CyberheistNews Vol 9 #15 [Heads-Up] New Phishing Attacks Make 2FA Useless


These latest attacks are designed to proxy login requests that incorporate SMS-based authentication as a way to seamlessly bypass 2FA protection without being noticed.

Google researchers are seeing more phishing attacks that are 2FA-aware. Attackers are realizing that more organizations are embracing two-factor authentication (2FA) as a means of thwarting phishing attacks that seek to compromise credentials. With a second authentication factor in place (usually an SMS-based verification code), attackers who capture only usernames and passwords have little use for the details they collect.

According to a recent talk with Gmail security engineering lead, Nicolas Lidzborski, cybercriminals are evolving the art of the credential phish, and are adding in mechanisms to capture and instantly use the combination of username, password, and verification code. In essence, the bad guys have come to realize SMS-based verification will be a part of the process, and have painstakingly built detailed lookalike login pages that not only accept user credentials, but also facilitate making the Google request to provide the second authentication factor.

As the victim provides the details, the malicious web page simultaneously logs on to gain access to the user's entire G Suite. Today, it's Google. Tomorrow, you can expect attackers to attempt this on every 2FA platform that uses some kind of single sign-on.

This is a tough attack method to crack. The pages look identical. The process looks identical. So, the only thing that would stand out is the potentially abnormal email request to view something in the user’s Google account.

Users should be educated to be mindful of emails that take them to any kind of logon page on the web. Just because they are prompted to authenticate doesn't mean they should blindly do so. Ongoing Security Awareness Training can help users stay current with attack trends, methods, and techniques, empowering them to recognize when something just isn't right and to avoid falling for even the most realistic scams that capture 2FA.

All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This whitepaper covers over a dozen different ways to hack various types of MFA and how to defend against those attacks. You will learn more about:
  • Two-factor authentication basics
  • How to hack two-factor authentication
  • How to best protect your organization from the bad guys
Download Your 12+ Ways to Hack Two-Factor Authentication White Paper:
https://info.knowbe4.com/12-way-to-hack-two-factor-authentication
vxCrypter Is the First Ransomware to Delete Duplicate Files

Our friend Larry Abrams at Bleepingcomputer wrote: "The vxCrypter Ransomware could be the first ransomware infection that not only encrypts a victim's data, but also "tidies up" their computer by deleting duplicate files.

Last week I discovered a new ransomware called vxCrypter that was currently in development. It is a .NET ransomware and is based on an older ransomware that was never finished called vxLock.

When I first tested the ransomware, I noticed that it had deleted every file in a folder except for one. As I knew this ransomware was still being developed, I assumed it was just a bug in the encryption routine.

During the weekend, Michael Gillespie told me that this deletion of files was intentional as the ransomware was deleting duplicate files. Furthermore, this was the first ransomware that Gillespie or I have seen that performed this behavior.

When analyzing the ransomware, Gillespie noticed that the ransomware was keeping track of the SHA256 hashes of each file it encrypted. As the ransomware encrypted other files, if it encountered the same SHA256 hash, it would delete the file instead of decrypting it.

It is not known why the ransomware is doing this other than as a possible way to increase the speed of encrypting a computer. It also illustrates how we have to stay alert as attackers continue to evolve malware to increase performance, cause havoc, or just do things for no obvious reason." Full story and more tech detail at:
https://www.bleepingcomputer.com/news/security/vxcrypter-is-the-first-ransomware-to-delete-duplicate-files/
SCAM OF THE WEEK: Realistic Phishing Attacks Take Advantage of U.S. Tax Season

With Tax Day only a few days away, cybercriminals are trying to take advantage of tax season through widespread phishing campaigns that aim to trick people into providing sensitive information, or opening malicious attachments containing malware designed to steal financial information or cause other trouble.

In a new report, ProofPoint researchers illustrate how campaigns are targeting the tax season with realistic phishing emails and malicious attachments. These emails are used to install malware on victims' computers or to convince them to submit sensitive information to servers under the attacker's control. Here is a blog post with a ready-to-send alert you can cut & paste:
https://blog.knowbe4.com/scam-of-the-week-realistic-phishing-attacks-take-advantage-of-us-tax-season
Live Webinar: What Keeps IT Pros Like You Up At Night

When attempting to protect your organization, you’re being pulled in a million directions, trying to secure every possible attack vector. The problem is that cybercriminals are constantly evolving their tradecraft, becoming more daring, sophisticated, and successful at cyberattacks and making it increasingly difficult for IT to keep the bad guys out.

