CyberheistNews Vol 9 #16 The City of Tallahassee Lost Half a Million Dollars in an Insidious Payroll Attack

CyberheistNews Vol 9 #16
The City of Tallahassee Lost Half a Million Dollars in an Insidious Payroll Attack

Hackers stole approximately 500K from the city of Tallahassee, Florida, by diverting city employees’ paychecks, according to USA Today. The attackers hacked a third-party vendor that provides the city’s payroll services, and then redirected direct deposit payments to attacker-controlled accounts.

Tallahassee officials only learned of the attack after they were contacted by the city’s bank. The incident is still under investigation, but city spokeswoman Alison Faris said the attack is suspected to have originated outside of the US.

City officials said attackers try to compromise the city’s defenses every day, and last month a malicious Dropbox link was sent out from the email account of the city manager. Officials don’t believe this attack was related to the payroll theft, although IT experts noted that this type of phishing attack is often a precursor to more advanced attacks.

“Usually the way they get in is through email," Blake Dowling, CEO of Aegis Business Technologies, told USA Today. “Those happen all the time. If you’re not trained to be on the lookout for something, about how that may look or feel or the implications, it can bring your city to a crawl.”

Even secure networks are vulnerable to employees making a simple mistake and accidentally opening the door to an attacker. Supply-chain attacks like this one can have far-reaching impacts that can cripple a vendor’s reputation. New-school security awareness training can help your employees defend themselves against phishing attacks. USA Today has the story:
Live Webinar: What Keeps IT Pros Like You up at Night

You try to protect your organization the best you can, but you’re being pulled in a million directions, attempting to secure every possible attack vector. The problem is that cybercriminals are constantly evolving their tradecraft, becoming more daring, sophisticated, and successful at cyberattacks and making it increasingly difficult for IT to keep the bad guys out.

With so many possible issues for you to address, what do other IT pros like you really have a handle on and what’s keeping them lying awake at night?

In this highly informative webcast, join cybersecurity expert and Microsoft MVP, Nick Cavalancia, and Erich Kron, KnowBe4's Security Awareness Advocate, as they discuss the results of KnowBe4’s 2019 What Keeps You up at Night Report.

Topics will include:
  • Attack Types
  • Security Initiatives
  • Compliance vs. Security
  • User-Related Issues
  • Resource Issues
  • Executive-Level Concerns
Date/Time: This Wednesday, April 17 at 2:00 PM ET

Save Your Spot:
Reuters: "Cybersecurity Firm Cofense Says Pamplona to Sell Stake After U.S. Probe"

(Reuters) - U.S. cybersecurity firm Cofense Inc said on Wednesday that buyout firm Pamplona Capital Management is seeking to sell its stake in the company following a year-long probe by U.S. national security regulators.

Pamplona declined to comment.

The pressure to divest comes as Washington increases scrutiny on foreign ownership of U.S. technology companies, including by China, and is paying closer attention to deals that could compromise the personal data of U.S. citizens.

The U.S. intelligence community’s 2019 Worldwide Threat Assessment report cited Russia’s efforts to interfere in the U.S. political system. Pamplona bought a minority stake in Cofense, which serves major corporations, in February 2018, when the company was known as PhishMe. Pamplona’s funds been partly backed by Russian billionaire Mikhail Fridman, who was on a February 2018 “oligarchs’ list” published by the U.S. Treasury Department, sources familiar with the matter said.

The Committee for Foreign Investment in the United States (CFIUS), which reviews deals for potential security risks, first contacted the company with questions about a month later, Cofense said in a one-page statement, providing a rare look at how CFIUS interacts with companies it scrutinizes. The committee spent the next several months investigating Pamplona’s stake in Cofense, it added. More detail, background and links to WSJ article:
Find out How Many Weak Passwords Are in Your Network for a Chance to Win a Nintendo Switch

Are your users' passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords. Employees are the weakest link in your network security.

KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action. Plus if you're in the US or Canada, you’ll be entered for a chance to win a Nintendo Switch!*

This will take you 5 minutes and may give you some insights you never expected!

