CyberheistNews Vol 9 #26 [Heads-up] The U.S. Launched A Cyber Attack On Iran, And We're Expecting Spear Phishing Strike Backs


The tension in the Middle East apparently prompted a game-changing move by the U.S. President. Washington Post sources say that, exactly 10 years after Stuxnet, the President approved a cyberattack that took down Iranian missile control computers on the night of June 20th. The exact impact of the Cyber Command operation isn't clear, but it was described as "crippling".

The Wall Street Journal reported that Iran may attempt to retaliate with spear-phishing strike back attacks against the U.S. if the tension in the Middle East continues to escalate.

Researchers at FireEye and CrowdStrike have spotted phishing campaigns linked to a known Iranian hacking group that possesses powerful, destructive tools like the Shamoon disk-wiper, which was recently used to attack Saudi Government targets and literally destroyed 35,000 machines at Saudi Aramco in 2012.

The Department of Homeland Security's cyber-security agency is warning of increased cyber-activity from Iranian hackers, and urging US companies to take protective measures against these hacker groups' most common practices -- the use of data-wiping malware, credential stuffing attacks, password spraying, and spear-phishing. The warning was published in a tweet by the Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs.

CrowdStrike said the targeting appeared focused on U.S. government and energy sector entities, including oil and gas, and that it had seen email lures posing as messages from the White House’s Executive Office of the President.

Adam Meyers, CrowdStrike’s vice president of intelligence, said “They are going to potentially look for ways to retaliate in the event that there is an attack, and disrupting the global energy market would fall well within the area they see as appropriate."

Iranian hackers are seen as having a more limited ability to penetrate American critical infrastructure networks than Russia or China, a U.S. intelligence official said. But U.S. national security agencies are concerned, nonetheless, that Iran may seek to disrupt the power grid or other critical infrastructure if the hostilities persist, the official said.

IT pros did not sign up for this, but they are finding themselves in the trenches of a cyberwar that seems to be heating up consistently. Most bad actors go for the most available attack surface—your employees—with social engineering attacks. Make sure you step them through new-school security awareness training. Post with links:
USD 600,000 Loss Caused by Florida City Police Dept User Who Falls for Ransomware Attack

It was all over the press, and even made it in the New York Times: "The leaders of Riviera Beach, Fla., looking weary, met quietly this week for an extraordinary vote to pay nearly $600,000 in ransom to hackers who paralyzed the city’s computer systems.

"Riviera Beach, a small city of about 35,000 people just north of West Palm Beach, became the latest government to be crippled by ransomware attacks that have successfully extorted municipalities and forced them to dig into public coffers to restore their networks.

Even large cities, however, have had to pay smaller ransoms than Riviera Beach. On Monday, the City Council unanimously agreed to have its insurance carrier pay the hackers 65 Bitcoin, a hard-to-trace digital currency, amounting to about $592,000. By making the payment, the City Council hopes to regain access to data encrypted in the cyberattack three weeks ago, though there is no guarantee the hackers will release the data once payment is received.

A Police Department Employee Opened an Infected Email Attachment

The Riviera Beach attack began on May 29 after a police department employee opened an infected email attachment, The Palm Beach Post reported. Down went all of the city’s online systems, including email and some phones, as well as water utility pump stations. Utility payments could not be accepted other than in person or by snail mail — and even then, only by check or cash."

Don't let this happen to you. Step your users through new-school security awareness training ASAP.
[NEW Report] 2019 Phishing by Industry Benchmarking

As a security leader, you’re faced with a tough choice.

Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up!

IT security seems to be a race between effective technology and clever attack methods. However, there’s an often-overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

The 2019 study analyzed a data set of nearly nine million users across 18,000 organizations with over 20 million simulated phishing security tests. In this report, research from KnowBe4 highlights employee Phish-prone™ percentages by industry, revealing at-risk users that are susceptible to phishing or social engineering attacks. Taking it a step further, the research also reveals radical drops in careless clicking after 90 days and 12 months of new-school security awareness training.

Find out How Your Organization Compares to Your Peers of Similar Size!

Download this new whitepaper now:
“File Deletion” Alert Becomes the Latest Scam to Compromise Office 365 Credentials

Attackers use simple cause for concern as the basis of a scam intent on tricking victims into offering up their Office 365 credentials.

A very official-looking email is making the rounds, taking advantage of the approximately 50% of companies today using Office 365. And it’s not surprising, as Microsoft is the most impersonated brand in phishing attacks today. According to a recent article at Bleeping Computer, this attack takes advantage of the victim’s worry about files being deleted. Creating a sense of urgency is a common tactic in phishing emails, as it is sufficient to get recipients to move into action.

Upon clicking the email, users are presented with a similarly realistic-looking Office 365 logon page:

Note the URL in the image above - while looking like the real thing, it's most-definitely not from Microsoft, but does use a context-signaling domain of Scams like this seek to capture user credentials to either be sold on the Dark Web or to further a more complex fraud or data theft attack on an organization.

Users should be encouraged to scrutinize emails and logon pages for URLs used to ensure the page being used for authentication to Office 365 is, in fact, on the domain. Organizations putting users through continual security awareness training already have this attack method covered, effectively preparing users to spot fake emails well before they can be fooled by look-alike logon pages. Full post with screenshots:
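As an added example (not code from the original post or from KnowBe4), here is a small Python triage helper that applies the URL check described above to a list of sign-in links. The allow-list of trusted domains and the brand strings are assumptions chosen for illustration, and the sample URLs use placeholder `.example` hosts. It flags the look-alike patterns that land a user on a fake logon page: a trusted name buried as a subdomain of some other domain, the real hostname hidden behind an `@` userinfo section, a non-ASCII (homoglyph) label, and a trusted domain served over plain HTTP.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this example: registrable domains under which a genuine
# Office 365 sign-in page may appear. Not a complete statement of Microsoft's hosts.
TRUSTED_LOGIN_DOMAINS = ("microsoftonline.com", "office.com", "microsoft.com", "live.com")

# Brand strings whose presence anywhere else in a hostname is a look-alike signal.
BRAND_STRINGS = ("microsoft", "office365", "office", "outlook", "o365")


def check_login_url(url):
    """Classify one sign-in URL. Returns (verdict, hostname) where verdict is one of
    'trusted', 'trusted-domain-plain-http', 'lookalike', 'untrusted' or 'invalid'."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # lowercased; port and userinfo already removed
    if parts.scheme.lower() not in ("http", "https") or not host:
        return ("invalid", host)
    host = host.rstrip(".")

    # "https://login.microsoftonline.com@evil.example" really goes to evil.example;
    # the trusted name is only the userinfo part of the URL.
    if parts.username is not None:
        return ("lookalike", host)

    # Non-ASCII labels can be homoglyphs for Latin letters; check this before the
    # suffix match, because "lоgin.microsoftonline.com" with a Cyrillic "о" still
    # ends in a trusted suffix.
    if not host.isascii():
        return ("lookalike", host)

    # Genuine: the host IS a trusted domain or a subdomain of one.
    for domain in TRUSTED_LOGIN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            if parts.scheme.lower() == "https":
                return ("trusted", host)
            return ("trusted-domain-plain-http", host)

    # Brand name present but not under a trusted domain, e.g.
    # login.microsoftonline.com.notice.example or secure-office365-login.example
    if any(brand in host.replace("-", "") for brand in BRAND_STRINGS):
        return ("lookalike", host)

    return ("untrusted", host)


def triage(urls):
    """Apply check_login_url to a batch of links, e.g. extracted from a reported email."""
    return [(url, *check_login_url(url)) for url in urls]


# Constructed sample links; every non-Microsoft host is a placeholder .example name.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "http://login.microsoftonline.com/",
    "https://login.microsoftonline.com.file-deletion-notice.example/",
    "https://login.microsoftonline.com@file-notice.example/",
    "https://secure-office365-login.example/",
    "https://l\u043egin.microsoftonline.com/",  # Cyrillic "о" in "login"
    "https://example.org/login",
    "not a url",
]

if __name__ == "__main__":
    for url, verdict, host in triage(SAMPLE_URLS):
        print(f"{verdict:26} {host!s:45} {url}")
```

The suffix test (`host == domain or host.endswith("." + domain)`) is the whole point: a URL is only genuine when the registrable domain at the right-hand end of the hostname is a trusted one, no matter how much of the trusted name appears further left.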
[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, TOMORROW, June 25 @ 2:00 pm (ET), for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, June 25 @ 2:00 pm (ET)

Save My Spot!
UK Forensic Crime Labs Shut Down Due to Ransomware Attack

Every police force across England and Wales has been forced to prioritize evidence for forensic testing following a criminal cyber attack affecting one of the primary forensic service providers to UK policing.

The National Police Chiefs' Council (NPCC) has temporarily suspended all law enforcement submissions to the labs, following a ransomware attack on the provider which has disrupted many of its IT systems in several countries.

The NPCC said it is working alongside partners in the Association of Police and Crime Commissioners (APCC) to safeguard UK policing and the criminal justice system from the impact of the attack. It said it is too early to "fully quantify the impact". Full story and links here:
See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 10-15% failure rate; you need a strong human firewall as your last line of defense.

Join us on Wednesday, July 10 @ 2:00 pm (ET), for a live demonstration of KnowBe4’s new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 26,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, July 10 @ 2:00 pm (ET)

Save My Spot!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Who in the world am I? Ah, that's the great puzzle." - Lewis Carroll, Writer (1832 - 1898)

"Reflect upon your present blessings - of which every man has many - not on your past misfortunes, of which all men have some." - Charles Dickens, Writer (1812 - 1870)

Thanks for reading CyberheistNews
Security News
Average Cost of Ransomware Attack Is 900K

Ransomware attacks still pose a grave and growing threat to organizations in every industry, according to Threatpost. Verizon’s most recent Data Breach Investigations Report showed that ransomware attacks still account for nearly a quarter of reported malware attacks, and a SentinelOne report found that the average total cost of each of these attacks is $900,000.

Just this past week, the city council of Riviera Beach, Florida, voted to pay a 600K ransom to get the city’s systems back online after three weeks of downtime.

It’s not clear yet if Riviera Beach will actually get its files back after paying, but it’s not hard to see why ransomware victims might want to pay up. The cities of Baltimore and Atlanta refused to cave to attackers’ demands, and the requested ransom payments now appear meager compared to the tens of millions of dollars both cities are paying in recovery costs.

Paying ransom is a controversial subject, and each case is different. Companies have gone out of business due to ransomware attacks, and in the case of hospitals, human lives could be at stake. Brett Callow, spokesperson for Emsisoft, told Threatpost that companies may decide to roll the dice by paying because they don’t see any alternative.

“It’s easy to say that companies should never pay, but it’s also quite unrealistic,” said Callow. “The reality is that making payment may be the only option that will enable a company to become operational again within a reasonable period of time. It’s very much a case of ethics versus business necessity.”

Regardless of the circumstances, however, paying ransom inevitably encourages more attacks against increasingly sensitive targets, as attackers learn which targets are most likely to make victims pay up. Reputational damage is also worth taking into account.

Shlomie Liberow, technical program manager at HackerOne, points out that the cheapest and smartest option is to implement policies and protections to prevent ransomware from getting onto a system in the first place.

“Difficult as it may seem to prevent these attacks, when it comes to ransomware, prevention is always better than cure,” Liberow told Threatpost. “This means ensuring all systems are up to date with the latest patches and that there are no security vulnerabilities or weaknesses which could leave an organization exposed to attackers.”

Almost all ransomware attacks begin with human error. The attacks against Baltimore and Riviera Beach were due to an employee falling for a phishing email. In Atlanta’s case, the attackers brute-forced weak passwords.

New-school security awareness training can enable your employees to resist social engineering and teach them to implement security best practices. Threatpost has the story:
SaaS, Webmail Phishing Surpasses Payment Phishing

Phishing attacks targeting software-as-a-service and webmail have overtaken payment phishing for the first time, according to the Anti-Phishing Working Group (APWG).

HostReview reports on the APWG’s most recent quarterly report on phishing trends, which found that SaaS and webmail phishing made up 36% of phishing attacks in Q1 2019, up from 30% in the previous quarter. Meanwhile, attacks targeting payment services fell from 33% in Q4 2018 to 27% in Q1 2019.

Greg Aaron, a Senior Research Fellow with APWG, commented that these services are appealing to attackers because they offer valuable information that can lead to further attacks.

“Phishers are interested in stealing logins to SaaS sites because they yield financial data and also personnel data, which can be leveraged for spear-phishing,” he said.

Another finding in the report is that phishing sites using HTTPS have reached a record high, with 58% of phishing sites possessing SSL certificates. John LaCour, CTO of PhishLabs, says the increase is due to the fact that these certificates are now trivial to obtain, combined with the fact that most browsers now alert users when they visit a site that doesn’t use HTTPS.

“In Q1 2019, 58 percent of phishing sites were using SSL certificates, a significant increase from the prior quarter where 46 percent were using certificates,” said LaCour. “There are two reasons we see more. Attackers can easily create free DV (Domain Validated) certificates, and more web sites are using SSL in general.

More web sites are using SSL because browsers warn users when SSL is not used. And most phishing is hosted on hacked, legitimate sites.”

APWG’s report shows clear trends in phishing targeting and methodology, which correlate with the increased use of certain technologies. New-school security awareness training can help your employees stay up-to-date on these trends so they know what to watch out for as they go about their jobs. HostReview has the story:
Bogus Emails: 3.4 Billion Are Sent Every Day...

Research from Valimail shows that at least 3.4 billion phony emails are sent every day, Help Net Security reports. Despite this staggering number, most organizations still aren’t enforcing email authentication protocols like DMARC.

The research found that nearly 80% of all email inboxes have DMARC enabled, but only 20% of these are configured to take action against spoofed emails. The US Federal government and tech companies account for a large portion of the organizations with DMARC enforcement policies. In most industries, the enforcement rate is lower than 10%.

This gap exists mainly because DMARC can be difficult to configure properly, particularly for large organizations. DMARC is initially set up in monitoring mode: the domain owner receives reports about spoofed emails, but receiving mail servers still deliver the messages untouched. This mode is meant to help administrators, but it does nothing to prevent fraudulent emails from ending up in people’s inboxes.

For DMARC to actually have an effect, organizations need to enact enforcement policies that determine what to do with spoofed emails. The domain’s policy can then tell receiving mail servers to discard these emails or place them in the recipient’s spam folder. Most organizations run into difficulties at this stage, and end up leaving the protocol in monitoring mode indefinitely.

DMARC is a highly recommended layer of defense for every organization, and it’s well worth the effort to get it working properly. However, it’s not bulletproof against determined attackers. New-school security awareness training can help your employees work with DMARC, while teaching them how to spot the phishing emails that slip through the cracks. Help Net Security has the story:
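The difference between "monitoring mode" and "enforcement" described above lives in a handful of tags in the domain's DMARC TXT record. As an added example (not Valimail's, Help Net Security's or KnowBe4's code), here is a Python classifier that parses a record and reports whether it only monitors (`p=none`), enforces (`p=quarantine` or `p=reject`), or is still partially rolled out via the `pct` tag. The records and `.example` domains below are constructed for illustration; the code does no DNS lookups, so it runs offline, and it handles two edge cases worth knowing: `pct=0`, which quietly demotes the stated policy to the next weaker one for every message, and a record with no `p` tag at all, which RFC 7489 says receivers treat as `p=none` when a `rua` reporting address is present.

```python
# Classify DMARC TXT records as monitoring-only versus enforcing (added example).

MONITORING = "monitoring"
ENFORCING = "enforcing"
PARTIAL = "partial-enforcement"
NO_DMARC = "no-dmarc"


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a tag dict; None when it is not a DMARC record."""
    tags = {}
    for raw in txt.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if "=" not in raw:
            return None  # malformed tag
        key, value = raw.split("=", 1)  # values like rua=mailto:a@x,mailto:b@y keep their '='
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":  # RFC 7489: v=DMARC1 is mandatory
        return None
    return tags


def _step_down(policy):
    """Policy applied to messages NOT selected by pct (RFC 7489 section 6.6.4)."""
    return {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")


def dmarc_posture(txt, subdomain=False):
    """Return (posture, effective_policy) for a record, evaluated for the
    organizational domain or, with subdomain=True, for one of its subdomains."""
    tags = parse_dmarc_record(txt)
    if tags is None:
        return (NO_DMARC, None)

    policy = tags.get("p", "").lower()
    if subdomain and tags.get("sp"):
        policy = tags["sp"].lower()  # sp overrides p for subdomains

    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 section 6.6.3: no usable p tag, but a rua address is present,
        # so receivers act as if p=none; without rua the record is ignored.
        if tags.get("rua"):
            return (MONITORING, "none")
        return (NO_DMARC, None)

    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # an unparsable pct is treated as the default of 100

    if policy == "none":
        return (MONITORING, "none")
    if pct == 100:
        return (ENFORCING, policy)
    if pct == 0:
        # pct=0 means every message receives the step-down policy
        lowered = _step_down(policy)
        return (MONITORING, lowered) if lowered == "none" else (ENFORCING, lowered)
    return (PARTIAL, policy)


def summarize(records):
    """Count postures across a {domain: txt} mapping."""
    counts = {MONITORING: 0, ENFORCING: 0, PARTIAL: 0, NO_DMARC: 0}
    for txt in records.values():
        counts[dmarc_posture(txt)[0]] += 1
    return counts


def enforcement_rate(records):
    """Fraction of domains that publish DMARC and fully enforce it."""
    counts = summarize(records)
    with_dmarc = sum(counts.values()) - counts[NO_DMARC]
    return counts[ENFORCING] / with_dmarc if with_dmarc else 0.0


# Constructed records for placeholder .example domains.
CONSTRUCTED_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; ruf=mailto:forensics@enforced.example",
    "rolling-out.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rolling-out.example",
    "zero-pct.example": "v=DMARC1; p=quarantine; pct=0; rua=mailto:dmarc@zero-pct.example",
    "no-policy.example": "v=DMARC1; rua=mailto:dmarc@no-policy.example",
    "not-dmarc.example": "v=spf1 include:_spf.example -all",
}

if __name__ == "__main__":
    for domain, txt in CONSTRUCTED_RECORDS.items():
        print(f"{domain:22} {dmarc_posture(txt)}")
    print("enforcement rate:", enforcement_rate(CONSTRUCTED_RECORDS))
```

Run against the constructed set, only one of the five DMARC-publishing domains is actually enforcing, so the computed enforcement rate is 0.2, the same order of magnitude as the 20% figure in the Valimail research. Note that `zero-pct.example` looks like an enforcing record to a casual reader but behaves exactly like `p=none`.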
Life's Savings Lost to Social Engineering

Harvard University faculty member Christine Lu lost more than $200,000 to scammers in just four days, NBC10 Boston reports. Criminals spoofed the phone number they used to appear as though they were the Massachusetts State Police, and then called to tell Lu that her identity had been stolen. They instructed her to wire her money to an account controlled by the police for safekeeping while they issued her a new Social Security number.

“I was under the impression that if I don’t cooperate my welfare would be in danger,” Lu told NBC10.

The scammers told Lu to tell the bank that the transactions were for “family support,” and Lu complied. As a result, the transactions weren’t flagged as suspicious. Jon Skarin from the Massachusetts Bankers Association told NBC10 that bank tellers are trained to spot suspicious activity, but in the end, it’s up to the customer.

“If the customer didn’t give the bank accurate information as to why they were doing this, it is ultimately the customer’s money and their decision as to whether or not they want to initiate a particular transaction, and the banks have to be careful that they aren’t doing something that could negatively impact the consumer if the transaction is legitimate,” said Skarin.

Scammers know how to get around the safeguards that are set up to prevent this type of thing from happening. In this case, they knew that “family support” would be unlikely to trip an alarm, and besides, they had induced the victim herself to make the transfer.

Wire fraud is particularly devastating, since the victim typically has no legal recourse. Anyone, including the well-educated and presumably well-informed, can fall victim to social engineering, so focus the blame on the attacker and not the victim, but do be prepared. New-school security awareness training can teach your employees how to recognize and resist this type of manipulation. NBC 10 Boston has the story:
What KnowBe4 Customers Say

This is pretty cool! One of our customers does an annual “Phishy Awards” for his users. Nice idea other customers might like too:

[NEW FEATURES] Branded Certificates and End User Surveys

We are excited to announce the release of two new features in the KnowBe4 platform. Branded Certificates and End User Training Surveys! Here is the blog post:

Brand New Awareness Posters - Check them out!

Find them all here. Free:
The 10 Interesting News Items This Week
    1. I'm honored to be in the 2019 Glassdoor Top CEOs:

    2. AMCA Files for Bankruptcy Following Data Breach:

    3. Artificial Intelligence Will Soon Make Ransomware Attacks Even Scarier:

    4. The U.S. Loses Over $1.5 Trillion in a Decade of Data Breaches:

    5. Inside the FBI's Fight Against Cybercrime:

    6. 3 technologies that could define the next decade of cybersecurity:

    7. Welcome to the Next Generation of Corporate Phishing Scams:

    8. Ransomware gang hacks MSPs to deploy ransomware on customer systems:

    9. Email scammers use corporate consultant sites to find victims:

    10. State cyber-attack poses big danger for UK banks: Bank of England:

    11. BONUS: Robocalls are overwhelming hospitals and patients, threatening a new kind of health crisis:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Twitter: "I haven’t tweeted a stabby thing in a while but... I’ve discovered group policy enforcing a TLS setting that absolutely fails sec audit but instead of submitting change request, sys admins have just been hacking the setting an hour before audits so they’d pass. FOR THREE YEARS":

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.