With so many possible issues for you to address, what do other IT pros like you really have a handle on and what’s keeping them lying awake at night?

In this informative webcast, join cybersecurity expert and Microsoft MVP, Nick Cavalancia, and Erich Kron, KnowBe4's Security Awareness Advocate, as they discuss the results of KnowBe4’s 2019 What Keeps You up at Night Report.

Topics will include:
  • Attack Types
  • Security Initiatives
  • Compliance vs. Security
  • User-Related Issues
  • Resource Issues
  • Executive-Level Concerns
Date/Time: Wednesday, April 17, 2019 at 2:00 PM ET

Save Your Spot:
https://event.on24.com/wcc/r/1970963/5CD644A94B64800D247493593514EDB2?partnerref=CHN
[April Live Demo] See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 10-15% failure rate; you need a strong human firewall as your last line of defense.

Join us Tomorrow, April 10th @ 2:00 p.m. (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
  • Identify and respond to email threats faster. Save a huge amount of time with the PhishER add-on!
Find out how 24,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, April 10th @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/1967068/D50A2313FA094F6C87769BA93DC477C3
90 Percent of Critical Infrastructure Hit by Cyberattacks

A new survey of professionals in industries using industrial control systems (ICS) and operational technology (OT) finds 90 percent of respondents say their environment has been damaged by at least one cyberattack over the past two years, with 62 percent experiencing two or more attacks.

The study commissioned by Tenable from the Ponemon Institute also finds 80 percent of respondents cite lack of visibility into the attack surface, knowing what systems are part of their IT environments, as the number one issue in their inability to prevent business-impacting cyberattacks.

One graphic in the report shows the No. 1 attack experienced is: "An employee falls for a phishing scam that resulted in credential theft." Do you have a disaster recovery plan in place that takes into account having no power in your HQ? Blog post with more detail and links here:
https://blog.knowbe4.com/90-percent-of-critical-infrastructure-hit-by-cyberattacks
Get Your Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Risk and Policy Management modules, transforming KCM into a full SaaS GRC platform!

Join us Thursday, April 11th at 2:30 PM (ET) for a 30-minute live product demo of the KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Thursday, April 11th at 2:30 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/1967057/0796C66BE369DF5F2DBD00D2DE33F473?partnerref=CHN

PS: Here is what people on Reddit say about KCM:
https://www.reddit.com/r/sysadmin/comments/8l1lhd/pci_complianceiso_documentation_management/

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS, KnowBe4 was chosen for the fourth year as Top Workplace in Tampa Bay, here's more and check out the brand new insider's view VIDEO:
https://blog.knowbe4.com/knowbe4-was-chosen-for-the-fourth-year-as-top-workplace-in-tampa-bay
Quotes of the Week
"No legacy is so rich as honesty." - William Shakespeare

"Have clean hands in whatever you do. Integrity is doing the right thing when people are watching you and still making it right when they keep their eyes off." - Israelmore Ayivor

PS: The difference between Morals and Ethics? Morals is what you do when other people are watching. Ethics is what you do when you are alone. :-D



Thanks for reading CyberheistNews
Security News
Game of Thrones as Phishbait, With Hook

Game of Thrones is the top TV show used to deliver malware-infected pirated content, researchers at Kaspersky Lab have found. Threatpost says the researchers saw nearly 21,000 users attacked in 2018, even though no new episodes were released last year.

These numbers are expected to spike this year, when the eighth and final season of the show is released on April 14. “The first and final episodes, attracting the most viewers, are likely to be at greatest risk of malicious spoofing,” said Kaspersky researcher Anton Ivanov.

“Online fraudsters tend to exploit people’s loyalty and impatience, so may promise brand new material for download that is in fact a cyber threat. Keeping in mind that the final season of Game of Thrones starts this month, we would like to warn users that it is highly likely there will be a spike in the amount of malware disguised as new episodes of this show.”

New episodes aren’t the only ones at risk, however. The pilot episode of the first season was the most popular and effective for use in attacks, followed closely by the first episode of the seventh season. Kaspersky observed more than five hundred different malware families delivered via pirated Game of Thrones episodes over the course of two years.

