CyberheistNews Vol 9 #38 [Heads-Up] Holy SIMoly! SIM Card Attack Used to Spy on Mobile Phone Users


Researchers at AdaptiveMobile Security, a firm that specializes in cyber telecoms security, have disclosed a new SIM card attack method that could work against over 1 billion mobile phones, and they claim it has already been exploited by a surveillance company to track users.

Dubbed Simjacker, the attack involves sending a specially crafted SMS message to the targeted phone. The message contains SIM Toolkit (STK) instructions and it’s processed by the SIM card (the universal integrated circuit card, or UICC), specifically the S@T Browser present on the SIM.

An attacker could use this method to send a wide range of STK commands to the targeted device, including for playing a tone, sending SMS messages, making phone calls, collecting information about the device (location, IMEI, battery, language), launching a web browser, powering off the card, requesting geographical location, and exfiltrating data.

These commands can allow the attacker to track a user’s location, send arbitrary messages on a victim’s behalf (including to premium-rate numbers for fraud purposes), spy on users, deliver malware by instructing the device’s web browser to access a malicious website, and cause a denial-of-service (DoS) condition.

The GSM Association, a trade body of mobile network operators, said it had sent out recommendations to carriers for identifying and patching the vulnerability.

There doesn't seem to be a whole lot one can do about this, other than bearing in mind that a SIM card is a necessary condition for carrying out the attack. If you are an at-risk individual (journalist, spy, human rights activist, CEO, politician, etc.), there are some things you can do.

Blog post with some mitigation suggestions and link to SecurityWeek:
[Brand New Webinar] Setting the Trap: Crafty Ways the Bad Guys Use Pretexting to Own Your Network featuring Kevin Mitnick

Today’s phishing attacks have evolved way beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization in order to set the perfect trap. And pretexting is the key.

Whether it’s a phone call from an attacker impersonating your IT department or what seems like an innocuous email that ends up harvesting important credentials, the perfect pretext can lead to the bad guys owning your network before you know it.

Join us TOMORROW, Wednesday, September 18th @ 2:00 pm ET for this exclusive webinar where Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will show you how the bad guys craft such cunning attacks. They'll dig into tactics for reconnaissance, target selection, creating a pretext, and launching an attack. And more importantly, they will tell you what you need to know to protect your organization.

Kevin will also share new demonstration videos that will blow your mind. This is one webinar you can't afford to miss!

Date/Time: TOMORROW, Wednesday, September 18th @ 2:00 pm ET

Save My Spot!
The FBI Updates Their Numbers and CEO Fraud Is Now a 26 Billion Dollar Scam

FBI's Internet Crime Complaint Center (IC3) says that Business Email Compromise scams—aka CEO fraud—are continuing to grow every year, with a 100% increase in the identified global exposed losses between May 2018 and July 2019.

Also, between June 2016 and July 2019, IC3 received victim complaints regarding 166,349 domestic and international incidents, with a total exposed dollar loss of over $26 billion. "One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information or Wage and Tax Statement (W-2) forms," adds IC3.

The Scam Behind Losses Worth Billions

Even though the number of BEC scams has grown, heightened awareness of this type of fraud scheme has also led to more reports from victims all over the world, which in turn added to the increase in exposed losses reported for the last twelve months.

BEC scams have been reported throughout all U.S. States and in 177 countries around the world according to IC3, with scam-related transfers having been sent to banks from roughly 140 countries.

While accounts from banks from China and Hong Kong were the recipients of the largest share of fraudulent transfers, the FBI has also observed "an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey."

Defensive Measures Against BEC Scams

IC3 provides the following guidelines for employees containing both reactive measures and preventative strategies:
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII in response to any emails.
  • Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
  • Keep all software patches on and all systems updated.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's email address matches who it appears to be coming from.
  • Ensure the settings on employees' computers are enabled to allow full email extensions to be viewed.
In addition, to make sure that their employees will not fall victim to BEC attacks, companies have to implement strict vendor processes to check and authenticate payment info changes via multiple methods. And as always, many of the above bullets can be achieved by new-school security awareness training.
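As an added illustration of the sender and URL checks in the list above (this is example code written for this newsletter issue, not IC3's or KnowBe4's tooling), the following Python script runs a few of those checks over a constructed, deliberately suspicious e-mail: it flags a From domain that is a typo away from a trusted one, a Reply-To that points somewhere other than the From domain, link text whose visible domain differs from the real href, and link hosts that imitate a trusted domain. The trusted-domain list, the sample message, the two-edit threshold and the "last two labels" domain heuristic are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own domain and its bank's domain (constructed for the example).
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

# Matches <a href="...">visible text</a> in an HTML body, and a URL shown in that visible text.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
VISIBLE_URL_RE = re.compile(r'https?://([^/\s<]+)', re.I)


def levenshtein(a, b):
    """Edit distance: a lookalike such as examp1e-corp.com is one edit from the real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain guess: the last two labels (no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike(domain, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    reg = registrable(domain)
    if reg in trusted:
        return None
    for t in sorted(trusted):
        brand = t.split(".")[0]
        if levenshtein(reg, t) <= max_edits or brand in reg:
            return t
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Collect the text parts of the message (works for single-part and multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_email(raw):
    """Return a list of (finding_code, detail) tuples for the header and link checks."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    hit = lookalike(from_domain)
    if hit:
        findings.append(("lookalike-from", f"{from_domain} resembles {hit}"))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {domain_of(reply_to)}, not {from_domain}"))
    for href, text in LINK_RE.findall(body_text(msg)):
        href_host = (urlparse(href).hostname or "").lower()
        shown = VISIBLE_URL_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(href_host):
            findings.append(("link-text-mismatch", f"shows {shown.group(1)} but goes to {href_host}"))
        hit = lookalike(href_host)
        if hit:
            findings.append(("lookalike-link", f"{href_host} resembles {hit}"))
    return findings


# Constructed sample: a BEC-style "update the bank details" message with a typo-squatted sender.
SAMPLE_EMAIL = """\
From: "Accounts Payable" <ap@examp1e-corp.com>
Reply-To: finance.updates@mailbox-example.net
To: clerk@example-corp.com
Subject: Updated wire instructions for vendor payment
Content-Type: text/html; charset=us-ascii

<p>Please update the vendor bank details before today's payment run.</p>
<p><a href="http://login.bank-examp1e.com/update">https://bank-example.com/portal</a></p>
"""

if __name__ == "__main__":
    for code, detail in check_email(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

Run as-is, the script reports all four findings for the constructed message. The edit-distance and brand-substring tests are deliberately simple; a production filter would use a public-suffix list for the registrable domain and would tune the threshold per brand to keep false positives down.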
Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats and, just as importantly, effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, September 25 at 2:00 pm (ET), for a live 30-minute demo of the PhishER platform and see PhishML, a new machine-learning module now available in the PhishER platform.

With PhishER you can:
  • *NEW* Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: Wednesday, September 25 at 2:00 pm (ET)

Save My Spot!
Cybersecurity: 99% of Email Attacks Rely on Victims Clicking Links

Danny Palmer at ZDNet had the scoop: "Social engineering is by far the biggest factor in malicious hacking campaigns, warn researchers – so how can it be stopped?"

"Nearly all successful email-based cyberattacks require the target to open files, click on links, or carry out some other action.

While a tiny fraction of attacks rely on exploit kits and known software vulnerabilities to compromise systems, the vast majority of campaigns, 99%, require some level of human input to execute. These interactions can also enable macros, so malicious code can be run.

Sometimes it seems easy to blame users for falling victim to phishing attacks, but campaigns are becoming increasingly sophisticated. It's often difficult to distinguish a malicious email from a regular one because attackers will tailor attacks to look as if they come from a trusted source, such as cloud service providers like Microsoft or Google, colleagues, or even the boss.

This social engineering is the key element in conducting campaigns: the Proofpoint report even states that attackers are mimicking the routines of businesses to ensure the best chance of success.

For example, a user might be suspicious of an email claiming to come from a colleague that arrived in the middle of the night, but one which arrives in the middle of the working day is more likely to be treated as a legitimate email, with the potential for the victim to accidentally set the ball rolling for an attack.

Phishing is one of the cheapest, easiest cyberattacks for criminals to deploy – but the reason it remains a cornerstone of hacking campaigns is because, put simply, phishing works.

While many phishing attacks are designed to look highly legitimate, there are ways to identify what could potentially be a malicious attack.

For example, unexpected emails that are based around a sense of urgency could be viewed as suspicious. If a user is in doubt, they could contact the supposed sender of the message to see if it is a legitimate message.

It's also worth noting that cloud service providers like Microsoft and Google won't ask users to click through unexpected links to enter login credentials and other information. If a user is suspicious of a supposed login URL, they can bypass the link by going direct to the provider itself and entering their details there.

Organisations should also ensure that software updates and security patches are regularly applied, so in the case of someone accidentally clicking a link, malware that relies on known vulnerabilities can't operate."

We could not agree more. ZDNet has the full story:

Note: KnowBe4 has no affiliation with either ZDNet or Proofpoint
In the Hot Seat: Three Experts Tackle Ten Critical Security Awareness Issues

Three experts. Ten hot topics. Sixty minutes. What happens when you lock highly opinionated security awareness experts in a room with a microphone and a list of top security issues facing your organization? This is your chance to find out!

In this webinar, Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, and our guests, Forrester’s Jinan Budge and Claire O’Malley, will provide practical advice and pithy comments as they take on a wide-ranging list of security awareness topics, behavior, and culture management issues in rapid-fire format.

Key topics will include:
  • The real cost of ignoring the human element
  • What can security awareness mean for your organization’s overall reputation?
  • Talking to your execs and the board about cybersecurity
  • How do you measure the benefit of awareness, behavior and culture change?
  • Security awareness & training content: Quality versus quantity
  • And many others!
Get the expert take! Find out how to empower your end users, measure success and help keep the bad guys out.

Date/Time: Thursday, September 26 @ 2:00 pm (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: We were excited to hear that eSecurity Planet worked with Gartner and Cybersecurity Ventures to compile a ranking of the Top Cybersecurity Companies. Here is how they did their Top 15 listing, and check out where KnowBe4 ranks!
Quotes of the Week
"Our fascination with failure has led our attention astray. We’ve been so transfixed with studying failure in an effort to figure out how to improve performance that we’ve missed the obvious thing: To be excellent we should be studying excellence." - Marcus Buckingham

"Our prime purpose in this life is to help others. And if you can't help them, at least don't hurt them."
- Dalai Lama

Thanks for reading CyberheistNews
Security News
Phishing Nightmare? New "Deadline" Email From Equifax Settlement Administrator Notifies of Changes in Filing

You’d better check your email queue for a new email from The Equifax Breach Settlement Administrator that was sent out several days ago to those who previously filed a claim. It will include your claim number prominently noted at the top. If you don’t read that email carefully and take action, you will be eliminated from the settlement entirely.

Someone finally realized the math didn’t work and that way too many people filed claims. There was only $31 million allocated in the cash pool, to be split among those of the approximately 147 million people whose information was breached who chose the $125 cash payout, or who claimed out-of-pocket expenses (up to $20,000) from an actual identity breach.

Since so many data breaches have occurred and so many people already offered credit monitoring, LOTS of people went for the cash payout. This new letter sure seems to be an effective way to narrow down the pool of claimants. You will need to verify or amend your claim on the official settlement site or be eliminated by the deadline, October 15, 2019.

If you don’t take action, your claim for alternative compensation will be denied, according to the letter. Make sure the email comes from the official email address of the settlement, and be careful to go to the official Equifax settlement site and not to a phishing site or evil twin.

Scammers could easily use social engineering tricks and take advantage of this urgency in a variety of ways. You can join in this discussion on our Hackbusters Forum. It’s our community for discussion of all things related to social engineering:
Nemty Ransomware Infests Bogus PayPal Site

BleepingComputer describes a PayPal phishing site that’s delivering a new strain of Nemty ransomware. The attackers used Unicode characters from different alphabets to make their URL look like PayPal’s legitimate domain.

The slickly designed web page offers users a 3-5% return on PayPal transactions if they download what is presented as an official PayPal browser extension. Users who click the download button receive a file named “cashback.exe.” Running this executable infects the user’s system with the ransomware.

Nemty ransomware has been around for a while, but it began attracting attention last month. It was recently observed spreading via the RIG exploit kit, and it may have been going after exposed RDP connections. The PayPal phishing site suggests that Nemty’s operators are interested in using multiple channels of distribution.

Ransomware is a very profitable criminal enterprise and attackers have high incentive to improve their tactics. We need hardly mention how widely used PayPal is, both for personal and business transactions. Social engineering is the most reliable and effective way to get malware onto your network.

New-school security awareness training can help your employees defend themselves against these attacks and keep your organization safe. BleepingComputer has the story:
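The Unicode trick BleepingComputer describes, where letters from another alphabet stand in for Latin letters in the hostname, can be made visible with a short script. The following is added example code, not from BleepingComputer, PayPal or KnowBe4: it shows the punycode (xn--) form that DNS actually resolves, flags labels that mix scripts, and folds a small set of confusable characters back to Latin to see whether the result matches a trusted brand domain. The sample URL is constructed with a Cyrillic "а" in place of the Latin "a", the trusted list holds only paypal.com, and the confusable table is an assumed, deliberately short stand-in for the Unicode TR39 confusables data.

```python
import unicodedata
from urllib.parse import urlparse

# Assumption: the brand whose lookalikes we want to catch (the story's example is PayPal).
TRUSTED_DOMAINS = {"paypal.com"}

# Constructed, deliberately short confusable table: Cyrillic/Greek letters and digits
# that render like Latin letters. Real checks use the Unicode TR39 confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
    "1": "l", "0": "o",
}


def hostname(url):
    return (urlparse(url).hostname or "").rstrip(".")


def punycode(host):
    """The ACE form (xn--...) that DNS actually sees; unchanged for pure-ASCII names."""
    return host.encode("idna").decode("ascii")


def scripts(label):
    """Set of Unicode scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Fold the host to plain Latin using NFKC normalisation plus the confusable table."""
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def registrable(host):
    """Crude registrable-domain guess: the last two labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(url):
    """Return the displayed host, its ACE form, and a list of (finding_code, detail) tuples."""
    host = hostname(url)
    ace = punycode(host)
    findings = []
    if ace != host:
        findings.append(("non-ascii-host", ace))
    for label in host.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append(("mixed-script-label", f"{label}: {sorted(used)}"))
    target = registrable(skeleton(host))
    if target in TRUSTED_DOMAINS and registrable(host) not in TRUSTED_DOMAINS:
        findings.append(("confusable-with", target))
    return {"host": host, "ace": ace, "findings": findings}


# Constructed sample: the second letter is Cyrillic U+0430, which renders exactly like Latin "a".
SAMPLE_URL = "https://www.p\u0430ypal.com/cashback"

if __name__ == "__main__":
    result = assess(SAMPLE_URL)
    print("displayed:", result["host"])
    print("resolved: ", result["ace"])
    for code, detail in result["findings"]:
        print(f"{code}: {detail}")
```

The punycode line is the one worth showing users: the address bar may render the lookalike, but the name the browser connects to starts with "xn--", which is the clearest tell that the domain is not the brand's. The mixed-script and skeleton checks also catch the all-ASCII variant "paypa1.com", because the digit-to-letter entries in the table fold it to the trusted name.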
Social Media and Their Exploitation in Social Engineering

Phishing is most commonly associated with email, but social media are quickly becoming a major hunting ground for scammers, according to Elliot Volkman from PhishLabs. Social media present many of the same problems faced by email, such as impersonation, credential theft, and various types of scams, but they also facilitate intelligence gathering for targeted attacks.

Additionally, attackers can interact with other accounts to confuse users, rather than being restricted to one-on-one conversations. “Because phishing is the malicious use of social engineering, impersonation plays a huge role in the success of an attack,” he explains.

“By posing as someone with any kind of authority, it’s easy to damage that person, the brand associated with them, and trick users into taking a specific action....One of the most common examples is that when a celebrity posts a Twitter, a threat actor replies to it, posing as that user, saying they are giving away free bitcoins. Hint: they aren’t.”

Volkman also points out that attackers shift their tactics as the market changes in order to target the largest number of potential victims. “Take for example your organization,” he says. “As a brand, there is a good chance there are set profiles on the largest networks; however, what about your users and employees?

The more prevalent and engaged a digital medium, the greater the likelihood that a threat actor will attempt to abuse it.” One of the benefits of the increased connectivity offered by social media is that users can band together to call out scams when they see them. All organizations can benefit from providing new-school security awareness training to help their employees better defend themselves against social engineering attacks. PhishLabs has the story:
"This Can’t Be Happening": One MSP’s Harrowing Ransomware Story

Cybersecurity guru Brian Krebs tells CRN that MSPs and cloud providers are being targeted because the bad actors have learned to count on them for weak, unpatched networks. ‘Who is vetting these providers? Who is asking if they’re doing things right? On a lot of occasions, they’re not.’

A California-based MSP was on a vacation, driving up the Pacific Northwest coast with his girlfriend when a customer called him with a problem that would end up consuming all his time off, and plunge him into the murky underworld of ransomware negotiation.

“He described what was going on and I said, ‘That sounds like you got hit by ransomware,’ ” said the MSP who asked to remain anonymous. “Then I had another customer call me … I was with my gal. I said ‘This can’t be happening.’ I’m on the phone driving to Oregon calling all of my customers and telling them to turn off their computers.”

The MSP is one of dozens nationwide that’s part of an expanding roster of solution providers whose networks and customers have fallen prey this year to ransomware. Whether via a phishing campaign against random sites, or using powerful ITSM tools in a targeted strike, hackers have picked up the pace of ransomware attacks in 2019, which has seen a five-fold increase in hits to government systems alone, according to the National Association of State Chief Information Officers. CRN has the story:
What KnowBe4 Customers Say

"Stu, I really appreciate you reaching out! KnowBe4 has given me so much more visibility into my organization, considering that most of our users are outside of our corporate office. We're definitely working on getting our users educated about phishing and scam attempts, and I think we're going to come out of this as a much more secure organization.

I actually just finished watching The Inside Man, and I was very impressed! It even gave me, a sysadmin, a lot to think about as far as our security policies. I'd love for our users to watch it too, but that'll be a tougher task.

Besides that, the sales experience and our customer success manager have been fantastic. We couldn't be happier as a KnowBe4 customer! Thanks so much!"
- P.J., Systems Administrator

"Hi Stu, Yes, we are very happy campers with the KnowBe4 service. The service & support we've had so far has been excellent! I've dealt with many vendors over the years, and I have to say the service is the best I've seen. Before we made the purchase, we were constantly hounded by the salesperson... which is pretty typical with vendors we've worked with trying to make a sale.

I was surprised to find the same level of enthusiasm after the sale, with your account management and support teams; which is definitely not typical. One example... we had an issue whitelisting KnowBe4 with our anti-virus software. The account manager was constantly checking in with me on our implementation, and I mentioned this issue to her. The next day I came into the office, I had an email and phone call from support; with detailed instructions on how to solve our problem.

I didn't expect her to open a support case for us, and figured we'd just have to figure it out on our end. I wish we could get the same level of support from other vendors! Our account manager is Diana Gilbert, and she has been outstanding to work with. Thanks for checking in!"
- P.C., IT Manager
The 10 Interesting News Items This Week
    1. Want to calculate how much a data breach would cost your own organization? The IBM data breach tool can help but you do need to register:

    2. "Researchers at the cybersecurity firm Symantec said they have found at least three cases of executives' voices being mimicked to swindle companies."

    3. Secret Service Investigates Breach at U.S. Govt IT Contractor:

    4. Dishing On Phishing: Are Your Employees Black Belt Cyber Defenders?:

    5. Why it’s time for the U.S. to start pushing back against Chinese information operations | WashPost

    6. FBI Cyber Warning: BEC Attacks On Key Employees Up 100%, As 281 Are Arrested:

    7. Security Leaders Share Tips for Boardroom Chats:

    8. The potential for a 'miscalculated' enemy cyberattack keeps me up at night, warns Pentagon cyber chief:

    9. Phishing attacks on Mac users doubling; here’s what to watch for:

    10. Report: Employees Trigger Most Industrial Network Cybersecurity Incidents:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Kevin Mitnick puts a stack of hundred-dollar bills in a Paris Hotel safe. See what happens!:

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.