CyberheistNews Vol 9 #13
[Heads-Up] This Evil New Child Porn Phishing Attack Could Absolutely Ruin Your Life

Oh my. Bad guys have come up with a sinister new strain of blackmail/sextortion. Just when you thought things couldn't get worse, the bad guys sink lower.

Eric Howes, KnowBe4's Principal Lab Researcher, sent me a screenshot of an attack now live in the wild. It claims the CIA will bust you for child porn unless you pay 5,000 dollars, and only then "your records will be deleted".

Apart from the very scary and expensive extortion, the email also contains a malicious link. What lies behind that link (a credentials phish or a malware download) we don't know, as the target web page for that link has since been taken down. But it sure looks like the bad guys have two attack vectors and are also trying to infect the workstation.

It will become more serious

KnowBe4 is seeing a rise in this blackmail-type phishing... and it will become more serious. Given the capabilities of recent destructive malware and ransomware, the following scenario becomes highly probable: if a user doesn't pay the ransom but clicks on the link, worried to death, the attackers put actual child pornography on the user's machine and/or stuff the user's search history with fake searches. Then they anonymously notify the FBI or other law enforcement. It's a setup, and the intent is to actually get the person arrested and massively disrupt your organization at the same time.

This could absolutely ruin someone's life

Unfortunately, technically this is not that difficult to do and we see the potential for this to develop into highly targeted spear phishing attacks on CEOs, politicians, high-net-worth individuals, celebrities, etc. This could absolutely ruin someone's life.

Child porn would be a gruesomely effective setup. Law enforcement accepts absolutely no excuses when they encounter it on a device, as malware researchers and investigative journalists have discovered to their horror. Even law enforcement officers who deal with it are monitored and supervised carefully.

The bad guys here have two attack scenarios and would have to make a critical decision. If you've compromised the devices/accounts of a high-value target, what's the most productive way to extract value from that target?
  1. Lie low and exploit the compromised devices and accounts for long-term gain (information, money, etc.), or
  2. Go the extortion route, which would inevitably bring scrutiny from law enforcement, IT specialists, and others with a stake/interest in investigating those devices and accounts.
Different cyber crime gangs could be operating with divergent "business models." Something similar to this was all over the news recently: the dust-up between Jeff Bezos and AMI (parent company of the National Enquirer) comes close to the above attack model, if Bezos' phone had in fact been compromised. Think of the potential value of getting super-sophisticated backdoor Trojans onto the devices of Mr. Bezos.

What kind of world are we living in?

It would be important for the cyber criminals to set a precedent like ransomware did: pay the ransom and get your files back. A few famous people being made an example of with a repulsive attack like this, and we bet people will start paying.

This could even be developed into a criminal extortion subscription, modeling the old "protection money" the mob used to run. What kind of world are we living in?

One thing is for sure

We absolutely have to make our users aware of these horrible scams, and make sure they stay cool, calm and collected when something this alarming makes it through the filters and lands in their inbox. Instead of panicking, they should click on the Phish Alert Button.

Full Story with links and screenshot:
https://blog.knowbe4.com/heads-up-this-evil-new-child-porn-phishing-attack-could-absolutely-ruin-your-life
[NEW BOOK] Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors

KnowBe4's very own Chief Evangelist and Strategy Officer Perry Carpenter has written a brand new book. It will be released May 29, 2019 and comes strongly recommended, as I have read an early version. I recommend you pre-order it at Amazon; here is the blurb from the page promoting the book.

"Expert guidance on the art and science of driving secure behaviors"

Transformational Security Awareness empowers security leaders with the information and resources they need to assemble and deliver effective world-class security awareness programs that drive secure behaviors and culture change. Pre-order here:
https://www.amazon.com/Transformational-Security-Awareness-Neuroscientists-Storytellers/dp/1119566347/
[LAST CHANCE] Can You Be Spoofed? Find out for a Chance to Win a Stormtrooper Helmet Prop Replica!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

If they can, they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly security-awareness trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus, if you’re in the US or Canada you'll be entered for a chance to win a First Order Stormtrooper Helmet Prop Replica*.

Try to Spoof Me!
https://info.knowbe4.com/dst-sweepstake-mar2019

*Terms and Conditions apply.
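Whether a domain can be spoofed comes down to what its SPF and DMARC records actually say. The example below is added here and is not KnowBe4's Domain Spoof Test or any code from the original newsletter; it parses the two TXT records as strings (the sample records and domain names are constructed, not real DNS answers) and returns a verdict. The key point it encodes: SPF alone only checks the envelope sender (MAIL FROM), not the From: header your users see, so a domain with `-all` but no enforcing DMARC policy is still a soft target for CEO fraud.

```python
import re
from typing import Optional

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation,
# and a record that exceeds the limit evaluates to permerror (no protection at all).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: Optional[str]) -> dict:
    """Summarise a v=spf1 TXT record: the qualifier on 'all' and the lookup count."""
    if not record or not record.lower().startswith("v=spf1"):
        return {"present": False, "all": None, "lookups": 0}
    all_qualifier, lookups = None, 0
    for term in record.split()[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"  # a bare 'all' means '+all'
        else:
            name = re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0]
            if name in LOOKUP_TERMS:
                lookups += 1
    return {"present": True, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: Optional[str]) -> dict:
    """Summarise a v=DMARC1 TXT record: policy, subdomain policy and sampling pct."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {"present": False, "p": None, "sp": None, "pct": 0}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "none")
    return {"present": True, "p": policy, "sp": tags.get("sp", policy),
            "pct": int(tags.get("pct", "100"))}


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> str:
    """Return 'protected', 'weak' or 'spoofable' for the visible From: domain.

    Only an enforcing DMARC policy ties the From: header to an aligned SPF/DKIM
    result; SPF by itself checks the envelope sender, which the attacker controls.
    """
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    spf_usable = spf["present"] and spf["lookups"] <= 10
    spf_hard_fail = spf_usable and spf["all"] == "-"
    dmarc_enforcing = dmarc["present"] and dmarc["p"] in ("quarantine", "reject")
    if dmarc_enforcing and dmarc["pct"] == 100:
        return "protected"
    if dmarc_enforcing or spf_hard_fail:
        return "weak"  # sampled DMARC, or SPF hard fail with no header alignment
    return "spoofable"


if __name__ == "__main__":
    # Constructed records for hypothetical domains (no DNS queries are made).
    samples = {
        "locked-down.example": ("v=spf1 include:_spf.mailer.example -all",
                                "v=DMARC1; p=reject; rua=mailto:dmarc@locked-down.example"),
        "spf-only.example": ("v=spf1 mx -all", None),
        "monitor-mode.example": ("v=spf1 include:_spf.mailer.example ~all", "v=DMARC1; p=none"),
        "no-records.example": (None, None),
    }
    for domain, (spf, dmarc) in samples.items():
        print(f"{domain:24} {assess(spf, dmarc)}")
```

To check a real domain, feed in the TXT records returned for the domain itself and for `_dmarc.<domain>` (for example from `dig +short txt _dmarc.example.com`). A `p=none` DMARC record is monitoring only and will not stop a forged From: header, which is why it is classed as spoofable above.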
WOW, Phishing Attacks Are Now More Common Than Malware!

Microsoft's security team is uniquely positioned to analyze trends in cyber security threats, and their regular Security Intelligence Reports (SIR) are an excellent indicator of those trends. Redmond's numbers are based on their internal scanning of Office 365 email.

And here is the big news

The most recent SIR indicates that phishing attacks are now by far the most frequent threat in the cyber landscape, increasing a massive 250% since the publication of the previous report. Microsoft analyzed over 470 billion email messages and concluded that phishing attacks are not only much more frequent, but have also increased significantly in sophistication in a short amount of time.

Phishing Is Now the Criminal Preferred Practice

Phishing attacks have been trending upward for some time, but Microsoft’s data indicates that they are now becoming the preferred practice of criminals. The techniques employed are also quite diverse. Attackers are often able to convincingly impersonate users and domains, bait victims with fake cloud storage links, engage in social engineering and craft attachments that look similar to ones commonly used in the organization, among other attack types.

Continue reading, and get the latest SIR here:
https://blog.knowbe4.com/wow-phishing-attacks-are-now-more-common-than-malware
[VIDEO] KnowBe4's CEO Stu Sjouwerman on Adding One More Layer of Security

It's a common refrain that people are security's weakest link. But Stu Sjouwerman of KnowBe4 has a way to manage that ongoing problem which adds a critical additional layer to address that vulnerability.

I was interviewed by Tom Field of the Information Security Media Group at the RSA 2019 Conference in San Francisco, and we discuss:
  • Why humans remain the weak link
  • The additional layer of security that's necessary
  • What distinguishes KnowBe4's approach
If you need to explain to C-level execs why you need budget, this is good ammo. Here is the 6:28 video:
https://www.databreachtoday.com/strengthening-weakest-link-a-12135
[March Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product that allows your Incident Response team to identify and respond to email threats faster. This will save them a lot of time!

See how you can best manage your user-reported messages.

Join us tomorrow at 2:00 pm (ET), for a live 30-minute demonstration of the new PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: Tomorrow, March 27th at 2:00 pm (ET)
https://event.on24.com/wcc/r/1908612/F59B35255DC68F0FC81F0169F3207A9A?partnerref=CHN
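The two ideas behind the demo above, rule-based categorization of user-reported messages into Clean, Spam or Threat and clustering to spot one lure landing in many inboxes, are simple enough to show in code. The following is an added example written for this page, not PhishER's own logic; the company domain `acme-corp.com`, the sender allowlist, the rules themselves and the seven reported messages are all constructed assumptions. It goes a little beyond the text by escalating a whole cluster when the same message is reported by several users, even when no single copy tripped a rule.

```python
import re
from collections import defaultdict

# Assumptions for this example (not PhishER's real rules): the organisation's own
# domain, an allowlist of senders users habitually report anyway, and file
# extensions that execute or mount when opened.
COMPANY_DOMAIN = "acme-corp.com"
KNOWN_SENDERS = {"newsletter.vendor.example", "notify.saas-tool.example"}
DANGEROUS_EXTS = {"iso", "img", "exe", "scr", "js", "hta", "lnk", "vbs"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify|overdue|password)\b", re.I)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/", 1)[0]


def lookalike(host: str, target: str) -> bool:
    """True for digit-for-letter swaps and for the target's name embedded in another domain."""
    if host == target or host.endswith("." + target):
        return False
    norm = host.translate(HOMOGLYPHS)
    return norm == target or target.split(".", 1)[0] in norm


def categorize(report: dict) -> tuple:
    """Apply ordered rules; the first match wins, most dangerous rules first."""
    sender = domain_of(report["from"])
    hosts = [host_of(u) for u in report["urls"]]
    if any(a.rsplit(".", 1)[-1].lower() in DANGEROUS_EXTS for a in report["attachments"]):
        return "Threat", "dangerous attachment type"
    if lookalike(sender, COMPANY_DOMAIN) or any(lookalike(h, COMPANY_DOMAIN) for h in hosts):
        return "Threat", "lookalike of company domain"
    if sender in KNOWN_SENDERS:
        return "Clean", "allowlisted sender"
    if URGENCY.search(report["subject"]) and hosts:
        return "Threat", "urgency lure with external link"
    return "Spam", "unsolicited, no threat indicator"


def cluster(reports: list) -> dict:
    """Group reports by normalised subject + sender domain; digits become '#', so
    'Mailbox quota 97% used' and 'Mailbox quota 99% used' fall in one cluster."""
    groups = defaultdict(list)
    for r in reports:
        subject = re.sub(r"^(re|fw|fwd):\s*", "", r["subject"].strip(), flags=re.I)
        subject = re.sub(r"\d+", "#", subject).lower()
        groups[(subject, domain_of(r["from"]))].append(r["id"])
    return {k: v for k, v in groups.items() if len(v) >= 2}


def triage(reports: list, campaign_threshold: int = 3) -> dict:
    verdicts = {r["id"]: categorize(r) for r in reports}
    campaigns = [ids for ids in cluster(reports).values() if len(ids) >= campaign_threshold]
    for ids in campaigns:  # the same lure hitting many users: escalate the whole cluster
        for i in ids:
            if verdicts[i][0] != "Threat":
                verdicts[i] = ("Threat", "part of a multi-recipient campaign")
    return {"verdicts": verdicts, "campaigns": campaigns}


# Constructed sample of user-reported messages.
REPORTS = [
    {"id": 1, "from": "ceo@acme-c0rp.com", "subject": "Quick favour - gift cards",
     "urls": [], "attachments": []},
    {"id": 2, "from": "it-alerts@mailstorage.example", "subject": "Mailbox quota 97% used",
     "urls": ["https://mailstorage.example/login"], "attachments": []},
    {"id": 3, "from": "it-alerts@mailstorage.example", "subject": "FW: Mailbox quota 98% used",
     "urls": ["https://mailstorage.example/login"], "attachments": []},
    {"id": 4, "from": "it-alerts@mailstorage.example", "subject": "Mailbox quota 99% used",
     "urls": ["https://mailstorage.example/login"], "attachments": []},
    {"id": 5, "from": "news@newsletter.vendor.example", "subject": "March product updates",
     "urls": ["https://newsletter.vendor.example/march"], "attachments": []},
    {"id": 6, "from": "analyst@market-tips.example", "subject": "Bitcoin investment update",
     "urls": [], "attachments": ["update.pdf.iso"]},
    {"id": 7, "from": "deals@shop-random.example", "subject": "50% off this weekend",
     "urls": ["https://shop-random.example/sale"], "attachments": []},
]

if __name__ == "__main__":
    result = triage(REPORTS)
    for rid, (category, reason) in sorted(result["verdicts"].items()):
        print(f"#{rid}: {category:6} ({reason})")
    print("campaigns:", result["campaigns"])
```

Reports 2 to 4 each look like Spam on their own, but three users reporting the same lure from the same sender is the signature of a campaign, which is why the cluster is promoted to Threat as a unit. The lookalike check is deliberately crude (digit swaps and name embedding only); a production rule would add a proper homoglyph table and an allowlist of your own subdomains.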
[On-Demand] 10 Incredible Ways You Can Be Hacked Through Email & How to Stop the Bad Guys!

Email is still the #1 attack vector the bad guys use. A whopping 91% of cyberattacks start with a phishing email, but email hacking is much more than phishing and launching malware!

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and a security expert with over 30 years of experience, for this webinar in which he explores 10 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run.

Plus, he'll share a (pre-filmed) hacking demo by Kevin Mitnick, KnowBe4's Chief Hacking Officer, in which he captures a password hash via email with no clicks and no malicious code.

You’ll want to see this... Watch It Now!!
https://info.knowbe4.com/webinar-10-ways-hacked-email

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

BREAKING NEWS: Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’:
https://blog.knowbe4.com/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers
Quotes of the Week
"It is not because things are difficult that we do not dare, it is because we do not dare that they are difficult." - Lucius Annaeus Seneca, (5 BC - 65 AD)

"In order to conquer, what we need is to dare, still to dare, and always to dare."
- Georges Jacques Danton (1759 - 1794)



Thanks for reading CyberheistNews
Security News
[Heads-Up] Bad Guys Are Moving to Mobile Phishing for Gift Card Scams

Scammers are shifting to SMS to carry out business email compromise (BEC) attacks, since text messaging offers less visibility to the victim and more flexibility to the attacker, says James Linton at Agari.

BEC attacks have traditionally centered around email exchanges, although phone calls and text messages can play a role. Agari has observed a recent trend, however, in which attackers send an initial email requesting the victim’s phone number, and the rest of the scam takes place via text message.

“By moving them over to their cell phone, the scammer is equipping their victim with all the functionality needed to complete the task that is to be given to them,” writes Linton. “A mobile device offers instant and direct messaging, the ability (in most cases) to still access email, the ability to take pictures with the phone’s camera, and far greater portability than a laptop, which all increases the chances that the scammer will be successful in achieving their desired outcome once a victim is on the hook.”

As an example, Linton points to a scammer group tracked by Agari that impersonates the targeted organization’s CEO, and then attempts to trick an employee of that organization into buying gift cards and sending photos of the codes to the attacker.

“In a mobile BEC scam, the actor has the ability to play a greater role in guiding the victim throughout the entire gift card buying process,” he says. “SMS is more conversational in nature than email, which mitigates potential stumbling blocks in the completion of the task.”

While SMS-based phishing, or smishing, is nothing new, attackers are increasingly seeing the advantages of SMS for more elaborate scams. Think about your policies, too: if your C-suite is in the habit of having employees make large purchases of gift cards on the company dime, maybe you should rethink that.

New-school security awareness training can help your employees keep up with the constantly evolving tactics used by attackers. Story and screenshot:
https://blog.knowbe4.com/smishing-sms-phishing-for-gift-cards
Scammers Stole USD 170,000 From Two Defense Contractors and a University

Two defense contractors and a university lost approximately 170K from business email compromise (BEC) scams last year, according to an FBI advisory obtained by CyberScoop. The scammers impersonated employees at the organizations by spoofing email addresses, and then used fraudulent lines of credit to rack up expensive purchases.

In one instance, a scammer impersonated a university employee and ordered 150 electronic measurement instruments from a US defense contractor, stealing a total of 80K. Two similar incidents resulted in defense contractors losing 90K.

Alexander Heid, chief security officer at SecurityScorecard, told CyberScoop that business email compromise scams are growing increasingly popular due to the high payoff for attackers.

“Business impersonation fraud is trending because it works,” said Heid. “With 1,000 target enterprises, if only 1 percent fall for the scam, that is still ten places wiring over large sums of money – and that adds up very fast. The incentive is there, the technology is there, the risk is low compared to traditional forms of crime, and now we are seeing the aftermath in the form of victim stories and law enforcement warnings after years of observed activity.”

The FBI said these scams could have been prevented if the suppliers had taken steps to confirm that the purchases were legitimate. In many cases, simply calling the other party over the phone can expose a fraudulent email exchange.

New-school security awareness can teach your employees to be suspicious of all transaction requests until they’re absolutely certain of their legitimacy. CyberScoop has the story:
https://www.cyberscoop.com/email-scammers-stole-150k-defense-contractors-university-fbi-says/
One in Seven Healthcare Employees Will Fall for Phishing Emails

A study recently published in the Journal of the American Medical Association highlights how vulnerable the healthcare sector is to phishing attacks, according to Jessica Davis at Health IT Security.

Researchers from Harvard Medical School and Boston’s Brigham and Women’s Hospital sent millions of simulated phishing emails to employees at six healthcare organizations between 2011 and 2018.

“The researchers performed 95 simulated phishing campaigns, sending about 3 million emails to the studied organizations’ employees,” writes Davis. “In total, the employees opened 422,062 of the malicious emails, or about 14 percent.

The median click rate ranged from about 7.4 percent to 30.7 percent, with an overall median click rate of 16.7 percent across all organizations and campaigns. The total click rate was about one out of seven simulated phishing emails.”

The rate of success was fairly consistent across different organizations, although they determined that personal emails were far more effective than business-related ones. They also found, however, that the click rate dropped significantly in subsequent campaigns.

“Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness,” the report states. “Employee awareness and training represent an important component of protection against phishing attacks… One method of generating awareness and providing training is to send simulated phishing emails to a group of employees and subsequently target educational material to those who inappropriately click or enter their credentials.”

Davis notes that the healthcare sector is particularly vulnerable to phishing attacks due to high employee turnover, as well as the highly-interconnected networks that are characteristic of healthcare organizations. It only takes one successful phishing email to let an attacker into your network. Health IT Security has the story:
https://healthitsecurity.com/news/phishing-education-training-can-reduce-healthcare-cyber-risk
Very Few Professionals Are Confident in Their Phishing Defense Assessments

New research from ISACA and Terranova Security found that just 12% of security, assurance, risk and governance professionals are confident in their ability to assess the effectiveness of their phishing defenses. Additionally, only 57% of those surveyed said they carry out phishing simulations within their organizations.

“Current phishing defense strategies and implementation are clearly not hitting the mark,” said Frank Downs, director of cybersecurity practices at ISACA. “Strengthening these defense activities and improving outcomes is within reach, but requires careful planning and execution, and eliminating any gaps in managing and implementing these security awareness initiatives internally and externally.”

Theo Zafirakos, CISO at Terranova Security, agrees that organizations need to implement security awareness training to ensure that these threats are mitigated. “Phishing attacks continue to grow each year both in number and in cost to organizations globally and countless new phishing scenarios are created every day,” said Zafirakos.

“While human error continues to prevail as the leading cause of all breaches and security incidents, security professionals agree the most effective way to reduce human risk is with security awareness and phishing simulation training.”

Phishing attacks are a real and growing threat to organizations in every sector. Business Wire has the story:
https://www.businesswire.com/news/home/20190314005679/en/Professionals-Fully-Confident-Ability-Assess-Effectiveness-Phishing
The Bait Is Bitcoin; the Hook Is a Clipboard Hijacker

A new phishing campaign is spreading malware through emails that claim to have Bitcoin investment updates, according to My Online Security. The emails direct the victim to download an attachment, which is an [.]iso disk image disguised with a fake document extension earlier in the filename.

The malware is thought to be a new Bitcoin currency stealer, although it’s difficult to tell exactly what it does because it appears to have anti-analysis capabilities.

“What I believe happens, is that the malware stealer file only triggers when you are on one of the bitcoin wallet sites or when you copy or paste in your bitcoin address,” says the researcher at My Online Security.

“This misuses the BitPing ‘tool’ to replace your bitcoin address with the criminal’s one so any payments to your bitcoin address instead go to his account. What the criminal is hoping is that you install the malware that will only trigger when you send somebody else your bitcoin address to pay you.

That is replaced by the criminal’s address and he gets the money instead of you.” Hence the clipboard hijacking, a trick well suited to alt-coin scammers.

My Online Security stresses that “the basic rule is NEVER open any attachment to an email, unless you are expecting it.” These scams are designed to trick you into clicking on the file without thinking. One useful countermeasure on Windows is to untick the “Hide extensions for known file types” option in File Explorer so that the true extension is always shown, even when an attacker has put a fake one earlier in the filename.

And of course we need to be vigilant as criminals evolve new approaches. My Online Security has the story:
https://myonlinesecurity.co.uk/fake-bitcoin-investment-scam-delivers-malware/
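Showing extensions helps a human, but a mail gateway or EDR rule needs the same judgement in code. The function below is an added example for this page, not code from My Online Security or the campaign it describes. It recovers the extension the operating system will actually act on, records the decoy document extension the victim was meant to see, and goes beyond the double-extension trick in the story by also catching two related disguises: a U+202E right-to-left override (which makes `Invoice_\u202Efdp.exe` render as `Invoice_exe.pdf`) and long runs of spaces that push the real extension out of view. The extension lists and sample filenames are constructed.

```python
import re

# Unicode directional controls; U+202E (RLO) makes the rest of a name render
# right-to-left, so the raw "Invoice_\u202Efdp.exe" displays as "Invoice_exe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Extensions that execute or mount on double-click (illustrative list, assumption).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
             "wsf", "hta", "msi", "lnk", "iso", "img", "vhd", "vhdx"}
# Extensions attackers borrow to make a file look like a harmless document.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def analyze(filename: str) -> dict:
    """Return the true extension, any decoy extensions and a block/review/allow verdict."""
    has_bidi = any(ch in BIDI_CONTROLS for ch in filename)
    clean = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    segments = clean.lower().split(".")
    # The OS keys on the text after the last dot, whatever the name looks like.
    true_ext = segments[-1].strip() if len(segments) > 1 else ""
    decoys = [s.strip() for s in segments[1:-1] if s.strip() in DOC_EXTS]
    if "\u202e" in filename:
        # After an RLO the tail renders reversed: "fdp.exe" is shown as "exe.pdf",
        # so the segment right after the override, reversed, is the decoy extension.
        tail = filename.split("\u202e", 1)[1].split(".", 1)[0]
        decoys.append(tail[::-1].lower())
    flags = []
    if true_ext in EXEC_EXTS:
        flags.append("executable or mountable extension")
    if decoys:
        flags.append("decoy document extension: " + ", ".join(decoys))
    if has_bidi:
        flags.append("Unicode bidi override in name")
    if re.search(r" {3,}\.", filename):
        flags.append("whitespace padding before extension")
    if true_ext in EXEC_EXTS or has_bidi:
        verdict = "block"
    elif decoys:
        verdict = "review"
    else:
        verdict = "allow"
    return {"true_ext": true_ext, "decoys": decoys, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample filenames, one per disguise technique.
    for name in ["Bitcoin_investment_update.pdf.iso",
                 "Invoice_\u202efdp.exe",
                 "statement.pdf" + " " * 40 + ".scr",
                 "archive.tar.gz",
                 "quarterly_report.docx"]:
        info = analyze(name)
        print(f"{info['verdict']:6} ext={info['true_ext']!r:8} {info['flags']}")
```

Note that `archive.tar.gz` is not flagged: only document-looking inner extensions count as decoys, which keeps ordinary compound names out of the review queue. Mounting an `.iso` from email has the same effect as running the files inside it, which is why disk images are treated like executables here.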
What KnowBe4 Customers Say

"Stu, Thank you so much for reaching out. I am a very happy camper indeed. In 2019, we have increased our focus on Security Awareness Training. We are running monthly campaigns for our entire organization and we conduct Phishing campaigns roughly every 6 weeks. I’m using the Virtual Risk Officer dashboard to track our improvement.

I have received many positive comments from my colleagues about the KB4 SAT content (professional quality and educational content).

We have also leveraged your Password Exposure Test tool. Thankfully, none of our users' information was in the Have I Been Pwned repository, but the tool did expose some other findings that we are working through remediation on.

We are also using the KCM platform for helping us keep on top of our SOC audit and other regulatory requirements (GDPR).

I also appreciate your CyberheistNews emails. That content has helped me keep aware of the many threats, patches and new tools that are available.

I have very good relationships with Tyler and Mark. In fact, I’ll be in the Tampa area in early April and they invited me to spend part of the day at your headquarters. I’m hoping our schedules align and that you and I will be able to connect for a few minutes while I’m there.

I am also looking forward to attending the KnowBe4 Conference in May. So, all in all, yes, I’m a very happy camper."
- G.F., Security and Compliance Manager



"Hello Stu, I just got an email from you, probably automated, which thankfully reminded me of this email. I apologize for taking so long to respond.

I’ve found KnowBe4 to be a quality system that gives me more peace of mind. My users seem to be doing well at staying out of trouble, for which I’m thankful. However, I had no way to quantify that before, so it was always a point of concern. I also think we’ve benefited from users knowing someone is paying attention to what they are doing.

BTW, I was an early adopter of Vipre Antivirus. It was probably the leanest AV I’ve ever run, which is what caught my attention. Our long-time favorite, McAfee, had suddenly become more of an issue than a solution, so I was very open to “lean and mean”. Our years with Vipre were a good run. Thank you.

Of course, in my mind that just means you set a high bar to live up to. And I think you have done that with KnowBe4."
Best Regards,
- S.W., IT Manager



"Hi Stu, Thanks for checking in. We like the service so far. Training has been very well received and the team is actually having fun with the simulated spam attacks. We have it set up so they get notified immediately if they click on something they shouldn’t, so I’ve gotten a number of “You got me!” emails. It's like a game they don’t know they are playing until the end, HA!"
- O.M., Director of Operations
The 10 Interesting News Items This Week
    1. Former CIA Officer Combats Social Engineering Scams At Civilian And Military Agencies. Meet Rosa Smothers, SVP Cyber Operations at KnowBe4:
      https://cybersecurityventures.com/former-cia-officer-combats-social-engineering-scams-at-civilian-and-military-agencies/

    2. Homeland Security Secretary Kirstjen Nielsen warns US 'not prepared' for foreign cyberattacks:
      https://thehill.com/policy/cybersecurity/434554-nielsen-us-is-not-prepared-for-foreign-cyberattacks

    3. The Top 10 Tech Companies To Work For In Tampa. KnowBe4 is #1!
      https://www.fullstacktalent.com/informative/top-10-tech-companies-work-tampa/

    4. Facebook exposes hundreds of millions of passwords:
      https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

    5. Hackers Take Down Safari, VMware and Oracle at Pwn2Own:
      https://threatpost.com/hackers-take-down-safari-vmware-and-oracle-at-pwn2own/143042/

    6. Analysis | The Cybersecurity 202: Hydro hack shows even low-level criminals can cause major disruptions:
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/03/20/the-cybersecurity-202-hydro-hack-shows-even-low-level-criminals-can-cause-major-disruptions/5c9193591b326b0f7f38f1f5/

    7. This updated Trojan malware campaign targets fintech and cryptocurrency trading companies:
      https://www.zdnet.com/article/this-updated-trojan-malware-campaign-is-targeting-fintech-and-cryptocurrency-trading-companies/

    8. These are the top ten security vulnerabilities most exploited by hackers:
      https://www.zdnet.com/article/these-are-the-top-ten-security-vulnerabilities-most-exploited-by-hackers-to-conduct-cyber-attacks/

    9. Spear Phishing Attacks Are on the Rise, Security Firm Says:
      https://gizmodo.com/spear-phishing-attacks-are-on-the-rise-security-firm-s-1833455812

    10. These are the 12 most common phishing email subject lines cyber criminals use to fool you:
      https://www.zdnet.com/article/these-are-the-12-most-common-phishing-email-subject-lines-cyber-criminals-use-to-fool-you/
Prepared in cooperation with the CyberWire research team.
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.