Find Your Weak Passwords:

* Terms and conditions apply.
FireEye: 1 Out Of 101 Emails Are Malicious

FireEye recently reiterated their analysis that 1 out of 101 emails are malicious and email continues to be the #1 threat vector for cyber attacks: FireEye continues to detect an average of over 14,000 emails with malicious attachments or URLs per customer per month that get past the filters."

That's really big numbers! Remember the famous Bruce Schneier quote: “Security is a process not a product.” Part of that process is creating and maintaining a human firewall to manage the ongoing problem of social engineering.
Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Wednesday, April 24th at 2:00 pm (ET), for a live 30-minute demo of the new PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: Wednesday, April 24th at 2:00 pm (ET)

Save my Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Nothing is easier than self-deceit. For what each man wishes, that he also believes to be true."
- Demosthenes, Statesman (384 - 322 BC)

"The best way out is always through." - Robert Frost, Poet (1874 – 1963)

Thanks for reading CyberheistNews
Security News
Ottawa City Treasurer Sends 100K Dollars to Fraudsters in Email Phishing Scam

The treasurer of the city of Ottawa, Marian Simulik, fell for a business email compromise (BEC) scam and sent 100K to a scammer, the city’s auditor general revealed this week. Simulik received an email last July from a fraudster posing as the city manager.

The email asked her to wire the money to an IT supplier in the US. Ottawa’s website was undergoing an overhaul at the time, and Simulik assumed the request was related to this. She researched the IT supplier and conversed with the attacker via email before sending the money to a bank account in the US.

Simulik realized her error several days later, when she received another bogus request for 150K. This email arrived when she was at a council meeting with the city manager, so she asked him personally about the request. The manager knew nothing about the matter, and Simulik told him about the money transfer that took place days earlier.

Simulik was apparently mortified that she fell for the scam. "That I should be the target and victim of this sophisticated attack has affected me deeply both professionally and personally," she said.

Ottawa’s auditor general also revealed that the treasurer’s office had been targeted by a different BEC attack several months earlier, when an email purporting to come from the CEO of the city’s public library requested a money transfer. This incident was identified as a scam before any money was sent, but treasury staff failed to report the event to security personnel.

In response to these incidents, the city has implemented measures to prevent the same employee from creating and approving a money transfer. It also plans to require mandatory awareness training for city employees. New-school security awareness training can help your employees identify these scams. And that kind of training can help your users, your last line of defense, understand and follow sound policies with respect to important matters like fund transfers. CBC has the story:
Get Ready for the First Wave of AI Malware

This is an excerpt from an article in SecurityWeek by Gunter Ollmann, who is currently the CSO of Microsoft’s Cloud and AI Security division. He is a seasoned information security leader.

With the proliferation of artificial intelligence (AI) technology shaping the digital world at an increasing pace, Gunter Ollmann expects that the first examples of AI-driven malware will emerge in the next two to three years. He outlines 6 different capabilities of AI malware that should be relatively easy to develop:
  • Automated compromise of systems and networks that does not require frequent communications between the malware and the command-and-control (C&C) server of the attacker.
  • Identification of the most valuable data on compromised systems through data labeling and classification, which will involve machine learning (ML).
  • Employment of conversational AI to participate in email and chat communications on compromised devices while masquerading as targeted users in order to socially engineer coworkers of victims.
  • Use of AI-driven speech to text translation in order to capture valuable information from the environment that can be recorded with the microphone of a compromised machine.
  • Use of embedded cognitive AI in order to determine various characteristics of victims and deploy payloads only if victims meet certain criteria.
  • Creation of a “bio-profile” of users based on their behavioral characteristics in order to bypass advanced behavioral monitoring systems.
Read more:
Pro Tip: Social Security Numbers Can’t Be “Suspended”

A popular robocall scam is telling people that their Social Security numbers have been “suspended,” and then asking them to call back to speak a government agent about the issue, BleepingComputer reports. Some of these scams even threaten to issue an arrest warrant if the victim doesn’t respond.