Threatpost says the best way to avoid these infected files is to watch shows through the legal and legitimate content provider, since there’s no way to know for sure that an unofficial download is safe. Even if they don’t download pirated files, however, users should still be able to identify malicious files by their file extensions. New-school security awareness training can help your employees form good security habits. Blog post with links:
https://blog.knowbe4.com/game-of-thrones-as-phishbait-with-hook
Join KnowBe4’s Hackbuster’s Community Forum for All Things Social Engineering Today

The KnowBe4 Hackbuster's Forum is an online community dedicated to stopping the bad guys from social engineering your organization through community participation. Have a social engineering question? Someone has probably solved it before. You can browse anonymously, but you'll need a free account to post. Like most forums, screen names are acceptable to ensure privacy.

You’ll find hundreds of messages from our KnowBe4 users and staff as well as questions and answers posted by those interested in the field of cyber security and social engineering. Topics include Phishing, Ransomware, Social Engineering, Security Awareness Training Best Practices, Scripting Tools and Other Topics.

Need some down-time drama? Follow the latest social engineering TV hits like the upcoming season of Mr. Robot. You can also discuss the latest episode of "Inside Man", KnowBe4's new 12-episode video series: a compelling story, an incredible cast, and very high production values combine to create the coolest series ever streamed! We'll be waiting to welcome you when you join:
https://discuss.hackbusters.com/t/the-inside-man-world-premiere-sneak-preview-trailer-available-today/4156
Cybercrime Right in our Own Backyard

Two unrelated scammers were busted in a Verizon store in Clearwater, Florida trying to buy smartphones after taking over victims’ Verizon accounts, USA Today reports. The scammers began by sending phishing emails to victims’ email accounts posing as Verizon customer support. These emails claimed that the victim’s Verizon account had been subject to fraud, and they gave the victim a number to call.

When the victim called this number, the scammer told them that they were going to receive a PIN code on their phone, and asked them to read this code over the phone to verify their identity.

In reality, this PIN was a password reset verification code, and the victims gave the scammers what they needed to take over the victims’ accounts. The scammers then went to the Verizon store intending to buy expensive phones under the victims’ names. Fortunately, Verizon employees grew suspicious and called the police when they saw how quickly the accounts changed.

Tim Downes, a detective sergeant for the Clearwater Police Department’s economic crimes unit, told USA Today that this is a new technique that scammers use to bypass additional security measures.

“People are getting smarter and more sophisticated, and it's going to be more difficult to prevent these things from happening,” Downes said. “Be careful with these emails that you get, and people should be monitoring all their accounts and their credit report just to make sure everything is the way it should be.”

We’ve had occasion to note Verizon’s concerns about the trend toward increased attacks on mobile users before. A Verizon spokesperson told USA Today that fraudsters target around 7,000 customers each month. Verizon and Downes urge people to call the support number on the company’s website rather than relying on a number supplied in an email.

This advice applies to any email, since scammers often spoof legitimate companies and individuals using phony contact information. New-school security awareness training can teach your employees when to be suspicious and how to verify the legitimacy of emails before they fall victim to these scams. USA Today has the story:
https://www.usatoday.com/story/tech/talkingtech/2019/04/01/new-scam-targets-cell-phone-accounts-pretending-your-carrier/3331376002/
The Famous Fall Victim, Too

A Georgia resident has taken a guilty plea to charges of hacking numerous Apple accounts belonging to high-profile athletes and musicians and stealing their credit card information, according to Dark Reading.

The man sent thousands of phishing emails to NBA and NFL players, college athletes, and rappers, dozens of whom fell for the scam. The emails impersonated Apple customer support and asked the recipients to send their login credentials or the answers to their security challenges.

The man then used the victims’ credit card information to rack up thousands of dollars in personal expenses and money transfers. "The high-profile victims in this case are an example that no matter who you are, hackers like Ford are trying to get your personal information," said Chris Hacker, Special Agent in Charge of the FBI Atlanta Field Division.

"This case demonstrates the need to be careful in protecting personal information and passwords, especially in response to suspicious emails. Hopefully this is a lesson for everyone, not just the victims in this case."

