CyberheistNews Vol 9 #11 RSA Roundup & The Ins and Outs of Impersonation...and Kidnapping

RSA 2019 has wrapped up. I was there this time around, and here are a few observations on the conference. At the moment it's clear that security is increasingly focused on the cloud and on the application layer. And, of course, one of the enduring themes is the high importance of very thorough defense-in-depth.

Listening to senior US Government participants at RSA, it's clear that the US has come to view China, and not Russia, as the nation's most serious rival in cyberspace. The Chinese play the long game. Keep in mind that for 18 of the last 20 centuries, China was the world's biggest economy. They remember this very well and act on it. From their perspective, the current situation, in which the West is the dominant player, is just a temporary setback.

The Chinese are stealing intellectual property left, right and center. This is costing us hundreds of billions of dollars in the short term, and literally trillions in the long run. Their "digital armies" are trained to get into your network and exfiltrate the corporate jewels, often using spear phishing to get into an employee workstation as their first foothold.

KnowBe4 was at RSA 2019 this year with two booths, in both the North and South Hall. The show was humongous as usual and a torrent of news was released. I was there and it was a challenge to filter out items related to social engineering. Here's my best effort. It starts with an interview where DarkReading asked me about social engineering and the most sophisticated techniques the bad guys currently use. Here is 13 minutes with yours truly:

Want to read a good book about the risk that China poses? I just finished "Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World". It was written by Joel Brenner, who entered the inner sanctum of American espionage just after 9/11, first as inspector general of the National Security Agency and then as head of counterintelligence for the Director of National Intelligence:
Ins and Outs of Impersonation...and Kidnapping

Impersonation attacks and business email compromise (aka CEO fraud) can lead to far more dangerous consequences than monetary losses, according to Matt Devost from OODA LLC. Devost appeared on the CyberWire’s Hacking Humans Podcast last week, where he described the attacks he’s seen involving cybercriminals with fraudulent personas.

Devost described one case in which an attacker impersonated a broker and an investor to target a successful entrepreneur who was looking for funding for a new startup. Under the guise of the broker, the attacker introduced the target to the supposed investor. Now posing as the investor, the attacker conversed with the target about the company, and eventually asked the entrepreneur to fly to South America so they could meet.

“That individual is very, very close to buying a ticket and kind of hand-delivering themselves down to South America,” Devost said. “Keep in mind they're already a successful business person, so a nice, lucrative target from a kidnapping perspective.”

Fortunately, the entrepreneur had a “gut intuition” that made them pause, and they decided to contact the broker through an alternative channel. The broker turned out to be a real person, but they hadn’t been communicating with the entrepreneur. The individual then realized that the meeting in South America was likely a setup for a kidnap-and-ransom scheme.

When asked what users can do to protect themselves against these types of attacks, Devost recommended “a healthy dose of skepticism in their online interactions.”

“I mean, there's just a user awareness component of this,” he said. “So there's some technical mitigations. Enable the two-factor authentication. And then there's some kind of social engineering resiliency that you can build up to make sure that you are at least applying a first order level of scrutiny on the incoming requests that are coming into your inbox.”

Attackers are extremely skilled at getting people to drop their guard and assume the best of others. New-school security awareness training is one of the best defenses against gullibility. The CyberWire has the story:
[March Live Demo] Ridiculously Easy Security Awareness Training and Simulated Phishing!

Old-school awareness training does not hack it anymore. Your email filters have an average 10-15% failure rate; you need a strong human firewall as your last line of defense.

Join us this week, Wednesday, March 13 @ 2:00 p.m. (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW: Identify and respond to email threats faster. Enhance your incident response efforts with the PhishER add-on!
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 24,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, March 13, 2019 at 2:00 pm ET

Save My Spot!
Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise

Don't expect two-factor authentication to always protect your accounts. Google has noticed an unsettling increase in phishing attacks that can defeat the security setup.

Hackers have been refining their email phishing schemes to also nab the one-time passcode from two-factor authentication security setups, Google warned at RSA. "We've seen a big rise in the number of phishable 2FA attacks," Nicolas Lidzborski, a security engineering lead for Gmail, said during a talk at RSA.

Looks like you knew this is the case. Roger A. Grimes, KnowBe4's very own Data-Driven Defense Evangelist presented his "12 Ways to Hack 2FA" at RSA and noted: "Good crowd, room held 500 but it was full, a second room they opened up got full and there was a line around the far corner. RSA under-estimated how many people our talk would draw." More:
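To make concrete what "phishable 2FA" means, here is an added example that is not code from the newsletter, from Google's talk or from Roger Grimes' presentation. It implements RFC 6238 TOTP with the standard library and a server-side verifier that enforces a short validity window and single use. The seed, timestamps and host names are constructed. What it demonstrates: a one-time code proves only that the person typing it holds the seed, not which site they typed it into, so a code entered on a look-alike page and forwarded to the real site within seconds is accepted. Single-use enforcement does not stop that relay, but it does produce a visible signal (the legitimate user's own submission is rejected as already used), which is worth alerting on.

```python
"""Added example, not code from the newsletter or from Google's RSA talk.

Shows why an OTP-based second factor is 'phishable': a TOTP code proves that
whoever typed it holds the seed, but says nothing about WHICH site it was
typed into. A look-alike login page that forwards the code to the real site
within its validity window is therefore accepted like the real user.
Single-use enforcement and a short window (both implemented below) stop
later replay, but not a real-time relay. TOTP follows RFC 6238 using only
the standard library; the seed and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: accept a code for the current step (plus one step of clock
    skew either way) and never accept the same time step twice."""

    def __init__(self, secret_b32: str, step: int = 30) -> None:
        self.secret = secret_b32
        self.step = step
        self.used_counters: set[int] = set()

    def verify(self, code: str, now: int, origin: str) -> bool:
        # 'origin' is only recorded for the audit log: nothing in a TOTP code
        # ties it to the page the user typed it into, which is the whole problem.
        for skew in (-1, 0, 1):
            t = now + skew * self.step
            counter = t // self.step
            if hmac.compare_digest(totp(self.secret, t, self.step), code):
                if counter in self.used_counters:
                    print(f"replay of an already-used code, submitted via {origin}")
                    return False
                self.used_counters.add(counter)
                print(f"code accepted, submitted via {origin}")
                return True
        return False


def scenario() -> dict:
    """Constructed timeline: the user types a valid code into a look-alike page."""
    seed = "JBSWY3DPEHPK3PXP"          # constructed seed
    now = 1_552_000_000                 # constructed timestamp (March 2019)
    server = OtpVerifier(seed)
    code_typed_into_fake_page = totp(seed, now)
    return {
        # the fake page forwards the code to the real site 5 seconds later:
        # accepted, because the code is valid and has never been used
        "relayed_accepted": server.verify(code_typed_into_fake_page, now + 5,
                                          origin="lookalike.example"),
        # the real user now submits the same code to the real site: rejected
        # as already used, which is the first visible sign of the relay
        "victim_retry_accepted": server.verify(code_typed_into_fake_page, now + 10,
                                               origin="real.example"),
        # the captured code two minutes later: outside the window
        "late_replay_accepted": server.verify(code_typed_into_fake_page, now + 120,
                                              origin="lookalike.example"),
    }


if __name__ == "__main__":
    print(scenario())
```

The verifier can be checked against the RFC 6238 test vector (seed `12345678901234567890`, time 59, eight digits gives `94287082`). The design point is in `verify`: the only input the server cannot check is where the code came from, so window size and single use are hygiene, not a fix for relay-style phishing.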
Top 5 IT Security Myths Your CISO Believes Are True… BUSTED!

Facts are facts… but what happens when IT security pros take myths at face value?

That got us thinking… what if we whip out our magnifying glasses, pull out the trench coats and use our research skills to differentiate fact from fiction? Join us for this interactive webinar where we’ll help you decide how to invest your time and money wisely, how to implement worthwhile defenses, and what holes to plug so your organization gets the best bang for your security budget buck.

Join us on Tuesday, March 19th @ 2:00 pm ET when Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, and Erich Kron, KnowBe4’s Security Awareness Advocate, will uncover the truth behind the Top 5 IT Security Myths. They’ll be stating facts and slinging stats. Then YOU DECIDE whether each myth is confirmed or BUSTED!

Myths we will be investigating:
  • Every organization needs antivirus and firewalls on endpoints
  • Patching 99% of your environment is enough
  • Biometrics are an unhackable form of authentication
  • Hackers will still break in no matter what defenses you have in place
  • End users can’t be trained, technology is your only defense
Date/Time: Tuesday, March 19th @ 2:00 pm (ET)

Save My Spot!
Can You Be Spoofed? Find out for a Chance to Win a Stormtrooper Helmet Prop Replica

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users have been thoroughly trained in security awareness.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus, if you are in the US or Canada you'll be entered for a chance to win a First Order Stormtrooper Helmet Prop Replica*.

Try to Spoof Me!

*Terms and Conditions apply.
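Whether mail that claims to come from your own domain gets through depends largely on two DNS TXT records, SPF and DMARC. The following is an added example, not KnowBe4's Domain Spoof Test and not its code: an offline evaluation of those two records that reports the weaknesses a spoofer relies on (no terminating `-all`, a DMARC policy of `p=none`, partial `pct`, no aggregate reporting). The record strings are constructed; in practice they come from TXT lookups of the domain and of `_dmarc.` plus the domain.

```python
"""Added example (not KnowBe4's Domain Spoof Test): assess whether a domain's
SPF and DMARC records would let a receiver reject mail spoofing that domain.
Record strings below are constructed inputs, not real DNS answers."""
import re
from typing import Optional


def spf_all_qualifier(txt: Optional[str]) -> Optional[str]:
    """Qualifier on the terminating 'all' mechanism: '-', '~', '?' or '+'.
    Returns None when there is no SPF record or no 'all' mechanism."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"          # a bare 'all' means '+all' (pass everyone)


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> dict:
    """Return {'spoofable': bool, 'findings': [...]} for the two records."""
    findings = []

    q = spf_all_qualifier(spf_txt)
    if q is None:
        findings.append("no SPF record or no terminating 'all': any host may send as this domain")
    elif q in ("+", "?"):
        findings.append(f"SPF ends in '{q}all': unauthorised senders are not flagged")
    elif q == "~":
        findings.append("SPF ends in '~all' (softfail): without DMARC enforcement receivers usually deliver anyway")

    tags = parse_dmarc(dmarc_txt)
    enforced = False
    if tags is None:
        findings.append("no DMARC record: SPF/DKIM results are never enforced on the From: header")
    else:
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: only that share of failing mail is subject to the policy")
        if "rua" not in tags:
            findings.append("no rua= address: you receive no aggregate reports of spoofing attempts")
        enforced = policy in ("quarantine", "reject") and pct == 100

    # With p=reject/quarantine at pct=100 a softfail or fail still leads to
    # rejection, so DMARC enforcement is what decides spoofability.
    return {"spoofable": not enforced, "findings": findings}


if __name__ == "__main__":
    # constructed records for a domain that has not finished its DMARC rollout
    print(assess("v=spf1 include:_spf.example.net ~all",
                 "v=DMARC1; p=none; rua=mailto:dmarc@example.org"))
```

The `spoofable` verdict deliberately hinges on DMARC enforcement rather than on the SPF qualifier alone, because a receiver only acts on an SPF result for the visible From: domain when DMARC tells it to.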

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I'm suffering from Data Breach Fatigue; how about you? Here is another massive one. When will it ever stop? My personal data must have been stolen 20 times by now:
Quotes of the Week
"Success consists of going from failure to failure without loss of enthusiasm." - Winston Churchill

"Success is not the key to happiness. Happiness is the key to success. If you love what you are doing, you will be successful." - Albert Schweitzer

Thanks for reading CyberheistNews
Security News
From RSA 2019: BEC Hits Not-for-Profits

One of the lessons participants took away from RSA 2019 is that social engineering remains a principal threat to organizations of all kinds. A report delivered during the conference showed how organizations not normally thought of as high-value targets in fact are very much in the criminal crosshairs.

Threatpost has an account of research presented by Agari on Scarlet Widow, a Nigerian gang that has been hitting such organizations as the Salvation Army and the Boy Scouts of America.

Agari researchers have found a Scarlet Widow database with “targeting information” for more than 30,000 individuals in more than 13,000 organizations. The target list extended to twelve countries.

A significant subset of the targets involves not-for-profits: some 3400 individuals at over 5500 not-for-profits, and more than 1800 individuals at 660 schools and universities. The Boy Scouts of America was the most targeted not-for-profit, but other targets included the Salvation Army, the United Way, the Y, a ballet foundation in Texas, and at least one Roman Catholic archdiocese.

Scarlet Widow’s general approach is business email compromise. It’s not particularly clever, nor is it especially novel, but volume pays off, especially against organizations with large attack surfaces that are disposed to trust interactions with large numbers of individuals.

A short email arrives with a display name matching that of one of the organization’s executives and directs the recipient to buy iTunes or Google Play gift cards. The direction to purchase gift cards is a tactical shift; Scarlet Widow had earlier asked its victims for the more familiar wire transfer.

The criminals use the peer-to-peer cryptocurrency exchange Paxful, through which they have been able to convert scammed gift cards into alt-coin at a discounted but still profitable rate of 40 to 80 cents on the dollar. More than $15,000 in gift cards has been lost to Scarlet Widow’s BEC campaigns.

That is a small sum, to be sure, but for many not-for-profits it is not trivial. The conversion through Paxful is fast and, unfortunately, irreversible. There are several lessons here. First, it remains important to establish, and then actually follow, policies that instruct employees not to transfer funds or make purchases on the strength of an email from the boss.

And, of course, new-school training in resistance to social engineering is valuable to all organizations, of all types, missions, and sizes. Threatpost has the story:
Risk and Human Behavior

The actions of your employees can be one of the greatest cybersecurity risks facing your organization, according to Adenike Cosgrove from Proofpoint. Cosgrove points out that cybercriminals, like most people, will take the path of least resistance when they carry out a job. In most cases, this means tricking a human into letting them into an organization’s network, rather than going through the difficult process of hacking their own way in.

“Many organizations’ security and compliance tools focus on safeguarding the perimeter, helping to manage endpoints and patch system vulnerabilities,” she says. “But they struggle to protect against the human vulnerability. To stop today’s advanced attacks, businesses need to focus on protecting end users by adopting a people-centric cybersecurity strategy. These strategies are a realistic approach to cybersecurity, using technology and training to protect the people in organizations, not just the technology they use.”

Cosgrove adds that “combining software-based security with employee education and vigilance holistically across the business is essential to minimizing human risks.” Technical defenses won’t make a difference if attackers can achieve their goals by exploiting your employees. New-school security awareness training can help your organization build a culture of security to mitigate human-based vulnerabilities. Help Net Security has the story:
Spoofing the US Departments of Labor and Transportation

Attackers are spoofing the departments of Labor and Transportation to target government contractors, researchers at Anomali Labs have found. The researchers discovered a server hosting two subdomains whose URLs imitated those used by the government websites. This is a good example of how Chinese attackers operate.

Both phishing sites are nearly identical in appearance to the legitimate sites they imitate. In the case of the Department of Transportation (DOT) phishing campaign, the attackers had set up a subdomain which redirected users to a spoofed DOT eProcurement login portal.

This site presents a pop-up window with bidding instructions for commercial contracts. After following the instructions, users are asked to enter their email credentials.

The pop-up also instructs users to send any questions to an acting manager at the DOT’s Office of Small and Disadvantaged Business Utilization (OSDBU). The attacker used the name of the real manager at this office, but the email address provided ended in “dot-gov[.]us,” rather than “”

The Department of Labor (DOL) phishing scheme was similar, with users being sent to a spoofed DOL website with a red button titled “Click here to bid.” Clicking this button again brings up a login window which harvests the user’s credentials.

When the researchers looked up the “dot-gov[.]us” domain, they found at least seven related domains mimicking government websites, from the Federal Government of the United States down to the Department of Parks of Montgomery County, Maryland.

The researchers didn’t see any phishing emails, but they assume these domains are used for malicious email campaigns. This phishing campaign was specifically targeting small businesses looking for government contracts. Attackers often target government contractors to gain a foothold in the government’s supply chain.

Small businesses are particularly attractive because they often struggle to implement security measures. Employees at organizations of all sizes can benefit from new-school security awareness training to help them avoid these threats. Federal News Network has the story:
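The two campaigns above rely on tricks a mail gateway can flag before a user ever sees them: a From: display name that matches an executive while the address is external (Scarlet Widow), and a sender domain styled to look governmental, such as the "dot-gov[.]us" pattern, or a hyphen/dot rearrangement of your own domain (the DOT/DOL lookalikes). Here is an added example that is not code from Agari, Anomali Labs or the newsletter. The executive directory, the protected-domain list and the three messages are constructed; the checks are heuristics meant to route mail for review, not a verdict.

```python
"""Added example (not Agari's, Anomali Labs' or the newsletter's code): a
gateway-style triage of inbound mail for the two impersonation patterns
described above. The executive directory, the protected domains and the
sample messages are all constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# constructed: executive display name -> the only domain they send from
EXECUTIVES = {"jane doe": "example.org"}
# constructed: domains whose lookalikes should be flagged
PROTECTED = {"example.org"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def fake_gov(domain: str) -> bool:
    """'dot-gov.us' style: a 'gov' label inside a domain whose TLD is not .gov."""
    labels = domain.lower().split(".")
    tokens = re.split(r"[.-]", domain.lower())
    return labels[-1] != "gov" and "gov" in tokens[:-1]


def looks_like(candidate: str, protected: str) -> bool:
    """'example-org.us' or 'exampleorg.com' as imitations of 'example.org':
    compare the names with dots and hyphens removed. Real subdomains of the
    protected domain are not lookalikes."""
    candidate, protected = candidate.lower(), protected.lower()
    if candidate == protected or candidate.endswith("." + protected):
        return False
    stripped_c = re.sub(r"[.-]", "", candidate)
    stripped_p = re.sub(r"[.-]", "", protected)
    return stripped_p in stripped_c


def analyze(raw: str, executives=EXECUTIVES, protected=PROTECTED) -> list:
    """Return a list of human-readable findings; an empty list means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain, reply_domain = domain_of(addr), domain_of(reply_addr)
    findings = []

    # 1. display-name impersonation of an executive (Scarlet Widow pattern)
    exec_domain = executives.get(" ".join(name.split()).lower())
    if exec_domain and sender_domain != exec_domain:
        findings.append(f"display name '{name}' matches an executive but the address is {addr}")

    # 2. replies silently diverted to another domain
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")

    # 3. government-styled and protected-domain lookalikes (DOT/DOL pattern)
    for d in {sender_domain, reply_domain} - {""}:
        if fake_gov(d):
            findings.append(f"{d}: non-.gov domain styled as a government domain")
        for p in protected:
            if looks_like(d, p):
                findings.append(f"{d} imitates protected domain {p}")

    # 4. the gift-card ask itself
    payload = msg.get_payload(decode=True) or b""
    if re.search(r"\bgift cards?\b", payload.decode("utf-8", "replace"), re.IGNORECASE):
        findings.append("body asks for gift cards")
    return findings


# constructed sample messages
SCARLET_STYLE = """\
From: "Jane Doe" <jane.doe@freemail.example>
To: accounting@example.org
Subject: Quick favour

Are you in the office? I need you to buy 5 iTunes gift cards for a client today and send me the codes.
"""

LOOKALIKE_GOV = """\
From: "Contracts Office" <bids@dot-gov.us>
Reply-To: bids@dot-gov.us
To: owner@smallbiz.example
Subject: Invitation to bid

Click here to bid on open commercial contracts.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.org>
To: accounting@example.org
Subject: Q1 numbers

Can you send me the Q1 numbers before Friday?
"""

if __name__ == "__main__":
    for label, raw in (("scarlet", SCARLET_STYLE), ("gov", LOOKALIKE_GOV), ("legit", LEGIT)):
        print(label, analyze(raw))
```

Each finding is a reason to hold the message or tag it for the recipient rather than to discard it outright; the display-name check in particular depends on keeping the executive directory current.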
What KnowBe4 Customers Say

"Hi Stu! I’m so happy with the product, and with your team. They have all been so responsive, professional, and knowledgeable. John Freeman (account rep) and Melissa Smith (technical support) are two of your stellar team members! We love the content that you provide and the variety of ways we can distribute it to our company. Very happy."
- F.F. Manager Governance, Risk, and Compliance

"Hi Stu, Yes, I have been having success with the KnowBe4 platform. It has definitely helped bring awareness to users, as well as helped with them knowing when to alert me of such malicious e-mails. Thank you for creating this platform, it, in my opinion, is an amazing tool!"
- B.T. BSc CIS, IT Specialist
The 10 Interesting News Items This Week
    1. U.S. officials: It’s China hacking that keeps us up at night:

    2. RSA Survey: Most employees access corporate data on mobile devices through public Wi-Fi networks:

    3. RSA Conference 2019: Ultrasound Hacked in Two Clicks:

    4. At RSA, governments still prove to be more powerful than cyber:

    5. Beyond Hybrid War: How China Exploits Social Media to Sway American Opinion:

    6. Beijing Drops Contentious ‘Made in China 2025’ Slogan, but Policy Remains:

    7. Phishing Attacks Evolve as Detection Response Capabilities Improve:

    8. Silicon Valley and the FBI Take Their Encryption Fight Behind Closed Doors:

    9. UK charity set up to counter Russian disinformation targeted in cyber attack:

    10. Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
