if we dropped 100lbs of Silly Putty this time and find out if it would bounce if we launched it onto a car:

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.