CyberheistNews Vol 9 #4 It Only Takes 1 Phish: Wichita State University Employees Get Fooled Into Losing Their Paychecks

It Only Takes 1 Phish: Wichita State University Employees Get Fooled Into Losing Their Paychecks

Three employees of the university fell prey to a common scam asking for their credentials, giving cybercriminals access to change banking details.

We’ve said it time and time again: the bad guys do their homework. In the case of the attack on WSU employees, cybercriminals spoofed the university’s payroll system and sent emails to employees tricking them into providing their university ID and password. That was all the attackers needed to gain full control of each employee’s profile, personal data and, most importantly, banking information.

It wasn’t until a number of employees did not receive their paychecks that the scam was discovered. At least three members of the WSU staff fell for it, allowing cybercriminals to alter those employees’ personal banking details so that paycheck payments were routed to the criminals’ bank.

The university indicated that it would make the affected employees whole, despite not being responsible for the attack, but that it would not be able to do so should it happen again.

Cybercriminals are in the business of ensuring their efforts pay off. It’s the primary reason they target specific industries, businesses, and even people. The more context they can gather (e.g., the payroll system used specifically by WSU), the higher the chances of successfully fooling an employee into taking the bait.

Organizations need to keep employees on their toes with security top of mind to avoid incidents like this. When users step through security awareness training, they are taught about the attack methods used and to be suspicious of anything that seems out of the ordinary, scrutinizing email, web pages and even phone calls, all to make sure your organization is protected against successful attacks.

There are several more items further down with similar incidents; the bad guys have moved toward "payroll attacks" in a big way.
Proposed N.C. Bill Would Require Ransomware Disclosures

North Carolina Attorney General Josh Stein released a report on Thursday that highlights the impact of data breaches on the state in 2018, and paired the report with a bipartisan bill to strengthen breach notifications to include ransomware attacks.

Stein, a Democrat, and N.C. House Rep. Jason Saine, a Republican, introduced a bill to expand the definition of breach to include ransomware attacks, and to tighten breach notification rules. Under the new bill, organizations would have to report ransomware attacks to affected individuals and the state attorney general’s office within 30 days.

The bill also would require businesses that own or license personal information to have “reasonable security procedure and practices.”

On the consumer side, the bill reduces the notification window for breaches to 30 days, allows people to freeze their credit cards for free and to monitor their credit for free for four years if a consumer reporting agency like Equifax suffers a breach, and requires companies to obtain consent when seeking credit scores.

Diving into the details, nearly 45 percent of breaches were the result of hacking, while 26 percent were attributed to phishing, and 17 percent to accidental release. Hacking saw a decline from 2017, while phishing saw the most growth among categories, growing by 11 percent. Continued:
[Live Webinar] The Real World: New-School Security Awareness Training... From the Trenches

This is the true story of an IT Manager who was tired of his users clicking on everything and wanted to teach them a lesson… in a good way. Find out what happens, when you stop being polite, and start getting real. New-school security awareness training!

In this "From the Trenches" event, we’ll talk with Tory Dombrowski, IT Manager at Takeform and KnowBe4 customer, about his experiences and lessons learned while designing and delivering a security awareness training plan for his users.

Erich Kron, KnowBe4's Security Awareness Advocate, and Tory will dive deep to share best practices and creative ideas, so you know what to expect when executing your own program.

In this webinar you'll learn:
  • Why it's so important to empower your users to become a "human firewall"
  • What it's really like to get executive buy-in and implement security awareness training and simulated phishing
  • The good, the bad and the truly hilarious results of training and testing your users
Join us on Tuesday, January 29th @ 1:00 pm ET to get the real story from this KnowBe4 customer!

Save My Spot:
Violence, Drugs and... Cyberattacks Worry HR in 2019

Sometimes, IT and HR are at odds with each other for various reasons. Here is a great way to get alignment between these two groups: Cyberattacks.

The Society for Human Resource Management (SHRM) just released a report that showed the things that keep HR people up at night, and there is some interesting overlap: workplace violence, marijuana use, data security, leave laws and workforce planning are among the most difficult challenges for employers this year.

Here is an article with experts who weigh in with tips and strategies on how to respond to and prepare for these challenges. Yours truly is quoted:
Find Out if Any of Your Users Are Exposed in This Brand New Humongous Data Breach

Troy Hunt, the site admin of Have I Been Pwned (HIBP), just released some disconcerting news. A new data breach of humongous proportions has just been made public; we are talking astronomical numbers. He has called this data set "Collection#1" and it consists of:
  • 2,692,818,238 rows of email addresses and passwords
  • 1,160,253,228 unique combinations of email addresses and passwords
  • 772,904,991 unique email addresses
  • 21,222,975 unique passwords (that's too many reused passwords!)
Troy has loaded all this information in Have I Been Pwned and there is lots more detail about this new breach over at Troy's Blog. The database seems to have been put together for credential-stuffing attacks, in which hackers rapidly test email and password combinations at a given site or service. This is typically a fully automated process which preys especially on people who reuse passwords across multiple sites on the internet.
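Credential stuffing, as described above, has a signature a defender can look for in authentication logs: one source trying a different account on nearly every attempt, mostly failing, occasionally succeeding. The following is an added illustration (not code from KnowBe4, Troy Hunt or HIBP) of that detection logic run over a handful of constructed log lines; the log format, the source addresses and the account names are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 203.0.113.5 cycles through many
# accounts with one failure each (stuffing pattern, one hit); 198.51.100.7 is a
# single user mistyping their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z src=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2019-01-17T10:00:03Z src=203.0.113.5 user=dave@example.com result=OK
2019-01-17T10:00:04Z src=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T10:00:05Z src=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:00:10Z src=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:20Z src=198.51.100.7 user=grace@example.com result=FAIL
2019-01-17T10:00:30Z src=198.51.100.7 user=grace@example.com result=OK
2019-01-17T10:05:00Z src=192.0.2.9 user=heidi@example.com result=OK
"""

# Hypothetical key=value log format; adapt the pattern to your own auth logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: details} for sources that touch at least min_distinct_users
    distinct accounts inside one sliding time window.

    Counting distinct accounts per source (rather than failures per account)
    is what separates stuffing from an ordinary user who forgot their password:
    the latter produces many failures for one account and never trips this rule.
    """
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            events_by_src[event["src"]].append(event)

    flagged = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            window_events = events[start:end + 1]
            users = {e["user"] for e in window_events}
            if len(users) >= min_distinct_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(window_events),
                    # Accounts that succeeded during the spray: these are the
                    # reused passwords the attacker now holds; reset them first.
                    "successes": sorted(
                        e["user"] for e in window_events if e["result"] == "OK"
                    ),
                }
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts in {info['attempts']} attempts, "
              f"successful logins: {info['successes']}")
```

The thresholds (five distinct accounts in five minutes) are placeholders; tune them to your own traffic. The useful output is the `successes` list, because those are exactly the accounts whose owners reused a password that is in a list like Collection #1.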

Investigative reporter Brian Krebs remarked that this seems to be a compilation of well over 2,000 breaches and that most of the data is a few years old. He also commented that other, more recent "collections" were available too.

How Serious Is This?

WIRED called it: "Pretty darn serious! While it doesn't appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving:
  1. Around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.
  2. Then there’s the way in which those passwords are saved in Collection #1: these are all plain-text passwords.
  3. And lastly, Hunt also notes that all of these records were sitting not in some dark web backwater, but on one of the most popular cloud storage sites—until it got taken down—and then on a public hacking site. They weren’t even for sale; they were just available for anyone to take."
Find out if any of your users are exposed in this brand-new humongous data breach.

KnowBe4’s Password Exposure Test (PET) is a brand-new and complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users. It has a link to the HIBP site and will check for all the compromised data above.

PET makes it easy for you to identify users with exposed emails publicly available on the web, and checks your Active Directory to see if they are using weak or compromised passwords that are part of a known data breach. PET then reports on any user accounts affected so you can take action immediately!

With Password Exposure Test you can:
  • Search and identify any of your users with exposed emails, account information, or passwords available on the web
  • Quickly isolate password security vulnerabilities and easily identify high risk passwords being reused within your organization
  • Generate a detailed report on user accounts affected. You can download the summary report as a PDF or Excel file directly within the tool
Get your results in a few minutes! You are probably not going to like what you see. Download Now:
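A tool like the one described above checks a password against a breach corpus without ever sending the password, or even its full hash, off the host. HIBP's Pwned Passwords range API does this with k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every known suffix for that prefix with an occurrence count. The following is an added example (not KnowBe4's or HIBP's code) of that client-side logic; to run offline it queries a tiny constructed index of a few weak passwords with made-up counts instead of the real endpoint, and `fetch_range` is the hypothetical hook where a real lookup would go.

```python
import hashlib

# Constructed stand-in for a breach corpus (not Collection #1 data): a few
# well-known weak passwords with invented occurrence counts.
_CONSTRUCTED_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "qwerty": 3_800_000,
    "Summer2018!": 1_200,
}


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the range-API convention."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group hash suffixes by their 5-character prefix, the shape a range
    service hands back: one 'SUFFIX:COUNT' line per known hash."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_upper(password)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(_CONSTRUCTED_CORPUS)


def fetch_range(prefix: str) -> str:
    """Hypothetical lookup hook: only the 5-character prefix is ever sent.
    Here it reads the local constructed index so the example runs offline."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly a 5-hex-character prefix")
    return "\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    The full hash never leaves this function; matching happens locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_accounts(accounts):
    """Given {username: candidate_password} (e.g. at password-change time),
    return the usernames whose password is in the corpus, with counts."""
    return {
        user: breach_count(pw)
        for user, pw in accounts.items()
        if breach_count(pw) > 0
    }


if __name__ == "__main__":
    # Constructed accounts for demonstration only.
    demo = {"alice": "Summer2018!", "bob": "gv7-Qp2!wLt3xRz9mN"}
    print(audit_accounts(demo))
```

Against Active Directory you would not hold plaintext passwords; the same prefix-matching works on NT hashes if the corpus you query is keyed by NTLM rather than SHA-1, which is why the check is best wired into password-change time or run against hashes you are already authorised to audit.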
[LIVE DEMO] See This New Phishing Threat Response Product PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product that's a huge time-saver for your Incident Response team. See how you can best manage your user-reported messages.

Join us, Wednesday, January 23, 2019, at 2:00 pm (ET), for a live 30-minute demo of the new PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Integrate easily with KnowBe4’s email add-in button, Phish Alert, or simply forward reports to a mailbox
Find out how adding PhishER to your incident response efforts can help you identify and respond to email threats faster!

Date/Time: Wednesday, January 23, at 2:00pm (ET)
Get the Unique "2019 Security Threats and Trends" Survey Results First!

Once a year, KnowBe4 runs its Security Threats and Trends Survey. We’re polling IT and Security executives, administrators and professionals like yourself on what technology and business issues you consider your organization's biggest security threats and challenges over the next 12 months.

It will take you 5 minutes tops. As a reward, you get the results first, which will allow you to compare yourself with your peers. It's multiple choice with one essay question. ALL responses are confidential.

Anyone who completes the survey and includes their Email address in the Essay question along with a comment gets a complimentary copy of the Executive Summary and the accompanying PowerPoint presentation of the survey results. The person who provides us with the best Essay comment will win a $100 Amazon gift card.

Here's the link to the new 2019 survey:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Every quarter, the KnowBe4 Technical Content team creates an update of all the new content and features that have been added in the last three months. Here is the Jan 2019 10-min video, which covers a wealth of cool new stuff that was added to your platform!

PPS: Want your kids to stay safe online? Here's a fun, no-cost interactive cybersecurity activity kit for children, introducing Captain Awareness:
Quotes of the Week
"One of the sanest, surest, and most generous joys of life comes from being happy over the good fortune of others." - Robert A. Heinlein, Sci-Fi Author (1907 - 1988)

"The supreme irony of life is that hardly anyone gets out of it alive."
- Robert A. Heinlein, Sci-Fi Author (1907 - 1988)

Thanks for reading CyberheistNews
Security News
Criminals Steal €97,000 From Irish Law Firm After Intercepting Email

A Dublin law firm lost €97,000 when criminals changed bank details in an intercepted email, according to the Law Society of Ireland. The firm was acting to redeem a mortgage when the email was intercepted. The attacker changed the account information to point to a fraudulent account in an Ulster Bank branch. The money was transferred to this account, and it has since been withdrawn.

This attack followed another attempt in which an attacker intercepted an email and changed the details to those of a bank account in Turkey named “Bitcoin Concept.” This email was identified as fraudulent, and the firm contacted the legitimate account holder to obtain the correct bank details.

An alert on the Law Society’s website states that “both external and internal emails have been intercepted and the details amended” in these attacks, and advises legal professionals to ensure that they verify financial details contained in emails before approving money transfers.

“Members of the profession are advised that as far as possible, they should not rely upon bank account details received in an email,” the Law Society states. “However, in cases where this is done, it is imperative that the individual transferring the money is the person verifying the account details.”

The Law Society also says that you shouldn’t use a phone number in an email to verify the email’s authenticity. If an email is fraudulent, then the phone number is almost certainly fake as well. You should instead obtain the number from a separate source, such as the Law Directory or a legitimate company website.

New-school security awareness training can teach employees to be suspicious of email communication, especially when it involves financial information. The Independent has the story:
BenefitMall Hit by Months-Long Data Breach

The Dallas-based payroll firm BenefitMall announced on January 4 that nearly 112,000 customers may have had their personal information exposed during a four-month-long data breach. The breach was discovered on October 11, when the company realized that several internal email accounts had been compromised by phishing attacks.

The company brought in a third-party forensics team, which found that the initial compromise occurred in June 2018. The attacker gained access to additional accounts in the months that followed.

In a press release, BenefitMall stated that the “emails in the affected mailboxes may have included consumers' names, addresses, Social Security numbers, dates of birth, bank account numbers, and information relating to payment of insurance premiums.”

The company didn’t explain why it took so long to notify customers after the breach was discovered, but says it’s working with law enforcement to investigate the incident.

BenefitMall stated that it’s put new security measures in place, such as two-factor authentication, to protect its email accounts from future attacks. The company is also committing itself to ongoing education and training programs to help its employees recognize phishing emails.

While these are steps in the right direction, organizations should implement these measures before they experience a data breach. New-school security awareness training can help your employees identify and report phishing attempts when they occur. HealthITSecurity has the story:
More BEC Attacks Are Targeting Executives’ Payrolls

There’s been an increase in business email compromise (BEC) scams targeting HR employees, according to James Linton at Agari. Scammers are impersonating high-ranking employees at companies and attempting to have these employees’ paychecks diverted into an attacker-controlled bank account.

In order to do this, they first gather information on employees at the company so that they know who to target and who to impersonate. The impersonated individual is usually the CEO or another executive at the company.

Next, the scammer sets up an email account that spoofs the name of this executive, and sends an email to an employee who is responsible for the company’s payroll services. This email contains some excuse for why the impersonated executive needs to change his or her direct deposit details.

Linton says that the attacker will then continue to use social engineering tactics until the target approves the request.

“From this point, the threat actor will be thinking on their feet to a certain extent; their main aim is to avoid being directed to any online third-party HR solution that would require access details they do not possess,” writes Linton. “Knowing this, any attempts to add undue urgency or absolve themselves of the ability to complete the usual process should immediately trigger a red flag.

It should also be noted that the threat actors are not fazed by being asked to provide a voided check displaying the new account details, and have successfully provided these when requested of them.”

Linton recommends that all organizations “evaluate their current processes for updating payroll details.” A multi-factor system should always be implemented wherever possible. If this isn’t available, organizations should have a process which ensures that “an element of human contact is established before completion of the request.”

Employees should be taught that email, by itself, is not a verifiable form of communication. They should always confirm the legitimacy of important requests made via email. Agari has the story:
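The Agari write-up above gives a payroll-diversion BEC a recognisable shape: a display name that matches an executive, a sending address that does not belong to the company, a Reply-To pointing elsewhere, and a request to change direct-deposit details that tries to route around the normal HR process. The following is an added example (not Agari's or KnowBe4's code) of a mailbox-side triage rule built from those indicators and run over two constructed messages; the company domain, executive directory and both emails are invented for the example, and the outcome it produces is simply "verify out of band before acting", which is the process the article recommends.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation and executive directory (constructed for the example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases that mark a message as a payroll/banking change request.
PAYROLL_TERMS = ("direct deposit", "payroll", "bank account", "routing number")
# Phrases that try to steer the request away from the normal HR process.
BYPASS_TERMS = ("can't log in", "cannot log in", "process it from this email",
                "before this pay run", "urgent")

# Constructed message 1: display name spoof of an executive from an outside address.
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe.office@mail.example.net>
Reply-To: jane.doe.office@mail.example.net
To: payroll@example.com
Subject: Update my direct deposit

I changed banks and need my direct deposit updated before this pay run.
I can't log in to the HR portal while travelling, so please process it from this email.
"""

# Constructed message 2: ordinary internal mail from the same executive.
LEGITIMATE_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 planning meeting

Can we move the planning meeting to Thursday afternoon?
"""


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def triage_payroll_request(raw_message: str) -> dict:
    """Return indicator findings and whether the request must be verified out of band.

    Rule: any payroll/banking change arriving by email needs confirmation through
    a channel the sender did not supply; identity mismatches raise the priority.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    findings = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    if _domain(addr) != COMPANY_DOMAIN:
        findings.append(f"sender domain {_domain(addr)} is external")
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From")

    payroll_hits = [t for t in PAYROLL_TERMS if t in text]
    bypass_hits = [t for t in BYPASS_TERMS if t in text]

    identity_issue = bool(findings)
    verify = bool(payroll_hits)
    priority = "high" if (verify and (identity_issue or bypass_hits)) else ("medium" if verify else "low")
    return {
        "findings": findings,
        "payroll_terms": payroll_hits,
        "bypass_terms": bypass_hits,
        "verify_out_of_band": verify,
        "priority": priority,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, triage_payroll_request(raw))
```

The rule deliberately flags every payroll change that arrives by email, not only the suspicious-looking ones: the article's point is that email alone cannot authenticate such a request, so the verification step (a call to a number from the directory, or the HR portal the attacker wants to avoid) applies even when the headers look clean.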
Training Is the Key to a Culture of Security - Part II

Here’s a follow-up to an earlier post of ours, with amplification of points well worth making.

Trained employees are a central component of an organization’s security posture, according to Freaky Clown (FC), CEO and Head of Ethical Security at Cygenta.

FC is a professional red teamer who tests the security of organizations by breaking into them. FC talked to Carole Theriault in part two of an interview on the CyberWire’s Hacking Humans podcast.

FC says that managers are often surprised by how far he can get without being caught, because employees don’t know to watch out for threats. He describes a number of unusual situations in which he has convinced employees to participate in strange activities, such as building teepees with their coats as a team building exercise, or setting up a bar in a government building.

“You can genuinely just confuse people enough to think that they should be helping you,” he says. FC explains that just one employee who knows what an attack looks like can make the difference between a thwarted attempt and a devastating cyberattack:

“If you see some of the massive cyberattacks that we've seen recently - like, you know, sort of a billion pounds tried to be stolen from the SWIFT network - that was stopped by one analyst. And we're seeing things like that all the time. Even some of our clients who have had massive spear-phishing attacks, like you know, CEO fraud, that was stopped because one person was like, 'that's odd'.

That doesn't sound like the way that Jeff would write an email. They understand it. If they know what can be done and how it would be done, then they're in a much better position to stop it before any technology can even get in.”

He adds that companies that feel overwhelmed by the task of security education should bring in professionals to make the job easier: “Whatever your role is as a company, you're doing that. You can't be expected to understand all of the security threats. So that's where a security company comes in and goes, OK, look. We understand how criminals are working because we see this day to day.

We understand how the criminal organizations are working. We understand how nation-state attackers are working. So what is your threat level? Try to build up on that.” There’s no reason to waste time on PowerPoint slides and corporate videos when a security company can give your employees a better education on the most relevant threats.

New-school security awareness training can be a crucial asset for organizations that want to maximize their security. “Having a great security culture in a company is your best asset,” says FC. “It really is. People always say, like, humans are the weakest link. No, they're the weakest link until you train them. And then they are your strongest link.” The CyberWire has the story:
What KnowBe4 Customers Say

"Stu, we’re happy with KnowBe4 so far! We’ve been impressed with the features available and we feel like it’s a really good value for the price. It is helping us meet our customers’ requests that we implement a security awareness training program for our employees, and I think it really has caused our employees to think more about their role in protecting against security threats. Thank you for checking in on us, KnowBe4 really does seem to care about their customers!"
- H.M., Sr. IT Systems Engineer

"Stu, thanks for reaching out! So far the experience from KnowBe4 has been everything I hoped for, and then some! Brandie Leffler was assigned as our Customer Success Manager. She was instrumental in developing our first phishing campaign and reviewing the results. We implemented our training campaign based on the phishing results and are working towards a solid cybersecurity awareness baseline for all employees.

"My only regret is that I didn’t push for this service sooner. I’ve been extremely pleased with the depth of training material available and how quickly the employees were able to complete training modules on their own with very little guidance or instruction. The intuitive nature of the platform is making my job easier, especially as I revamp our training program to align with NIST CSF standards. In that respect, Brandie deserves recognition. She helped me pick out modules based on regulator needs versus my desires to shore up internal knowledge and habits.

"I look forward to the end of the year, where I’ll be able to assess the company’s growth and improve with KnowBe4’s product line. Please let me know if I can provide any additional comments or feedback. Once again, thanks for reaching out!"
- G.I., Network Administrator

P.S. If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. DNC Says Russia Sent Spear Phishing Attacks After 2018 Midterms:

    2. How to protect backups from ransomware:

    3. Dirt-Cheap, Legit, Windows Software: Pick Two:

    4. Government Shutdown’s Negative Impact on Federal Cybersecurity:

    5. Singapore suffers 'most serious' data breach, affecting 1.5M healthcare patients including Prime Minister:

    6. 43% of businesses are still running Windows 7 on some machines; security threats remain:

    7. I can get and crack your password hashes from email:

    8. 91% of cybersecurity pros fear hackers will use AI to attack their company:

    9. North Korean Hackers Gain Access to Chilean ATMs Through Skype:

    10. Cryptomining Malware Uninstalls Cloud Security Products:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Protect Your Car From A High-Tech Hack Using The Old RFID Relay Hack. A tin foil hat for your car keys supposedly hampers the signal. LOL:

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.