CyberheistNews Vol 9 #33 Bad Guys Exploit CapitalOne Breach to Push Backdoor Trojan

The bad guys are now exploiting news of the CapitalOne breach to push a malicious backdoor trojan via a phishing email claiming to offer a Windows Security Update.

Clicking the link in that email downloads a file named KB3085604 (dot) exe — obviously named to resemble Microsoft patch files and security updates. Detection of this file by the anti-malware engines represented on VirusTotal is poor, with only nine flagging it at the time of this writing.

The phishing email itself spoofs the targeted organization’s IT department, and the language used is sufficiently informal (as well as a little technical and even awkward) to appear credible.

As a result, some users just might fall for it — especially those working in organizations that occasionally ask employees to perform routine IT tasks (e.g., applying updates, updating AV definitions, etc.).

Now is the time to warn your users and ensure that they know how to distinguish actual, legitimate email notifications sent by your IT Department or Help Desk from malicious impostors like this latest phish. Link and screenshot at the Blog:

Scam Of The Week: See Jeffrey Epstein Last Words On Video

This weekend, news broke that Jeffrey Epstein was found dead in his cell, apparently a suicide. This is a celebrity death that the bad guys are going to be exploiting in a variety of ways because almost all the ingredients for high click rates are there: celebrities, money, mystery, and conspiracy theories. You have to warn your users right away that a series of scams are underway using the Epstein death as a social engineering tactic.

Whatever ruse is being used, your users will wind up with infected workstations at home or in the office, giving out personal information, or getting scammed some other way. Give them another heads-up that they need to Think Before They Click on anything related to this topic.

I would send your employees, friends and family something like the following. Feel free to copy/paste/edit.
"This weekend, news broke that Jeffrey Epstein was found dead in his cell from an apparent suicide. Internet criminals are going to exploit this celebrity death in a number of ways, so be careful with anything related to the Epstein death: emails, attachments, any social media (especially Facebook), texts on your phone, anything. There will be a number of scams related to this, so Think Before You Click!"

For KnowBe4 Customers, there are two new templates in the Current Events campaign that I suggest you send to everyone more or less immediately.
  • FOX News: Epstein Death Not a Suicide
  • NBC News: Last Words: Jeffrey Epstein Suicide Confession
If you are not a KnowBe4 customer yet, at times like this, it is very good to know what percentage of your users are vulnerable to emotional manipulations like this.

See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us, TOMORROW, Wednesday August 14 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 27,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday August 14 @ 2:00 pm (ET)

Ransomware Attacks on Businesses up 365% This Year

A new report by Malwarebytes confirms the resurgence of ransomware campaigns targeting companies. While various reports released in the first half of last year projected the decline of file-encrypting malware, threat actors have since then launched countless targeted campaigns.

The malware is delivered through spear phishing emails and locks up valuable data assets, demanding a ransom to release them. While ransomware made headlines a few years back as a consumer problem, it was sidelined as other attacks became more popular among cybercriminals. But this year, the threat has come back to life, switching from mass consumer campaigns to highly-targeted attacks on businesses that will give cybercriminals a bigger bang for their buck, according to the report.

Business detections of ransomware rose 365% from Q2 2018 to Q2 2019, the report found, while consumer detection decreased by 12%. Story continues at TechRepublic:

How to Prevent 81% of Phishing Attacks From Sailing Right Into Your Inbox With DMARC

Only ~20% of companies use DMARC, SPF, and DKIM, global anti-domain-spoofing standards, which could significantly cut down on phishing attacks. But even when they are enabled and your domain is more secure, 81% of phishing attacks still continue to sail right through to the end-user.

In this webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will teach you how to enable DMARC, SPF, DKIM the right way! Then, learn the six reasons why phishing still might get through to your inbox and what you can do to maximize your defenses.

What you’ll learn:
  • How to enable DMARC, SPF, and DKIM
  • Common configuration mistakes
  • How to best configure DMARC and other defenses to fight phishing
  • Techniques to empower your users to identify and avoid phishing attempts that make it through your surface-level defense
Date/Time: Thursday, August 22 @ 2:00 pm (ET)

Save My Spot!
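The webinar blurb above lists "common configuration mistakes" in DMARC, SPF and DKIM without naming them. The checker below is an added example (not KnowBe4's tooling and not material from the webinar) that runs the most common DMARC and SPF sanity checks offline against record strings: a policy of p=none, a partial pct=, a missing rua= reporting address, an sp=none that leaves subdomains open, a permissive "+all" or "?all" terminator, and more than the ten DNS-lookup terms RFC 7208 allows. The two record pairs in the `__main__` block are constructed: a weak pair beside a corrected pair for a hypothetical example.com. In practice the strings would come from DNS TXT lookups of `_dmarc.<domain>` and `<domain>`.

```python
"""Offline sanity checks for DMARC and SPF TXT records.

Added example, not KnowBe4's tooling or anything from the webinar. The record
strings are constructed; in practice they come from DNS TXT lookups of
_dmarc.<domain> and <domain>.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return human-readable findings for a DMARC record (empty list = nothing weak)."""
    findings = []
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing or invalid v=DMARC1 tag: receivers ignore the record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: the record is not valid DMARC")
    elif policy == "none":
        findings.append("p=none: failing mail is only reported, never quarantined or rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only a fraction of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    # sp= defaults to the value of p=, so only an explicit sp=none weakens subdomains.
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains remain spoofable despite the strict p= policy")
    return findings


def _spf_term_name(term: str) -> str:
    """'include:_spf.example.com' -> 'include', '+a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record: str) -> list:
    """Return findings for an SPF record (empty list = nothing weak)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1 version tag: receivers ignore the record"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all: every sender passes SPF, which defeats the purpose of the record")
    elif last == "?all":
        findings.append("?all: unauthorised senders get a neutral result instead of a failure")
    elif last == "~all":
        findings.append("~all: softfail only; move to -all once every legitimate sender is listed")
    elif last != "-all" and _spf_term_name(last) != "redirect":
        findings.append("no terminating 'all' mechanism: unlisted senders are not rejected")
    lookups = sum(1 for t in terms[1:] if _spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the limit of 10, causing permerror")
    return findings


if __name__ == "__main__":
    # Constructed records: a weak pair beside a corrected pair for example.com.
    for label, dmarc, spf in [
        ("weak", "v=DMARC1; p=none; pct=50",
                 "v=spf1 include:_spf.example.net +all"),
        ("fixed", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
                  "v=spf1 include:_spf.example.net mx -all"),
    ]:
        print(label, "DMARC:", check_dmarc(dmarc) or ["ok"])
        print(label, "SPF:", check_spf(spf) or ["ok"])
```

The DMARC check deliberately treats a missing sp= as inheriting p=, because that is the standard's default; an explicit sp=none next to p=reject is the case worth flagging. The SPF check cannot see the lookups hidden inside an include: target without resolving DNS, so the lookup count it reports is a lower bound.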

Confirm Your Unsubscribe Request? Not so Fast!

An email phishing campaign that BleepingComputer describes as “long-running” has shown a distinct uptick recently. The phishbait in the subject line will read something like this: "Confirm your unsubscribe request," or this: "Client #980920318 To_STOP_Receiving These Emails From Us Hit reply And Let Us Know.”

There is no mention of exactly which subscription you supposedly asked to be removed from, but they really do want to hear from you.

The best course of action, should you receive one of these emails, is simply to delete it as you would any other spam. Should you be so incautious as to click on the “unsubscribe” link or button the email offers, you will find that doing so composes an email message with no body text and the word “Unsubscribe” as the subject. It will be addressed to some fifteen-to-twenty recipients.

Why would the criminals want to do this? They are in all likelihood harvesting live email addresses, and live email addresses from polite people who are likely to open and act on other email messages they receive. Such lists can be used in other, more lucrative scams. They can also be sold on the black market to other criminals. In this case, unsubscribing will draw more spam, not less. More:
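The tell described above, an "unsubscribe" link that is really a mailto: URL addressed to fifteen or twenty mailboxes, is easy to check for mechanically when triaging user-reported mail. The script below is an added example (not part of the newsletter or of BleepingComputer's write-up): it extracts every mailto: link from an HTML body, parses the recipients from the address part and from any to=, cc= or bcc= query parameters as laid out in RFC 6068, and flags links that would address a message to more than a handful of mailboxes. The HTML body, the example.net/example.org addresses and the `min_recipients` threshold are constructed for the example.

```python
"""Flag mailto: 'unsubscribe' links that would address a message to many recipients.

Added example, not part of the newsletter or BleepingComputer's write-up. The HTML
below is a constructed stand-in for a reported message body; real use would feed
the HTML part of a user-reported email into find_bulk_mailto_links().
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote


class MailtoCollector(HTMLParser):
    """Collect every href that uses the mailto: scheme."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value and value.lower().startswith("mailto:"):
                self.links.append(value)


def parse_mailto(href: str):
    """Return (recipients, subject) for a mailto: URL as laid out in RFC 6068."""
    path, _, query = href[len("mailto:"):].partition("?")
    # Addresses before '?' may be percent-encoded; decode them individually.
    recipients = [unquote(r).strip() for r in path.split(",") if r.strip()]
    params = parse_qs(query, keep_blank_values=True)  # values come back already decoded
    for header in ("to", "cc", "bcc"):
        for value in params.get(header, []):
            recipients += [r.strip() for r in value.split(",") if r.strip()]
    subject = params.get("subject", [""])[0]
    return recipients, subject


def find_bulk_mailto_links(html: str, min_recipients: int = 5) -> list:
    """Return the mailto: links in html that address at least min_recipients mailboxes."""
    collector = MailtoCollector()
    collector.feed(html)
    hits = []
    for href in collector.links:
        recipients, subject = parse_mailto(href)
        if len(recipients) >= min_recipients:
            hits.append({"href": href, "recipient_count": len(recipients), "subject": subject})
    return hits


# Constructed sample body: one harvesting-style link beside an ordinary contact link.
SAMPLE_HTML = """<html><body>
<p>Client #000000000 To_STOP_Receiving These Emails From Us Hit reply And Let Us Know.</p>
<p><a href="mailto:list1@example.net,list2@example.net,list3@example.net,list4@example.net?cc=list5@example.org,list6@example.org&amp;subject=Unsubscribe">Confirm your unsubscribe request</a></p>
<p><a href="mailto:support@example.com?subject=Question">Contact support</a></p>
</body></html>"""


if __name__ == "__main__":
    for hit in find_bulk_mailto_links(SAMPLE_HTML):
        print(f"{hit['recipient_count']} recipients, subject {hit['subject']!r}: {hit['href']}")
```

A legitimate List-Unsubscribe or contact link normally carries a single address, so a threshold of five recipients separates the two cases cleanly in this sample; tune `min_recipients` to what your own mail streams look like before using the rule for automatic categorisation.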

Identify and Respond to Email Threats Faster With PhishER - Plus, Get a First Look at PhishML

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Tuesday, August 27 @ 2:00 pm (ET), for a live 30-minute demo of the PhishER platform and a first look at PhishML, a new machine-learning module now available in the PhishER platform.

With PhishER you can:
  • *NEW* Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: Tuesday, August 27 @ 2:00 pm (ET)

Save My Spot!

[Black Hat] Warmly Recommended Book of the Month: "The Fifth Domain"

I flew to Black Hat this week and spent a few days in Vegas at the show. In the plane I had some reading time and got well into "The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats" by Richard A. Clarke and Robert K. Knake.

It's an excellent book that describes the current threats we are defending against. This link brings you to a highlighted section which is very relevant to the upcoming elections and to where our systems fall down:

And here are some interesting topics and headlines I found during Black Hat; there are some doozies!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Do something wonderful, people may imitate it." - Albert Schweitzer, Humanitarian

"Be yourself, because an original is worth more than a copy." - Suzy Kassem, Author

Thanks for reading CyberheistNews

Security News

Varieties of Extortion Experience

We are all familiar with ransomware and its increasingly dangerous cousin, wiper malware. The first encrypts your files and demands a ransom payment in exchange for the decryption key. The second, now being mixed with ransomware proper, is more destructive. As its name implies, it wipes files, deleting them permanently.

Sometimes it may be used as a threat to increase the pressure on the victim to pay. At other times it masquerades as ransomware, but even if you pay, you will not get your files back.

These represent serious threats, best handled with awareness and a rigorous program of regular, secure backup. But there are other kinds of extortion, and these are more easily handled. Recognize them for the scams they are and simply delete them.

We have written about various instances of these over the years, but now BleepingComputer has compiled a rundown of the more common varieties of scareware.

They work only on people whose jittery nerves or uneasy consciences lead them to panic, and then pay. Some of these phishing emails carried ransomware or information stealers as a kind of secondary payload, but the primary threat was all so much hot air. The scams are listed at the KnowBe4 blog, because sending them would trap this email in your filters:

Pleading Guilty to Business Email Compromise

Amil Hassan Raage has taken a guilty plea to charges of fraud in a business email compromise case that netted him and his criminal co-conspirators almost a quarter of a million dollars in twenty-eight payments. According to the story in Infosec Magazine, Raage induced a university to divert payments to an account he controlled over the course of slightly more than a month, from August 8th to September 12th of 2018.

On July 23rd, 2018, the University of California San Diego (UCSD) received a spearphishing email that spoofed a Dell account, instructing the University to send its payments for Dell equipment and services to a Wells Fargo account in Minnesota that Raage controlled. The email itself had been sent by one of Raage’s criminal associates in Kenya. UCSD complied, for a while, making twenty-eight wire transfers totaling $749,158.37 to the account Raage’s colleagues had given them.

Immediately after the deposits were made, Raage either withdrew the money or transferred it to another account. Continued at the KnowBe4 blog:

Why School Districts Are Targets of Social Engineering

School districts are becoming increasingly popular targets for ransomware, with at least five of these attacks occurring in July, according to the New York Times.

The Governor of Louisiana declared a state of emergency on July 24th after three of its school districts fell victim to ransomware. Christina Stephens, a spokeswoman for the governor, told the Times that the three attacks shared similar characteristics.

She added that the state is working to recover from the attacks before the beginning of the school year in early August. “We’re operating as we would in any national disaster,” Stephens said. “We’re using the same kind of hierarchy that we use during hurricanes.”

Likewise, the school district of Syracuse, New York, was hit by ransomware on July 8th. The district said that its insurance provider would cover the cost, but the district will pay a $50,000 deductible. It’s not clear if the district decided to pay the ransom or not.

Another attack hit the Houston County School District in southeastern Alabama sometime in July, which forced the district to postpone the first day of school for two weeks. Superintendent David Sewell said that the computers still probably won’t be ready in time, so teachers will most likely be using pen and paper to take roll.

Keith R. Krueger, the CEO of the Consortium for School Networking told the Times that IT staff at primary and secondary schools are now ranking ransomware as their top fear. Dr. Eva Vincze from George Washington University said that schools are an easy target because they often can’t afford sophisticated defenses. Continued at the KnowBe4 blog:

[Krebs on Security] iNSYNQ Ransom Attack Began With Phishing Email

A ransomware outbreak that hit QuickBooks cloud hosting firm iNSYNQ in mid-July appears to have started with an email phishing attack that snared an employee working in sales for the company, KrebsOnSecurity has learned. It also looks like the intruders spent roughly ten days rooting around iNSYNQ's internal network to properly stage things before unleashing the ransomware. iNSYNQ ultimately declined to pay the ransom demand, and it is still working to completely restore customer access to files. More at:

KnowBe4 Fresh Content & Features Updates - July 2019

Localized Learner Experience

We are excited to announce the availability of KnowBe4’s new localized training interface option for your users! Currently available in 15 local languages, your users now can choose the language they're most comfortable with for their entire training interface, helping deliver a more immersive training experience.

[New PhishER Feature] Identify Email Threats Even Faster With PhishML

I'm very happy to announce the availability of PhishML™ as part of the PhishER platform to all PhishER customers. PhishML is a new machine-learning module that helps you identify and assess the suspicious messages that are reported by your users, at the beginning of your message prioritization process. PhishML analyzes every message coming into the PhishER platform and gives you the info to make your prioritization process easier, faster, and more accurate.

And there are LOTS of training content updates. You can find them all here:

The 10 Interesting News Items This Week
    1. Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials:

    2. I was interviewed about this risk of election systems left online by ABC Action News:

    3. Black Hat 2019: Security Culture Is Everyone's Culture:

    4. Black Hat 2019: How uncertainty in the cyber domain changes war:

    5. Google explains why phishing scams are still depressingly effective.

    6. Smishing and vishing: How these cyber attacks work and how to prevent them

    7. Scammers increasingly hide behind legitimate company websites to spawn phishing mails

    8. Ransomware attacks are getting more ambitious as crooks target shared files:

    9. Forward this WSJ article to your C-level Execs: "Putin Plays Judo, Not Chess":

    10. State-Sponsored Chinese Hacking Group Targeting Crypto Firms: Report:

    11. BONUS: Cybersecurity Pros Name Their Price as Hacker Attacks Swell:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.