If a victim calls back, the scammer will attempt to trick them into giving up sensitive personal information. The Federal Trade Commission (FTC) stresses that Social Security numbers can’t be suspended, and the Social Security Administration will never threaten to arrest anyone.

“Thing is, Social Security numbers do not get suspended,” the FTC states. “This is just a variation of a government impostor scam that’s after your SSN, bank account number, or other personal information. In this variation of the scheme, the caller pretends to be protecting you from a scam while he’s trying to lure you into one.”

Robocall scams are very efficient for attackers, because they know that anyone who calls their number is probably gullible enough to be manipulated further. These scams use fear to make people think it’s worth following up just to be sure. BleepingComputer has the story:
What's the Best Name? ThreadJacking or Man-in-the-Inbox Attacks?

We are seeing a new type of attack popping up more and more. Bad guys send a phishing attack and steal the credentials of your employee. But they stay under the radar and lurk for a while to understand the email traffic and the people the compromised account regularly talks to.

Next, they reply to an existing thread with a socially engineered message and attach a malicious attachment that will compromise the workstation of the recipient if they open it up.

This is a type of attack that's hard to defend against, because the email comes from a trusted source, and software layers like spam filters and DMARC do not protect against this either. You might hope that your endpoint security solution catches it, but that's not at all guaranteed either. The ideal scenario is that your employee grabs the phone and asks the sender about the attachment but we all know this does not always happen.

To catch this type of an attack, your employees need to be hyper vigilant and understand that this is something that's possible and they might get one of these attacks.

Now, here is the question:

KnowBe4 would be able to generate this type of simulated attack, but it has a potential drawback we'd like your feedback on, i.e. the amount of help desk and disruption it would cause if employees thought other employee's email account was compromised.

Is this a feature you'd like to see? Or is might this cause too much blowback? Let us know! It's a 3-question, 60-second survey. Thanks in advance! Here is the link to SurveyMonkey:
What KnowBe4 Customer Say

"We love the system, its features and the CSM-guided process. I really, really wish other companies would on-board customers to their products the way you do. Hunter is fantastic, too. Not once did I ask a question that he didn’t have a ready, and correct, answer for. Just. Wow. Dude. Quote me!" Regards, W.P, Managing Consultant

"Hi Stu, My apologies for the delay in responding to this email. I have a small team and wear many hats. We are thrilled with the KnowBe4 product. We have completed our baseline phishing campaign and a second one. Our phish-prone percentage dropped from 24.3% to 6.8% after only one campaign. More importantly, we had a good percentage of our users report the email through the Phish Alert button.

We have sent out an initial security awareness training campaign with two videos and roughly 90% of our staff has watched them. We also sent out two additional training campaigns for one-time and multiple time clickers. The feedback has been overwhelmingly positive around the training.

I believe our staff is more engaged and more aware and this will continue thank you to the KnowBe4 product. With Gratitude, S.S. CIO/VP of IT
The 10 Interesting News Items This Week
    1. [VIDEO] Explaining Attacking Phishing With SOAR and Security Culture:

    2. Hey Secret Service: Don't Plug Suspect USB Sticks into Random Computers:

    3. Tampa Bay Tech Leaders Tech Reading List and Podcast Recommendations:

    4. Half of security pros would rather walk barefoot in a public restroom than use public Wi-Fi:

    5. Russian MPs Approve Controversial Bill Restricting Internet:

    6. A quarter of phishing emails bypass Office 365 security:

    7. Sextortion Scammers Change Tactics to Bypass Spam Protection:

    8. It's Not Just You They're After -- It's Your Supply Chain Too:

    9. IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them:

    10. New Cyberattack by Group Behind TRITON/TRISIS Reported:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • MOVIE of the month: BREACH. FBI upstart Eric O'Neill enters into a power game with his boss, Robert Hanssen, an agent who was put on trial for selling secrets to the Soviet Union. This is a great movie based on a true story:

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Weak Password Test Contest

Get the latest about social engineering

Subscribe to CyberheistNews