Everyone is susceptible to social engineering, and people need to be taught how to avoid falling for phishing attacks. Dark Reading has the story:
https://www.darkreading.com/risk/man-pleads-guilty-to-hacking-apple-accounts-of-nfl-and-nba-players-rappers-/d/d-id/1334281
Researchers Unearth 74 Facebook Cybercrime Groups With 385,000 Members

A months-long study by Cisco Talos has identified 74 Facebook cybercrime groups with a total of 385,000 members. While some groups resembled market places for illicit goods such as payment-card information, compromised user accounts and phishing tools, others were populated by crooks ready to commit a great variety of cybercrime ‘services.’ All groups have now been removed by the social media giant.

A striking finding of the research is how easy it was for users to find and join groups. According to the report: “A simple search for groups containing keywords such as “spam,” “carding,” or “CVV” will typically return multiple results. Of course, once one or more of these groups has been joined, Facebook’s own algorithms will often suggest similar groups, making new criminal hangouts even easier to find.” Rather than actively searching for and cracking down on these illegal groups, Facebook appeared to rely on users to report them. More:
https://arstechnica.com/information-technology/2019/04/facebook-is-a-popular-venue-for-selling-all-manner-of-cybercrime-services/
What KnowBe4 Customers Say

"Hi Stu, two things: 1. I received the book you sent me. I’ll be sure to read it. Thank you! 2. We did a baseline phishing campaign and Baseline Security Awareness Training. LisaK and I have been working together, she has been very helpful... and patient with me (I’m always rescheduling calls). Our M.O. here is usually slow in adopting and rolling things out. We’ll get there. Thanks for reaching out and asking. I have to say, I really do like everything about KnowBe4, very helpful and informative!"
M.C., Facilities & IT Security Manager



"I am going to be honest, sometimes Knowbe4's Security Awareness content can be a little too silly or a little too campy for my taste. I recently watched the Inside Man and... I was impressed, and the individuals with whom I shared this content, who are very hard to please, actually were quite receptive towards the series.

It left them wanting more, the message and themes presented each episode were spot on. I will be looking forward towards a possible season 2. Good Job with this one Knowbe4."
M.J. Network Administrator
The 10 Interesting News Items This Week
    1. Cybercrime Magazine interviewed Kevin Mitnick and me at RSA - VIDEO:
      https://youtu.be/XKQ20XLt-No

    2. Check out the March 2019 KnowBe4 Fresh Content & Features Updates, some powerful new things were released, like uploading your own training content!:
      https://blog.knowbe4.com/knowbe4-fresh-content-features-updates-march-2019

    3. Tim Berners-Lee on the World Wide Web: "it seemed like a good idea at the time":
      https://www.information-age.com/tim-berners-lee-world-wide-web-123481411/

    4. The Cybersecurity 202: Arrest at Mar-a-Lago spotlights simple but pervasive threat of thumb drives:
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/04/03/the-cybersecurity-202-arrest-at-mar-a-lago-spotlights-simple-but-pervasive-threat-of-thumb-drives/5ca400e81b326b0f7f38f2f7/?

    5. It’s raining phishes out there. Do you know what your users are doing?:
      https://www.scmagazine.com/home/opinion/executive-insight/its-raining-phishes-out-there-do-you-know-what-your-users-are-doing/

    6. Report: FBI Fails to Promptly Notify Cybercrime Victims:
      https://www.databreachtoday.com/report-fbi-fails-to-promptly-notify-cybercrime-victims-a-12334

    7. I contributed to this new 2019 Legal Report: "AI Is Here To Stay: Are You Prepared?":
      https://blog.knowbe4.com/new-2019-report-ai-is-here-to-stay-are-you-prepared

    8. Pen testers used spear phishing and broke into university networks in just two hours:
      https://www.zdnet.com/article/hackers-broke-into-university-networks-in-just-two-hours/

    9. This new malware is scanning the internet for systems info on valuable targets:
      https://www.zdnet.com/article/this-new-malware-is-scanning-the-internet-for-systems-info-on-valuable-targets/#ftag=RSSbaffb68

    10. Researchers Find Google Play Store Apps Were Actually Government Malware:
      https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv

    11. BONUS: Phishing Malware "Distribution Centre" Uncovered. Major Amazon-esque distribution facility hidden in plain sight:
      https://www.itproportal.com/news/phishing-malware-distribution-centre-uncovered/
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.