CyberheistNews Vol 9 #36 [Heads Up] AI Used for Social Engineering by Mimicking CEO’s Voice in Unusual Cybercrime Case

Catherine Stupp at the Wall Street Journal reported on something we have predicted would happen in this blog. The article started out with:

"Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.

The CEO of a U.K.-based energy firm thought he was speaking on the phone with his boss, the chief executive of the firm’s German parent company, who asked him to send the funds to a Hungarian supplier. The caller said the request was urgent, directing the executive to pay within an hour, according to the company’s insurance firm, Euler Hermes Group SA. Euler Hermes declined to name the victim companies.

Law enforcement authorities and AI experts have predicted that criminals would use AI to automate cyberattacks. Whoever was behind this incident appears to have used AI-based software to successfully mimic the German executive’s voice by phone. The U.K. CEO recognized his boss’ slight German accent and the melody of his voice on the phone, said Rüdiger Kirsch, a fraud expert at Euler Hermes, a subsidiary of Munich-based financial services company Allianz SE."

This is essentially the next step up in the escalation of social engineering in CEO fraud. You need to step your employees through new-school security awareness training to prevent human errors like this. Blog post with link to the WSJ article that you can forward to your C-suite:

See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, September 11 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 27,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, September 11 @ 2:00 pm (ET)

MegaCortex Ransomware Goes Fully Automated, Putting Enterprises at Risk of Ransoms in the Millions

A new version of MegaCortex has been spotted, upgrading it from a manual, targeted form of ransomware, to one that can be spread and do damage enterprise-wide.

What was once a ransomware variant used only post-exploitation, as part of a targeted, manual attack that required the cybercriminal to enter a password, has now been re-released into the wild as a vastly improved version 2.0.

Completely automated, the latest version of MegaCortex has proven to be ready for wide-scale attacks, according to new research from Accenture’s iDefense team. The need for manual password entry has been removed, it has been beefed up with the ability to kill a number of security products, and it now loads and runs its main payload directly from memory.

According to the research, ransoms demanded to date have ranged from approx. $20,000 to as much as $5.8 million, making this a tangible threat to small businesses and large enterprises alike.

Increase in Number of MegaCortex Incidents if Delivered Through E-Mail

The researchers note that we could potentially see “an increase in the number of MegaCortex incidents if the actors decide to start delivering it through e-mail campaigns.”

Organizations wanting to avoid this new version need to double efforts to protect email and user interactions with email. Email security solutions can assist in detecting malware-laden attachments and potentially malicious office documents. Security Awareness Training is best suited to advise the user on the need for being security-minded, and to educate them on how to identify suspicious email and web content that may be malicious in intent.

MegaCortex v2.0 sounds like it got some major upgrades and has an ability to do some real damage. Shoring up your security efforts is a prudent step to avoid this new version of ransomware. Blog post with links:

Get Your Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, Tuesday, September 10 at 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it's time for risk assessments and audits.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Tuesday, September 10 at 2:00 PM (ET)

Save My Spot!

Ransomware Criminals Hack Dental Software Company and Take Hundreds of Customers' Systems Hostage

Hundreds of dental practice offices in the US have had their computers infected with ransomware this week, ZDNet has learned from a source.

The incident is another case of a ransomware gang compromising a software provider and using its product to deploy ransomware on customers' systems.

In this case, the software providers are The Digital Dental Record and PerCSoft, two Wisconsin-based companies that collaborated on DDS Safe, a medical records retention and backup solution advertised to dental practice offices in the US.

Weekend before last, a hacker group breached the infrastructure behind this software, and used it to deploy the REvil (Sodinokibi) ransomware on computers at hundreds of dentist offices across the US.

The security breach came to light the Monday after, when dentists returned to work, only to find out they couldn't access any patient information. OUCH.

Software supply chains are very much at risk. Here is a blog post that goes into more detail about this problem. KrebsOnSecurity has more detail as well:

[Brand New Webinar] "Setting the Trap: Crafty Ways the Bad Guys Use Pretexting to Own Your Network" featuring Kevin Mitnick

Today’s phishing attacks have evolved way beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization in order to set the perfect trap. And pretexting is the key.

Whether it’s a phone call from an attacker impersonating your IT department or what seems like an innocuous email that ends up harvesting important credentials, the perfect pretext can lead to the bad guys owning your network before you know it.

Join us Wednesday, September 18th @ 2:00 pm ET for this exclusive webinar where Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will show you how the bad guys craft such cunning attacks. They'll dig into tactics for reconnaissance, target selection, creating a pretext, and launching an attack.

And more importantly, they will tell you what you need to know to protect your organization.

Kevin will also share new demonstration videos that will blow your mind.

This is one webinar you can't afford to miss!

Save My Spot:

'Culture Eats Policy for Breakfast': Rethinking Security Awareness Training

I was interviewed by Joan Goodchild for DARKReading about what's definitely not working with end-user cybersecurity awareness training, and what you can do about it.

The article started with: "Stu Sjouwerman has been focused on IT security for more than 30 years. The CEO and founder of KnowBe4, an awareness training provider, launched the company about a decade ago in response to what he saw as a serious gap in understanding about risk among end users.

Initially, as KnowBe4 created a customer base, many companies took on awareness training for compliance reasons. The legal landscape demanded security managers in some sectors to demonstrate they were at least offering awareness as part of overall strategy. But now their motivations have changed.

"The big movement, the sea change, has been from compliance to security," Sjouwerman says. "Imagine a Venn diagram. One circle is compliance. The other is actual security measures you need to take to make sure the bad guys don't come in. Awareness training has squarely moved from one circle to another."

Sjouwerman believes awareness training has finally arrived. More organizations see the value in it beyond checking a box, he says, and are investing accordingly.

"Over [the] last few years, awareness training has come into its own," he says. "CISOs understand there is no silver bullet in just software filters and that you really need to create a human firewall."

The whole article is here, and there are lots more good insights:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Over the past week we spotted something new and interesting in the malicious emails being reported to us by customers using the Phish Alert Button (PAB): a two-part phish in which users are hit with a sequence of two coordinated emails. The first email prepares users for the second, which contains a malicious link that usually leads to a credentials phish. More:

Quotes of the Week
"I worked hard. Anyone who works as hard as I did can achieve the same results."
- Johann Sebastian Bach, Musician & Composer (1685 - 1750)

"Life is really simple, but we insist on making it complicated."
- Confucius, Philosopher (551 - 479 BC)

Thanks for reading CyberheistNews

Security News

SIM Hijacking Allows Attackers to Reset Your Passwords

SIM hijacking is an attack that criminals can use to gain access to victims’ online accounts without interacting with the victims themselves, according to security researcher Ray [REDACTED].

On the CyberWire’s Hacking Humans podcast, Ray explained that SIM hijacking is a social engineering attack in which a criminal impersonates a victim and convinces an employee at a mobile carrier to port the victim’s phone number to the attacker’s SIM card. Ray stressed that this is relatively easy to accomplish.

“If you think about the normal mechanism that somebody has lost their cell phone, it is a state of complete panic… because our lives are so connected to it,” he said. “That's a moment of desperation. And most people in contact centers are there to try to relieve that desperation.

So it is surprisingly easy to get a port done over the phone, or especially in person, with even the most minimal amount of identification.”

Once an attacker has control of a victim’s phone number, they’ll use it to reset the passwords to the victim’s online accounts. If they can hijack someone’s primary email account, they can reset any other passwords that depend exclusively on that email account, which often includes banking credentials.

“If I have access to your Gmail, I might have access to password resets for a ton of accounts, some of which you may not even know,” Ray explained. “And it's actually somewhat worse because a lot of people will use Chrome as their password manager. And if you have access to someone's master Gmail account or their master Google account, in some cases, you also have access to all of their Chrome passwords, as well.”

The primary social engineering element in SIM hijacking is targeted at the mobile carrier, rather than at the victims themselves; however, Ray says there are still steps you can take to mitigate the threat. You should take advantage of any optional security protections offered by your mobile provider, and you can add notes to your account specifying authentication requirements for a SIM port.

These can make it more difficult for an attacker, although they can still potentially be bypassed with social engineering. “At the end of the day, the real answer to preventing this type of an attack is to separate your primary password managers and your email accounts from simple SMS resets,” Ray said.

Most people don’t worry about SIM hijacking until it’s too late. New-school security awareness training can teach your employees to take measures to protect themselves before they fall victim to one of these attacks. The CyberWire has the story:

Personal OPSEC for High-Risk Employees

Social engineering attacks are growing increasingly targeted, and organizations need to place a higher focus on ensuring that the right employees receive the right kind of security training, according to CSO. In particular, executives and other high-risk employees should have personal OPSEC plans to keep them safe at all times.

Alex Hamerstone, Practice Lead for Governance, Risk Management, and Compliance at TrustedSec, told CSO that executives are valuable targets even when they’re not at work because their personal and professional lives overlap significantly.

“Too often, OPSEC plans only focus on work accounts and not the personal accounts that the executive or employee actually uses a lot of the time,” Hamerstone said. “The personal accounts can be an entry point into the work accounts in many ways, whether through password reuse or executives logging into enterprise services on their personal equipment.”

While executives are particularly at risk, employees at all levels of the organization can be singled out depending on what an attacker needs. Stephanie Carruthers, Chief People Hacker of IBM’s X-Force Red, told CSO that “who is targeted really comes down to what they have access to.” As a result, security training should be tailored to each role depending on the threats an employee is likely to face.

“High-risk employees should receive constant, additional training that’s geared specifically for them,” Carruthers said. “Everyone from the janitor to the CEO has a different threat model, so they need training relevant to their threat model.”

CSO provides a list of tips that organizations should follow in order to improve their employees’ OPSEC. These include requiring the use of 2FA and password managers, and establishing procedures for authenticating requests to prevent impersonation attacks. Employees should also be tested often with fake but realistic social engineering attacks. New-school security awareness training with phishing tests can provide your employees with up-to-date knowledge of threats and security best practices. CSO has the story:

Financial Phishing Campaigns on the Rise

More than 1,900 new potential bank phishing sites were registered in the first half of 2019, according to researchers at NormShield. Based on the increase in new suspicious domains compared to the same period last year, the researchers predict there will be over 3,500 more active bank phishing domains by the end of 2019.

Not all of the sites are currently active, but their addresses are similar enough to URLs used by banks that NormShield concluded they were lying in wait to be used in future attacks.

The NormShield researchers found that the number of potential bank phishing domains that were certified by registrars has more than doubled compared to H1 2018. Additionally, the number of suspicious domains possessing a valid SSL or TLS certificate has risen to 15%, up from 8.5% last year.

The researchers say this trend was expected. “Every year, hackers improve their techniques and become more intelligent,” the report says. “It is no surprise to see the increase in the number of potential phishing domains with valid certificates.”

43% of the suspected phishing domains are targeting European banks. 31% are spoofing financial institutions in Asia, and 23% are going after banks in North America.

Sophisticated attackers plan their phishing campaigns far in advance to maximize their effectiveness, and their attacks are growing more convincing. Organizations around the world can benefit from new-school security awareness training to help their employees fend off these attacks. PR Newswire has the story:

Discover dangerous look-alike domains that could be used against you!

Want to see which domains are out there that the bad guys could use as a doppelgänger for your own domain? Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines search, discovery, reporting, risk indicators, and end-user assessment with training so you can take action now:
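
As an added example (not part of this newsletter, the NormShield report, or KnowBe4's Domain Doppelgänger tool), the script below generates the typosquat and homoglyph variants of a brand domain that the look-alike bank domains described above are built from, and scores a feed of new registrations by whether they match and already carry a TLS certificate or resolve. The brand domain and the feed are constructed for the example; none of the names are real domains.

```python
"""Look-alike ("doppelganger") domain detection for a protected brand domain.

Constructed data: the brand domain and the OBSERVED feed below are made up
for this example, not real registrations.
"""

# Characters commonly swapped to produce visually similar names.
HOMOGLYPHS = {
    "o": ["0"], "0": ["o"], "l": ["1", "i"], "1": ["l"], "i": ["l", "1"],
    "e": ["3"], "a": ["4"], "m": ["rn"], "rn": ["m"], "w": ["vv"],
}
TLDS = ["com", "net", "org", "co", "info", "online", "support"]


def split_domain(domain):
    """'examplebank.com' -> ('examplebank', 'com'); the last label is the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def lookalike_variants(domain):
    """Return the single-edit variants a squatter is likely to register."""
    name, tld = split_domain(domain)
    variants = set()
    # 1. Same name on another TLD (examplebank.co, examplebank.support)
    for t in TLDS:
        if t != tld:
            variants.add(f"{name}.{t}")
    # 2. One character omitted (examplbank.com)
    for i in range(len(name)):
        variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # 3. Adjacent characters transposed (exmaplebank.com)
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        variants.add(f"{swapped}.{tld}")
    # 4. One homoglyph substitution (examp1ebank.com, exarnplebank.com)
    for i in range(len(name)):
        for src, repls in HOMOGLYPHS.items():
            if name.startswith(src, i):
                for r in repls:
                    variants.add(f"{name[:i]}{r}{name[i + len(src):]}.{tld}")
    # 5. Hyphen or lure-keyword insertion (example-bank.com, examplebank-login.com)
    for i in range(1, len(name)):
        variants.add(f"{name[:i]}-{name[i:]}.{tld}")
    for kw in ("login", "secure", "online", "verify"):
        variants.add(f"{name}-{kw}.{tld}")
        variants.add(f"{kw}-{name}.{tld}")
    variants.discard(domain.lower())  # never flag the genuine domain
    return variants


def find_doppelgangers(domain, observed):
    """Flag observed registrations matching a variant, highest risk first.

    `observed` holds (domain, has_tls_cert, resolves) tuples. A valid
    certificate and live DNS each add one point, since both indicate a
    site that is ready to be used, not merely parked.
    """
    candidates = lookalike_variants(domain)
    hits = []
    for dom, has_cert, resolves in observed:
        dom = dom.lower()
        if dom in candidates:
            hits.append({"domain": dom, "risk": 1 + int(has_cert) + int(resolves)})
    return sorted(hits, key=lambda h: (-h["risk"], h["domain"]))


# Constructed sample feed of new registrations (hypothetical names only).
OBSERVED = [
    ("examplebank.com", True, True),          # the genuine domain; not flagged
    ("examp1ebank.com", True, True),          # l -> 1, certified and live
    ("exarnplebank.com", False, False),       # m -> rn, parked
    ("examplebank-login.com", True, False),   # lure keyword appended
    ("examplebank-login.net", True, False),   # two edits at once; missed by a single-edit model
    ("unrelatedshop.com", True, True),        # legitimate, unrelated registration
]

if __name__ == "__main__":
    for hit in find_doppelgangers("examplebank.com", OBSERVED):
        print(f"{hit['domain']:28} risk={hit['risk']}")
```

The deliberately missed `examplebank-login.net` entry shows why real tooling also compares edit distance against the whole feed rather than relying on a fixed variant list alone.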
Microsoft, PayPal, and Facebook Are the Top Three Impersonated Brands

Back in June, we discussed Vade Secure’s “Phishers’ Favorites” report for Q1 2019, which found that Microsoft had been the most impersonated brand used in phishing attacks for four quarters in a row. Vade’s report for Q2 2019, just out, reveals that Microsoft has now held the lead for the fifth quarter straight. PayPal came in second, and Facebook rose to take #3.

Vade says there are two reasons why Microsoft has topped the list for the past five quarters. The first is the popularity of Office 365, particularly among enterprises. The number of phishing attacks targeting a particular brand naturally scales with how widespread that brand’s products are. The second reason is the value of Office 365 credentials.

Compromising one of these accounts grants an attacker access to SharePoint, OneDrive, Skype, and other services, as well as the organization’s Global Address List.

PayPal has long been a popular target for phishing attacks due to its status as the most popular online payment service in the world. Hacking someone’s PayPal account gives the attacker an immediate monetary payoff. Attacks impersonating PayPal are up 112% compared to Q2 2018.

The rise of phishbait mimicking Facebook and Amazon is perhaps the most significant finding of the report. Facebook phishing attacks had a year-over-year growth of 176%, overtaking Netflix for the #3 spot. The researchers suspect this is due to the growing adoption of Facebook’s single sign-on, which increases the value of a hacked Facebook account.

Meanwhile, Amazon rose fifteen spots to #8 on the list—a 411% increase year-over-year. The researchers observed a spike in May, probably due to a popular new phishing kit that targeted Amazon users. Vade also noted that Amazon phishing email subjects are more varied than those targeting other brands.

Scammers never stop churning out phishing emails, and they adapt their campaigns to focus on the most lucrative targets. New-school security awareness training can help your employees keep up with these trends so they know what to watch out for. Vade Secure has the story:

What KnowBe4 Customers Say

"Good morning Stu; after using your KnowBe4 service for over two months and having multiple interactions with Arthur, I felt compelled to express my satisfaction and thanks to you and your team. Arthur is a fantastic personality to deal with.

Arthur expresses interest and care when assisting me with the protection and training of my employees and my company. I felt you should know that hiring employees who put effort and care into every interaction is something that I value when looking for service. Thank you for doing a great job all around!"
- S.M., IT Support Manager

California Consumer Privacy Act (CCPA) Now In ModStore

Now live in the ModStore from TeachPrivacy: California Consumer Privacy Act (CCPA). This introductory course explains key rights and obligations under the CCPA. More details about the course and the excellent Subject Matter Expert, Professor Daniel Solove:

New Template Watch

Student loans are a major source of worry for people. We now have templates you can find by searching for Student Loan; they are in the Banking and Finance category:
  • Your Student Loan is Past Due
  • Student Loan Forgiveness: Act Now!
Also, following her fatal accident, there is a new Jessi Combs email template. Name:
  • The Drive: Jessi Combs Killed in 400-MPH Jet-Car Crash
Template Category: Controversial/NSFW *OFFENSIVE LANGUAGE*

The 10 11 Interesting News Items This Week
    1. Google's Project Zero has released details of its research into a quiet, sustained watering-hole campaign against Uyghur iPhone users in China. The iPhone was fully pwned:

    2. Court squeezes $1 million back from convicted phisher, YES!

    3. New Hampshire Passes Insurance Data Security Law. Your state/country will be next:

    4. Ransomware threat raises National Guard's role in state cybersecurity:

    5. Wow. The City of London Is Hit by One Million Cyber-Attacks Per Month:

    6. White Unicorns, Cybersecurity’s Most Valuable Companies: Who Are They?:

    7. How China Uses LinkedIn to Recruit Spies Abroad:

    8. OUCH. Cybersecurity vendor Imperva suffers from a data breach — exposes client info:

    9. Top 10 Most Popular Cybersecurity Certifications In 2019:

    10. Why You Should Use Windows Defender's Ransomware Prevention:

    11. BONUS: Data breaches expected to cost $5 trillion by 2024:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
