CyberheistNews Vol 9 #32 Scam of the Week: Equifax Settlement Phishing


Scam of the Week: Equifax Settlement Phishing

Well, that did not take long! The Equifax Data Breach resulted in a settlement and those affected have a choice between free credit monitoring or a $125 payment. Internet lowlifes are now targeting victims of the Equifax data breach with phishing attacks and are spoofing Equifax’s settlement page.

Your users should report these as malicious emails. If they fall for it and click on the link, they will most likely wind up on a spoofed site that looks very similar to the real Equifax settlement page.

There, they are exposed to a social engineering scam that tries to steal as much personal data as possible.

I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit:

ALERT: Internet bad guys are now trying to trick you into filing an Equifax claim and get a $125 payment because your personal data was in the Equifax data breach. They are sending phishing attacks that look like they come from Equifax and when you click on the links, you wind up on a fake website that looks like it's Equifax, but will try to steal your personal information. Don't fall for it.

If you want to file a claim, go to the legitimate FTC website and click on the blue "File a Claim" button. The website will check your eligibility for that claim; not everyone's information was compromised. Here is the link to the FTC site:

For KnowBe4 customers, we have a template ready for you so that you can inoculate your users against this attack. It's under Current Events: Equifax: Recent Data Compromise. Blog post with links and screenshots:
Get Your Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, TODAY, August 6 @ 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it's time for risk assessments and audits.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TODAY, August 6 @ 2:00 PM (ET)

Save My Spot!
New Ransomware Strain Spreads Via SMS

A new Android ransomware strain was discovered by ESET researchers. It uses the victim's contact list to spread further using SMS messages that have malicious links.

The new strain, referred to as Android/Filecoder.C, was distributed on adult content-related topics on Reddit and for a short time via the “XDA developers” forum. The hacker behind the malicious code has been posting links to a "sex simulator" app, telling users to try it out. But in reality, the links will download the ransomware to the victim's phone.

Once the app is manually sideloaded, the ransomware will try to spread to other Android devices. It'll do this by going through the victim's contact list, and sending SMS messages to all the phone numbers it can find. Each message will contain a link to download the sex simulator app.

The ESET researcher who led the investigation, Lukáš Štefanko, provided further insight into the ransomware campaign the company discovered, saying: "To maximize its reach, the ransomware has the 42 language versions of the message template." To trick unsuspecting victims, the SMS message will claim the contact's personal photos have been uploaded to the sex simulator app.

Continued with screenshots at the KnowBe4 blog:
See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us, Wednesday, August 14 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 27,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, August 14 @ 2:00 pm (ET)

Save My Spot!
Iranian Hacker Group APT34 Uses New ‘Tonedeaf’ Malware Over LinkedIn in Latest Phishing Campaign

Targeting several key industries, this new campaign likely seeks to aid the Iranian government with information that could be of use to further Iran’s economic and security goals.

This month, security vendor FireEye identified a new phishing campaign targeting organizations in the Oil and Gas, Energy and Utilities, and Government sectors, leveraging LinkedIn as the medium to both establish contact and deliver malware. The FireEye Labs Advanced Reverse Engineering (FLARE) team released details on this campaign by Iranian-nexus threat actor APT34, in which the following takes place:
  • The target victim is contacted via LinkedIn by a user who claims to be “Research Staff at University of Cambridge”
  • The victim is solicited for a job and asked to provide a resume, all via LinkedIn messaging
  • The victim is then asked to fill out a document as part of the process, and a link is provided using a somewhat convincing domain
  • Once downloaded and opened, the document runs a VBA script that creates a file named system.doc, which is launched when the initial download is closed
  • The Tonedeaf malware is a backdoor that communicates via HTTPS or DNS and can be used to collect system information, upload files, and run commands
Continued at the KnowBe4 blog:
How to Prevent 81% of Phishing Attacks From Sailing Right Into Your Inbox With DMARC

Only ~20% of companies use DMARC, SPF, and DKIM, global anti-domain-spoofing standards, which could significantly cut down on phishing attacks. But even when they are enabled and your domain is more secure, 81% of phishing attacks still continue to sail right through to the end-user.

In this webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will teach you how to enable DMARC, SPF, and DKIM the right way! Then, learn the six reasons why phishing still might get through to your inbox and what you can do to maximize your defenses.

What you’ll learn:
  • How to enable DMARC, SPF, and DKIM
  • Common configuration mistakes
  • How to best configure DMARC and other defenses to fight phishing
  • Techniques to empower your users to identify and avoid phishing attempts that make it through your surface-level defense
Date/Time: Thursday, August 22 @ 2:00 pm (ET)

Save My Spot!
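The "common configuration mistakes" the webinar above promises to cover are mostly visible in the DNS TXT records themselves: an SPF record that ends in `+all`, more than ten lookup mechanisms, a DMARC policy of `p=none`, no `rua` reporting address, or a `pct` below 100. The following added example (not KnowBe4's or Roger Grimes's material) is a small linter that parses SPF and DMARC record text and reports those mistakes, shown on a constructed weak record beside its corrected form. It works on record strings only and performs no DNS queries, so the domains and addresses in it are placeholders.

```python
"""Lint SPF and DMARC TXT records for the misconfigurations that most often
leave a domain spoofable even though "DMARC is enabled".

Constructed example with made-up records; it parses record text only and
does no DNS lookups, so it runs offline."""

# Mechanisms that each cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lint_spf(record: str) -> list[str]:
    """Return the problems found in an SPF record (empty list means OK)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and any argument to get the mechanism name.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > MAX_LOOKUPS:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of {MAX_LOOKUPS}; "
                        "receivers return permerror and ignore the record")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises every host on the Internet; end with '-all' (or '~all')")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and tells receivers nothing; end with '-all' (or '~all')")
    elif not last.endswith("all") and not last.startswith("redirect="):
        findings.append("SPF: no terminal 'all' mechanism; unmatched senders are treated as neutral")
    return findings


def lint_dmarc(record: str) -> list[str]:
    """Return the problems found in a DMARC record (empty list means OK)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: 'p' tag missing or invalid; the record is unusable")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail that fails alignment is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so you get no aggregate reports and cannot see who spoofs you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("DMARC: sp=none leaves every subdomain unprotected")
    return findings


# Constructed records: a typical weak pair and the corrected counterpart.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr +all"
FIXED_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
FIXED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, rec, fn in (("weak SPF", WEAK_SPF, lint_spf), ("fixed SPF", FIXED_SPF, lint_spf),
                           ("weak DMARC", WEAK_DMARC, lint_dmarc), ("fixed DMARC", FIXED_DMARC, lint_dmarc)):
        print(f"{label}: {fn(rec) or ['OK']}")
```

Running it prints one finding for the weak SPF record (the `+all`), three for the weak DMARC record (`p=none`, no `rua`, `pct=50`) and `OK` for both corrected records. To lint your own domain, fetch the TXT records for `example.com` and `_dmarc.example.com` with `dig` or a DNS library and pass the strings to the two functions.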
Why Is Windows Defender the World's No. 1 Antivirus With More Than Half a Billion EndPoints?

Having been inside the antivirus software industry for quite a while, and having built an AV tool from the ground up, when I saw Redmond start acquiring several small AV companies in 2008 and 2009 I knew the writing was on the wall: AV will be free and part of the OS.

Over the last few years I have been saying more and more frequently that upgrading to Win10 and using Defender is a perfectly acceptable endpoint security strategy. No longer spending money on third party AV frees up your budget for the last line of defense you actually need: new-school security awareness training.

Microsoft Is Uniquely Positioned to Deliver the No. 1 Antivirus

You may not know this, but Defender is now the largest AV in the world; it is the primary AV on more than half a billion devices. Having this many machines to use as sensors gives it a huge advantage, and Microsoft argues that its use of hardened machine-learning detection models succeeds where other antivirus products fail. Redmond's strong "monotonic" machine learning model is resistant to attackers who try to confuse the model with so-called "clean" signals.

Here is one example. In June, Defender was able to block the Astaroth fileless malware, which was trying to evade detection by using built-in Windows infrastructure like the Windows Management Instrumentation Command-line (WMIC).

Another strong technology is Defender's "runtime attestation" feature, which can block kernel-based token-swap attacks that let an attacker operate under another user account's security context.
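Why a "monotonic" model resists padding with clean signals is easier to see in code than in prose. The toy below is an added illustration, not Microsoft's model or any real Defender feature: the feature names and weights are invented. It contrasts a plain linear score, where benign-looking attributes can cancel out suspicious ones, with a monotonic score whose weights are clipped at zero, so that adding a feature can never lower the verdict. It also includes a property check a defender can run against any scorer to confirm that it is monotonic over a set of samples.

```python
"""Toy illustration of a monotonic malware score resisting 'clean signal' padding.

Constructed example: the feature names and weights are invented for the
illustration and have nothing to do with Defender's real models."""

# Constructed toy features: positive weights push toward "malicious",
# negative weights toward "clean".
WEIGHTS = {
    "spawns_wmic": 2.5,
    "encoded_powershell_cmdline": 2.0,
    "writes_run_key": 1.5,
    "has_valid_signature": -2.0,
    "has_version_info": -1.0,
    "large_resource_section": -1.5,
}
THRESHOLD = 3.0  # a score at or above this is classified malicious


def score_unconstrained(features):
    """Plain linear score: benign-looking features can cancel suspicious ones."""
    return sum(WEIGHTS.get(f, 0.0) for f in features)


def score_monotonic(features):
    """Monotonic score: weights are clipped at zero, so every feature can only
    raise the score or leave it unchanged. A sample therefore cannot be made to
    look cleaner by adding attributes to it; only removing the suspicious
    behaviour itself lowers the score."""
    return sum(max(WEIGHTS.get(f, 0.0), 0.0) for f in features)


def verdict(score_fn, features):
    return "malicious" if score_fn(features) >= THRESHOLD else "clean"


def find_monotonicity_violation(score_fn, samples):
    """Property check: for each sample, adding any single known feature must
    never lower the score. Returns the first (sample, feature) pair that
    violates this, or None if the scorer is monotonic over the given samples."""
    for sample in samples:
        base = score_fn(sample)
        for feature in WEIGHTS:
            if feature not in sample and score_fn(sample | {feature}) < base:
                return sample, feature
    return None


# Constructed sample: a fileless loader that only shows suspicious behaviour.
LOADER = frozenset({"spawns_wmic", "encoded_powershell_cmdline"})
# The same loader dressed up with benign-looking attributes.
PADDED_LOADER = LOADER | {"has_valid_signature", "has_version_info", "large_resource_section"}

if __name__ == "__main__":
    for name, fn in (("unconstrained", score_unconstrained), ("monotonic", score_monotonic)):
        print(f"{name:13} loader={verdict(fn, LOADER):9} padded={verdict(fn, PADDED_LOADER)}")
        print(f"{name:13} violation={find_monotonicity_violation(fn, [LOADER, PADDED_LOADER])}")
```

The unconstrained scorer rates the bare loader malicious (4.5) but the padded one clean (0.0), and the property check reports `has_valid_signature` as the feature that lowers the score; the monotonic scorer gives 4.5 in both cases and passes the check. Real monotonic models enforce the same property as a constraint during training of tree ensembles rather than by clipping weights, but the guarantee they provide is the one the toy shows.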

Continued at the KnowBe4 blog:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Let the refining and improving of your own life keep you so busy that you have little time to criticize others." - H. Jackson Brown, Jr., Author

"Be faithful to that which exists within yourself." - Andre Gide, Writer

Thanks for reading CyberheistNews
Security News
Office 365 Administrators Are the Target of the Latest String of Phishing Attacks

Using a mix of fake admin alerts and a spoofed logon page, this newest campaign leverages IT’s urgency in fixing critical issues before they impact users.

Cybercriminals that use phishing as their attack of choice know two things make a successful campaign: context and urgency. In this latest attack covered over at Bleeping Computer, it looks like scammers have figured out the perfect angle to include both.

Using fake Office 365 alerts citing expiration of licenses or an issue that requires investigation, the bad guys are hoping to take advantage of IT’s desire to make certain Office 365 is available and licensed. With a substantial percentage of all businesses using Office 365, this tactic makes a lot of sense – the phishing email is applicable to as much as half of all recipients (assuming they are all IT pros), and the alert aspect creates the urgency needed to trick IT into clicking the link.

IT pros are taken to an Azure-based windows (dot) net site that mimics the Office 365 logon page and even uses an SSL certificate issued by Microsoft.

Continued at the KnowBe4 Blog with links, screenshots and proposed mitigations:
5 Things You Need to Know About Facebook’s $5 Billion Fine

By Lecio De Paula, KnowBe4's Director of Data Privacy. On July 24, 2019, it was announced that Facebook, Inc. will pay a 5 billion dollar penalty to the U.S. Federal Trade Commission (FTC) and will be required to revamp their whole privacy and security program. Previously, the largest fine ever imposed by the FTC was $275 million for a privacy enforcement action.

Here are five quick facts about the settlement:
    • The $5 billion fine is approximately 50 times greater than the recent fine imposed by the U.K. Information Commissioner's Office on Marriott International under the European Union’s General Data Protection Regulation (GDPR).
    • Facebook must now be more transparent about its use of facial recognition and make sure it obtains the appropriate consent from users before doing so.
    • Facebook and its group companies (WhatsApp, Instagram) are required to conduct a privacy and security review of every new product or service that is implemented (aka privacy-by-design).
    • This fine stems from Facebook’s violations of a 2012 settlement order with the FTC about making misrepresentations about how it handles personal data.
    • Facebook is now required to establish, implement, and maintain a comprehensive security and privacy program.
Continued at the KnowBe4 blog:
Freight Forwarding Email Scams Are Business Killers

The Australian Cyber Security Centre (ACSC) has warned that multiple Australian IT suppliers have permanently closed their doors after falling victim to procurement scams, CRN reports. These scams involve attackers spoofing emails and domains to pose as real employees of universities or corporations. And it doesn't only happen down under; this is a worldwide problem.

The criminals send fraudulent requests for computer equipment to small and medium-sized Australian IT businesses, and ask to purchase the items with 30-day payment terms. The victim company agrees, and sends the products to a delivery company in Australia.

Next, these fraudsters either try to pay the delivery company with stolen credit cards, or they attempt to ship the products again with payment terms. The hardware is then shipped overseas, at which point it’s usually lost for good. The victim companies don’t realize they’ve been duped until it’s too late.

According to the ACSC, companies in Australia are losing an average of between $30,000 and $100,000 to freight forwarding email scams, with one incident costing a business $170,000. These scams center around theft of physical property rather than direct money transfers, and they often involve fooling multiple people.

The fact that both the IT suppliers and the delivery companies are scammed in the same operation shows that the criminals possess solid social engineering skills and a good grasp of business processes. It also answers the question of how you monetize a stolen credit card.

Organizations need to educate their employees and implement proper policies to prevent this type of fraud from taking place. New-school security awareness training can make your employees mindful of social engineering tactics so that they’ll be primed to recognize red flags. CRN has the story:
Some Cool KnowBe4 News

Today we announced PhishML, a new machine-learning module within the PhishER platform to help security professionals identify and assess suspicious messages.

PhishML analyzes every message coming into the PhishER platform and gives security professionals the information they need to make prioritization easier, faster and more accurate.

This machine-learning module constantly learns based on messages that are tagged by security professionals in the PhishER user community. PhishML will assign tags along with confidence levels using the data from all user-reported email messages.

By using the default settings, PhishML will tag more than half of reported messages and has a current prediction accuracy of more than 95%.

Approximately 10 percent of suspicious email messages are getting through spam filters. That means users are the last line of defense and they need to be aware of what to look out for when it comes to phishing and other social engineering attacks.

The benefits of the PhishML module coupled with our robust PhishER platform include making the identification of real threats a much quicker and more accurate process. PhishML is available to KnowBe4’s PhishER customers at no additional cost. For more details on PhishER's new machine learning module:
The 10 Interesting News Items This Week
    1. Scam Alert: No, WhatsApp isn’t giving you 1,000GB free data:

    2. Dear hackers: If you try to pwn a website for phishing, make sure it's not the personal domain of a senior Akamai security researcher:

    3. BlueKeep Exploits Appear as Security Firms Continue to Worry About Cyberattack:

    4. Why Is Windows Defender the World's No. 1 Antivirus With More Than Half a Billion EndPoints?

    5. GermanWiper Ransomware Hits Germany Hard, Destroys Files but Asks for a Ransom

    6. [Krebs on Security] What We Can Learn From the Capital One Hack:

    7. Capital One Breach Does Not Mean the Cloud Is Insecure:

    8. The Equifax Settlement: "Nope You’re Not Getting $125 if You Picked Door Number 1". Discuss at HackBusters:

    9. Researchers Replace IP Camera Feed With Fake Footage:

    10. Making the case: How to get the board to invest in government cybersecurity:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
