CyberheistNews Vol 9 #23 [Heads-Up] Scary Phishing Attack Uses Legal Threats From Law Firm



Brian Krebs just posted the following alert: "Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else."

Here’s a look at a recent phishing campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word documents. The template was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message.

Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word docs to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22, ten whole days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customized or convincing. But I could see a kit that tried only slightly harder to get the grammar right and more formally address the recipient doing quite well: Legitimate-looking legal threats have a way of making some people act before they think. Full article with phishing template and links:

[May 30 Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats — and just as importantly — effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Thursday, May 30 at 2:00 pm (ET), for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Thursday, May 30 at 2:00 pm (ET)

Could Not Make It to KB4-CON 2019? Here's the Best Trip Report!

Gary Miliefsky, Publisher of Cyber Defense Magazine, was there for the full CON and wrote an awesome trip report, featured prominently on their site. He started out with: "KnowBe4’s second annual user conference was held at the World Center Marriott in Orlando, Florida and is open to KnowBe4 customers. This was the ideal location and conference for CISOs, security awareness training administrators and other InfoSec professionals who want to get one step ahead of the next threat.

"I enjoyed, like most attendees, the new information shared on upcoming social engineering methods and tactics, some of which were very scary, such as DeepFake, which I’ll tell you more about shortly. They also covered some great topics such as how to create a security culture and get the budget you deserve for your InfoSec initiatives. There was an incredible lineup of speakers and I had time to catch up with my friend and favorite InfoSec genius Winn Schwartau." Here is the full Trip Report:

[Watch Now] What Most Computer Security Defenses Are Doing Wrong - and How to Fix It

Most companies have huge gaps in their computer security defenses, and can be compromised at will by a determined hacker. The industry even has a term for it: “Assume Breach”. But it doesn’t have to be that way!

Join Roger A. Grimes, a 30-year computer security consultant and author of 10+ books, for this on-demand webinar where he explores the latest research on what’s wrong with current network defenses and how they got this way. You’ll leave this webinar with a fresh perspective and an action plan to improve the efficiency and effectiveness of your current computer security defenses.

[InfoGraphic] Q1 2019 Top-Clicked Phishing Email Subjects

Every quarter, KnowBe4 reports on the top-clicked phishing emails by subject lines in three categories: Social, General, and 'In the Wild'. The latter category results come from the millions of users that click on our Phish Alert Button to report real phishing emails and allow our team to analyze the results.

Social Media Is Now a Part of Everyday Business

A major trend this quarter is that half of all social media-related subjects looked like they were coming from LinkedIn. We've seen this particular message type trending upward quarter over quarter, which is significant because many LinkedIn users have their accounts tied to their corporate email addresses.

Such a high percentage increases corporate risk of a phishing attack, ransomware breach or other social engineering-related threat. Social media sites in general are a crucial piece in the cybercrime economy. According to recent research from Bromium, cybercriminals earn at least $3.25B per year from social media-enabled cybercrime.

As tempting as it may be to click in emails to see who viewed your profile or who wants to connect, it's more important than ever to think before you click and log in to your account directly.

Hackers Tap Into Emotions, Causing Panicked Reactions

Aside from social media-related messages, a lot of subject lines contained phrases like de-activation of email, failed delivery and action required to elicit a sense of urgency from the user. These types of attacks are effective because they cause a person to react without thinking logically about the legitimacy of the email. Notices about delivery attempts, Amazon orders, and HR-related messages also prove to be too enticing to ignore for many users.

See the infographic with all top messages in each category for last quarter and share it with your users:

[Live Demo and Q&A] Simulated Phishing and Security Awareness Training

Old-school awareness training does not hack it anymore. Your email filters have an average ~10% failure rate; you need a strong human firewall as your last line of defense.

Join us, Wednesday, June 5 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
  • Identify and respond to email threats faster. Enhance your incident response efforts with the PhishER add-on!
Find out how 25,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, June 5 @ 2:00 pm (ET)


Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Human greatness does not lie in wealth or power, but in character and goodness. People are just people, and all people have faults and shortcomings, but all of us are born with a basic goodness." - Anne Frank, (1929 - 1945)

"Every new day is another chance to change your life." - Rumi, (1207 - 1273)

Thanks for reading CyberheistNews

Security News

Tracking Emotet: From Banking Trojan to Payload Delivery Service

Researchers at Proofpoint believe attacks using the Emotet malware will continue to rise throughout 2019. Proofpoint published research tracking the malware and the threat actor behind it, known as “TA542” or “Mealybug,” and showing how Emotet became one of the most versatile and dangerous threats facing organizations around the world.

When Emotet was first spotted in 2014, it was being used to deliver TA542’s custom-made banking Trojan. Over the years, however, its developers continually added new functionalities. The current version of Emotet is polymorphic, so it can evade signature-based antivirus software. It also has worming capabilities which allow it to spread across a network by itself after an initial system is compromised.

As the malware evolved, TA542’s business model changed as well, and the group switched from delivering its own banking Trojan to using Emotet as a dropper for other types of malware or third-party banking Trojans, including IcedID, Dridex, Trickbot, and a number of others. These Trojans, along with Emotet, are frequently utilized to set up and deploy sophisticated ransomware attacks.

TA542 distributes its malware by sending out millions of phishing emails using a botnet, which is also called Emotet. The attackers craft their emails to impersonate well-known shipping companies, banks, and telecommunications companies. These emails usually consist of brief messages relating to a missed or impending payment and contain malicious attachments or URLs.

The researchers also say that the group last month began using email thread hijacking to trick victims into thinking the phishing emails are replies to their previous emails. The vast majority of Emotet infections can be avoided if users know how to recognize social engineering attacks. New-school security awareness training can reduce the risk to your organization by teaching your employees about the evolving tactics used by attackers. Proofpoint has the story:

Unemployment As Phishing Opportunity

Brazil held its position as the country with the most Internet users attacked by phishing scams in the first quarter of 2019, with nearly 22% of users in the country experiencing an attack, according to Kaspersky Lab. The Brazilian Report notes that the attackers are taking advantage of Brazil’s very high unemployment rate to exploit people who are desperate to find a job.

In Q1 2019, a quarter of the country’s workforce was unemployed or underemployed, and 5.2 million Brazilians have been without a job for more than a year.

Kaspersky said the rising number of phishing attacks in the country was partly due to a widespread, sophisticated phishing scam that invited victims to sign up with a large recruitment agency to trick them into installing a banking Trojan.

Reclame Aqui, Brazil’s top consumer protection organization, said that 30% of the complaints it received last quarter involved phony job offers or fraudulent recruiting agencies. One of these scams, which was spread over WhatsApp, succeeded in reaching more than a million people in just one day.

Emilio Simoni from PSafe told the Brazilian Report that the hackers “rely on the fact that many people innocently share these malicious links intending to help people they know who are out of the job market.”

Attackers always try to manipulate people during times of crisis, either by taking advantage of their victims’ good intentions or exploiting their desperation. New-school security awareness training can help your employees avoid falling victim to these contemptible scams. The Brazilian Report has the story:

Spam Emails Use Redirection URLs to Deliver Trickbot

A phishing campaign is employing Google redirection URLs to trick users into downloading the Trickbot banking Trojan, researchers from Trend Micro have found. The malicious emails come in the form of fairly authentic-looking purchase confirmation notices with links for users to track their orders and view their receipts.

When a recipient clicks on one of these links to find out what someone has ordered using their account, they’ll be redirected to an order review page that tells them that their “order will be available in three seconds.”

A .zip file containing the Trickbot downloader will then be installed on their system.

The researchers explain that the use of redirection URLs helps the messages bypass email filters and makes users more likely to trust the links. They add that while this isn’t a new method of disguising phishing links, it’s worth noting that the technique is still effective.

“The way it uses this old trick might be its latest attempt to bypass spam filters using “good URLs” and abuse their services and/or functions,” the researchers write. “Since the URL in the email is that of a well-known service, the cybercriminals behind Trickbot might be betting on ‘masking’ its infection and getting in a few more clicks in the infection chain with a stealthier approach.”
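Defender-side triage for the redirection technique described above, as an added example that is not from the original newsletter or from Trend Micro: it unwraps redirector links in a message body without making any network request and reports the host each link really leads to. The `/url?q=` link shape, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the redirector keeps its target in a "q" or "url" query
# parameter on a /url path (the page does not give the exact link format).
REDIRECT_PARAMS = ("q", "url")
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z.]{2,6}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MAX_HOPS = 5  # redirectors can be nested; stop unwrapping after this many


def unwrap(url):
    """Follow redirector parameters offline; return (final_url, hops)."""
    hops = 0
    while hops < MAX_HOPS:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not (GOOGLE_HOST.match(host) and parts.path == "/url"):
            break
        query = parse_qs(parts.query)  # parse_qs also percent-decodes
        target = next((query[p][0] for p in REDIRECT_PARAMS if p in query), None)
        if not target or not target.lower().startswith(("http://", "https://")):
            break
        url, hops = target, hops + 1
    return url, hops


def triage(body):
    """Return one finding per link whose visible host hides another one."""
    findings = []
    for link in URL_RE.findall(body):
        final, hops = unwrap(link)
        if hops == 0:
            continue
        final_parts = urlsplit(final)
        findings.append({
            "link_host": urlsplit(link).hostname,
            "final_host": final_parts.hostname,
            "hops": hops,
            "archive": final_parts.path.lower().endswith(".zip"),
        })
    return findings


# Constructed sample message; the link targets are reserved example hosts.
SAMPLE = (
    "Your order has shipped. Track it here: "
    "https://www.google.com/url?q=https%3A%2F%2Fshop.example.net%2Forder%2Freview.zip\n"
    "Receipt: https://www.example.com/receipts/1001\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A mail filter or reported-message pipeline would apply its reputation and attachment policy to `final_host` rather than to the well-known host shown in the link.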

Trickbot itself is a well-known, advanced banking Trojan with a modular structure that allows attackers to customize the malware and add new functionalities and exploits. In addition to stealing a wide variety of sensitive data, Trickbot has self-propagation, persistence, and detection evasion capabilities. It’s also often used as a precursor to devastating targeted ransomware attacks.

Since Trickbot is almost always delivered via emails with malicious links or attachments, infections can be avoided if users are familiar with phishing techniques. New-school security awareness training can provide your employees with in-depth, practical knowledge of these attacks so they can spot them in the real world. Trend Micro has the story:

What KnowBe4 Customers Say

"Stu, I wanted to take a moment and give kudos and appreciation to Christina L and her awesomeness. As you can imagine my position is met with all kinds of vendors wanting to take me somewhere or give me something and sadly very little meaningful partnership level contributions. When I joined my earlier company, they had your product, it wasn’t doing much, it was our fault, and I was honestly on the fence because like most “geeks”, I know what I used to have so I’ll just swap it out.

Christine quickly changed that for me with her engagement and helped me create what I think is one of the best products I can give my business for phishing education. Honestly, without her time and effort working with me on this, I would not have been able to figure it out. With that being said, find a way to create 10 more like her. Her genuine desire to help without the other “stuff” is truly what makes a partnership. I look forward to talking about a 3yr commitment when we come up for renewal."
- G.V., Enterprise Security

"Hi Stu, Thanks for reaching out! I can certainly say we are happy campers with KnowBe4. We’ve already completed our baseline phishing test (phish prone % was a little higher than the industry standard for our size) and we’re in the middle of our first training campaign now. We’ve received nothing but positive feedback from our end users.

You have yourself a great product. We’ve had a couple suggestions for the platform which we brought to our Customer Success Manager’s attention and funny enough most of them were already acknowledged and planned on being integrated in the near future.

Thanks again for touching base with us! Very nice personal touch. I’ve also seen you post on SpiceWorks before and I think it’s great you find time to post among the community.
Best regards."
- C.J., Network Supervisor

The 10 Interesting News Items This Week
    1. KnowBe4 Focuses on Security Culture with CLTRe Acquisition
    2. Is Healthcare Sector Better Prepared for Ransomware Attacks?
    3. Tax delays and canceled home sales: Cyberattacks are taking a big personal toll on people's lives
    4. How to defend against scams: 14 red flags everyone needs to be aware of
    5. How Would You React? What ‘Killing Eve’ Can Teach Us About Social Engineering
    6. NSA-Created Malware Wreaking Havoc on American Cities That Did Not Patch Their Systems
    7. Why You Should Never Use Airport USB Charging Stations
    8. Rats leave the sinking ship as hackers’ forum gets hacked
    9. Another WannaCry May Be Coming – Are You Ready?
    10. Traveler Beware: Your Loyalty Rewards Points And Personal Data Are Catnip For Cyberthieves
Prepared in cooperation with the CyberWire research team.
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
