CyberheistNews Vol 9 #47 The Bad Guys Have a New Favorite Online Service to Exploit (and It May Be One You Never Heard of)

Over the past few years malicious actors have apparently decided that the future of phishing lies in exploiting trusted online services. Your users have undoubtedly seen the upshot of that decision in their inboxes: an endless stream of phishing emails whose links lead to credential-harvesting pages and other malicious content hosted on services like Dropbox, SharePoint/OneDrive, Box, Constant Contact, and Evernote -- to name just a few. Hosting the lure on a well-known service gives the attacker a link that carries the service's reputation rather than the attacker's, which is exactly what URL-reputation filters and wary users tend to rely on.

Now the bad guys have a new favorite online service to exploit: Microsoft Sway.

What is Sway?

Never heard of it? Or maybe you have heard the name but are still a bit fuzzy as to what it is? It's time to make introductions, because the bad guys are increasingly hip to Sway.

Released in 2015, Sway is an online productivity tool that you can think of as a cloud-based mash-up of Publisher, PowerPoint, and FrontPage. Indeed, Microsoft encourages its use for many of the same kinds of things as Publisher and PowerPoint, particularly online newsletters and short marketing presentations.

The Wikipedia page on Sway usefully summarizes it like this:

"Office Sway is a presentation program and is part of the Microsoft Office family of products. Sway was offered for general release by Microsoft in August 2015. It allows users who have a Microsoft account to combine text and media to create a presentable website. Users can pull content locally from the device in use, or from internet sources such as Bing, Facebook, OneDrive, and YouTube."

Best of all, though, "The program also provides native integration with other services, including YouTube, Facebook, Twitter, Mixcloud, and Infogram." Because what's the point of offering an exploitable online service to everyone with a Microsoft account if it doesn't integrate with social media and other online productivity tools?

During the last month or so customers using KnowBe4's free Phish Alert Button (PAB) have reported a rapidly rising number of phishing emails that leverage Microsoft Sway.

So far the bad guys have not yet fully exploited Sway's integration with other online services. (Give them time.) What they are doing, though, is skillfully deploying Sway to leverage the inherent trust that users place in Microsoft in order to trick them into clicking through to slick, convincing web pages that offer your employees an inviting opportunity to cough up their login credentials. Nice, huh?
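One practical check that follows from the point above, as an added example (not code from the KnowBe4 post, which shows only screenshots): flag any message whose links point at a content-hosting service when the sender's domain is not one that legitimately sends notifications for that service. The service-to-sender mapping, the sample messages and the Sway URL below are all constructed for illustration; the mapping is an assumption drawn from the services named in the article and should be extended from your own mail-flow data.

```python
"""Flag mail whose links point at a hosting service the sender does not belong to.

Added example; the sample messages and the service table are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting services named in the article, mapped to sender domains that
# legitimately send notifications for them (assumption: tune per organisation).
HOSTED_CONTENT = {
    "sway.office.com": {"microsoft.com", "office.com"},
    "dropbox.com": {"dropbox.com", "dropboxmail.com"},
    "sharepoint.com": {"microsoft.com", "sharepointonline.com"},
    "1drv.ms": {"microsoft.com"},
    "onedrive.live.com": {"microsoft.com"},
    "box.com": {"box.com"},
    "evernote.com": {"evernote.com"},
}

# Constructed phishing sample: a "vendor" that links to a Sway page.
SAMPLE_PHISH = """From: "Accounts Payable" <ap@partner-supply.example>
To: cfo@example.com
Subject: Updated remittance details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the <a href="https://sway.office.com/constructed-id">updated
remittance form</a> before Friday.</p>
<p><a href="https://partner-supply.example/contact">Contact us</a></p></body></html>
"""

# Constructed legitimate sample: the same link, sent from the service's own domain.
SAMPLE_LEGIT = """From: "Microsoft Sway" <no-reply@microsoft.com>
To: cfo@example.com
Subject: A Sway was shared with you
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Open it here: https://sway.office.com/constructed-id
"""


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _host_matches(host, service):
    return host == service or host.endswith("." + service)


def sender_domain(msg):
    """Domain part of the From: header, lower-cased."""
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def extract_links(msg):
    """URLs from text/html anchors and bare URLs in text/plain parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _LinkCollector()
            parser.feed(part.get_content())
            links.extend(parser.hrefs)
        elif ctype == "text/plain":
            links.extend(w for w in part.get_content().split()
                         if w.startswith(("http://", "https://")))
    return links


def suspicious_hosted_links(raw):
    """Return (url, service) pairs where the link host is a hosting service
    and the sender domain is not one that legitimately notifies for it."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = sender_domain(msg)
    hits = []
    for url in extract_links(msg):
        host = (urlparse(url).hostname or "").lower()
        for service, legit_senders in HOSTED_CONTENT.items():
            if _host_matches(host, service) and not any(
                    _host_matches(sender, d) for d in legit_senders):
                hits.append((url, service))
    return hits
```

The check deliberately does not block the hosting domain itself, which would break legitimate sharing; it keys on the mismatch between who sent the mail and where the link lives, which is the pattern the article describes.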

Let's take a look at the screenshots on the KnowBe4 Blog:
https://blog.knowbe4.com/the-bad-guys-have-a-new-favorite-online-service-to-exploit-and-it-may-be-one-you-never-heard-of
[Live Demo TOMORROW] Identify and Respond to Email Threats Faster with PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product that lets your Incident Response team identify and respond to email threats faster. It will save them a great deal of time!

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, November 20 @ 2:00 pm (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s Phish Alert email add-in button, or forwarding to a mailbox works too...
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, November 20 @ 2:00 pm (ET)

Save My Spot:
https://event.on24.com/wcc/r/2116418/A4CA36B904A74080568A2965BB61D58B?partnerref=CHN2
How Can Your CEO's Email Be Hacked and You Don't Even Know About It?

Hackers focused on CEO fraud (or Business Email Compromise - BEC) attacks often go to great lengths to hide the fact they have access to your CEO’s mailbox as part of a larger scam.

BEC is a relatively commonplace attack with impressive success. Scammers often simply purport to be the CEO of a given organization and send one of the company employees a directive to wire money, purchase gift cards, and other financially-related activities that can benefit the scammer.

But, in some cases, hackers work to compromise email credentials – which isn’t difficult, given the easy access to Office 365 via the web; a quick scam, some social engineering, a realistic logon page, and voila! - scammers have their hands on email credentials.

But hackers also take steps to stay hidden once they are in. One telling example is the use of inbox rules that act on inbound messages from users who may be warning the compromised account's owner that something is wrong.

A simple rule, shown on the blog, that matches words of warning from colleagues, partners, and subordinates and deletes the message immediately lets the hacker keep access to the CEO's mailbox for an extended period. That buys time to learn where the opportunities lie: details about transactions, deals, and the individuals involved can all feed a larger BEC scam. Here is how that works:
https://blog.knowbe4.com/your-ceos-email-may-be-hacked-and-you-dont-even-know-it
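The rule described above is also the thing to hunt for. As an added example (not from the blog post), the script below audits an export of a mailbox's inbox rules and flags the ones that suppress messages containing warning words, forward mail outside the organisation, or carry a nondescript name. The input format is assumed to be the JSON produced by Exchange Online PowerShell (`Get-InboxRule -Mailbox <user> | ConvertTo-Json`); the property names used here are the ones that cmdlet returns, but the export itself, the warning-term list and the internal domain are constructed for illustration.

```python
"""Audit inbox rules for the hiding and forwarding patterns used after a BEC compromise.

Added example. CONSTRUCTED_EXPORT mimics the JSON from
    Get-InboxRule -Mailbox ceo@example.com | ConvertTo-Json
but is made up for this illustration.
"""
import json
import re

# Words a colleague would use to warn the mailbox owner (assumption: tune per org).
WARNING_TERMS = {"hacked", "hack", "phishing", "phish", "compromised",
                 "suspicious", "fraud", "scam", "malware", "virus", "breach"}

# Domains considered internal (assumption).
INTERNAL_DOMAINS = {"example.com"}

CONSTRUCTED_EXPORT = json.dumps([
    {"Name": "Clean up", "Enabled": True, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["hacked", "phishing", "suspicious"],
     "ForwardTo": None, "RedirectTo": None, "MoveToFolder": None},
    {"Name": "..", "Enabled": True, "DeleteMessage": False,
     "SubjectOrBodyContainsWords": ["invoice", "wire"],
     "ForwardTo": ["attacker@mail.example"], "RedirectTo": None, "MoveToFolder": None},
    {"Name": "Newsletters", "Enabled": True, "DeleteMessage": False,
     "SubjectOrBodyContainsWords": ["unsubscribe"],
     "ForwardTo": None, "RedirectTo": None, "MoveToFolder": "Inbox\\Newsletters"},
])


def _match_words(rule):
    """All words the rule matches on, lower-cased, from the three 'contains' conditions."""
    words = []
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"):
        words.extend(rule.get(key) or [])
    return {w.lower() for w in words}


def _external(addresses):
    """Addresses whose domain is not one of ours."""
    found = []
    for addr in addresses or []:
        m = re.search(r"@([\w.-]+)$", addr)
        if m and m.group(1).lower() not in INTERNAL_DOMAINS:
            found.append(addr)
    return found


def audit_rules(export_json):
    """Return a list of (rule name, reasons) for enabled rules an analyst should review."""
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("Enabled", True):
            continue
        reasons = []
        # Rule hides mail if it deletes it or moves it anywhere but the Inbox.
        hides = bool(rule.get("DeleteMessage")) or rule.get("MoveToFolder") not in (None, "Inbox")
        hits = WARNING_TERMS & _match_words(rule)
        if hides and hits:
            reasons.append("suppresses messages containing warning terms: " + ", ".join(sorted(hits)))
        external = _external(rule.get("ForwardTo")) + _external(rule.get("RedirectTo"))
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        name = rule.get("Name") or ""
        if len(name.strip(". ")) < 3:
            reasons.append("nondescript rule name %r" % name)
        if reasons:
            findings.append((name, reasons))
    return findings
```

Run it against every mailbox, not just the CEO's: the same rule pattern is used on whichever account the attacker landed in, and a rule named with a single dot or space is a common tell.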
Third-Party Phishing: The New Spear-Phishing Attacks That Traditional Defenses Just Don’t Stop

Third-party phishing attacks look like legitimate emails from your vendors' domains, so traditional defenses often don't work against them, or work only in a weakened form. Your only reliable defense is a strong human firewall. Find out how third-party phishing attacks operate, how you can spot them, and learn what defenses do and don't work against them.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, this week to see:
  • Real-world examples of third-party phishing schemes
  • Hacking techniques that make these targeted attacks even more dangerous
  • How to protect your network against these aggressive schemes
  • What to teach your end users so they can identify a third-party attack
Date/Time: THIS WEEK, Thursday, November 21 @ 2:00 pm (ET)

Save My Spot:
https://event.on24.com/wcc/r/2126859/009A720C10CC34C7FDEBABD33ED0B418?partnerref=CHN3
[Heads-Up] This New, Unusual Ransomware Strain Goes Exclusively After Servers

Danny Palmer at ZDNet alerted on the following: "An unconventional form of ransomware is being deployed in targeted attacks against enterprise servers – and it appears to have links to some of the most notorious cyber criminal groups around.

The previously undetected server-encrypting malware has been detailed in research by cyber security analysts at Intezer and IBM X-Force, who've named it PureLocker because it's written in the PureBasic programming language.

It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms.

"Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.

The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services.

These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.

It's currently uncertain how exactly PureLocker is delivered to victims, but researchers note that more_eggs campaigns begin with phishing emails, so the ransomware attacks could begin in the same way, with the final payload likely to be the final part of a multi-staged attack. Continued:
https://blog.knowbe4.com/heads-up-this-new-unusual-ransomware-strain-goes-exclusively-after-servers
Will You Get Spoofed Over the Holidays? Find out for a Chance to Win!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

That lets them launch a "CEO fraud" spear-phishing attack on your organization, and that type of attack is very hard to defend against unless your users have had thorough security awareness training.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus if you’re in the US or Canada, you'll be entered for a chance to win a $500 Amazon Gift Card (just in time for the holidays)!

Find out now whether your email server is configured correctly; many are not!

Try to Spoof Me!
https://info.knowbe4.com/dst-sweepstake-nov-dec2019
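Whether an outsider can put your domain in the From: header comes down to the SPF and DMARC policy you publish in DNS. The page does not describe how the Domain Spoof Test works internally, so the following is an added example of the check a practitioner can run themselves, not KnowBe4's tool: it parses the two TXT records and reports why spoofed mail would still be delivered. The records below are constructed; in practice you would fetch them for `<domain>` and `_dmarc.<domain>`. Qualifier and tag semantics follow RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Assess whether a domain's published SPF/DMARC policy lets outsiders spoof it.

Added example with constructed records, not the KnowBe4 Domain Spoof Test.
"""


def parse_spf(txt):
    """Return {'mechanisms': [...], 'all': qualifier-or-None}, or None if no SPF record."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    mechanisms = txt.split()[1:]
    all_qualifier = None
    for mech in mechanisms:
        qualifier, body = (mech[0], mech[1:]) if mech[0] in "+-~?" else ("+", mech)
        if body.lower() == "all":
            all_qualifier = qualifier
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return the DMARC tag dict (lower-cased), or None if no DMARC record."""
    if txt is None or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def assess(spf_txt, dmarc_txt):
    """Return (spoofable, findings) for a domain's SPF and DMARC TXT records."""
    findings = []
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)

    # Only '+all' makes an arbitrary host PASS SPF; other endings leave receivers
    # to decide, and DMARC treats anything but PASS as a failure.
    anyone_passes_spf = False
    if spf is None:
        findings.append("no SPF record: receivers cannot check the sending host")
    elif spf["all"] == "+":
        findings.append("SPF +all: every host on the internet passes SPF for this domain")
        anyone_passes_spf = True
    elif spf["all"] in (None, "?"):
        findings.append("SPF ends neutral: unknown hosts are neither passed nor failed")
    elif spf["all"] == "~":
        findings.append("SPF softfail (~all): receivers usually still deliver unless DMARC enforces")

    # Without DMARC, a spoofer passes SPF by using their own envelope sender while
    # still putting your domain in the From: header that users see.
    policy, pct = "none", 100
    if dmarc is None:
        findings.append("no DMARC record: From: header can be spoofed with any envelope sender")
    else:
        policy = dmarc.get("p", "none")
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif pct < 100:
            findings.append("DMARC pct=%d: only that share of failing mail gets p=%s" % (pct, policy))

    enforced = policy in ("quarantine", "reject") and pct == 100 and not anyone_passes_spf
    return (not enforced, findings)
```

A hard `-all` on its own is not enough: it protects the envelope sender, but the address your CEO's staff see is the From: header, and only a DMARC policy of quarantine or reject ties that header to SPF or DKIM alignment.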
Get Your Hands on KnowBe4's Important 2020 Security Threats and Trends Survey Results *First*

Once a year, KnowBe4 runs its Security Threats and Trends Survey. We’re polling IT and Security executives, administrators and professionals like yourself on what technology and business issues you consider your organization's biggest security threats and challenges over the next 12 months. These include Phishing scams, CEO fraud, Ransomware, malware and targeted hacks.

It will take you 5 minutes tops. As a reward, you get the results first, which will let you compare yourself with your peers. It's multiple choice with one essay question. ALL responses are confidential.

Anyone who completes the survey and includes their Email address in the essay question along with a comment gets a complimentary copy of the Executive Summary and the accompanying PowerPoint presentation of the survey results. The person who provides us with the best essay comment will win a USD 100 Amazon gift card.

Here's the link to the new 2020 survey. Thanks in advance for participating!
https://www.surveymonkey.com/r/SY9BDLQ

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: [Heads-Up] Scam of the Week: Thousands of Hacked Disney+ Accounts Are Already for Sale on Criminal Sites:
https://blog.knowbe4.com/heads-up-thousands-of-hacked-disney-accounts-are-already-for-sale-on-criminal-sites
Quotes of the Week
"Liberty cannot be preserved without general knowledge among the people."
- John Adams (1735 - 1826)

"Without freedom of thought, there can be no such thing as wisdom - and no such thing as public liberty without freedom of speech." - Benjamin Franklin (1706 - 1790)

Thanks for reading CyberheistNews
Security News
SIM-Swapping, Social Engineering, and Sextortion

A Canadian man who fell victim to a SIM swapping attack said the fraudster gained access to his cloud account and threatened to send his intimate tapes to his coworkers and relatives unless he paid $25,000 worth of bitcoin, according to Lisa Vaas at Naked Security. The attacker sent him screenshots of the videos as proof that they had access. The victim refused to pay, and he said the attacker doesn’t seem to have released anything yet. He stressed, however, that the knowledge that the videos could be released at any time is like living “under the sword of Damocles.”

“It’s going to hang over my head for the rest of my life,” he said.

SIM swapping is more difficult to defend against than many other attacks because it involves social engineering an employee at your mobile provider into porting your number to an attacker’s device. As a result, it happens without your knowledge and the first indication you receive is when your phone stops functioning.

Vaas emphasizes that there are precautions you can take to mitigate this threat. First, avoid falling for phishing attacks designed to steal your credentials. SIM swapping can allow attackers to bypass SMS-based two-factor authentication, but only if they already have your usernames and passwords.

Second, don’t answer security questions accurately. Attackers can often deduce the answers to these questions, so it’s better to treat them as another password and use a random string of characters. Using a password manager can make this an easy process.

“The crooks might guess that your first car was a Toyota, but they’re much less likely to figure out that it was a 87X4TNETENNBA,” Vaas writes. New-school security awareness training can teach your employees how to keep their information secure even when matters outside of their control put their data at risk. Naked Security has the story:
https://nakedsecurity.sophos.com/2019/11/12/sextortionist-whisks-away-sex-tapes-using-just-a-phone-number/
Fake Job Postings Lead to Money Laundering

Researchers at Forcepoint have come across two different types of scams targeting people who are looking for home-based jobs. The first scam was a money laundering operation that involved a website purporting to offer full-time remote language-teaching jobs.

The researchers say this site was suspicious because it used the contact information of one of their friends without his permission, but the purpose of the site wasn’t immediately apparent since it wasn’t a phishing site and didn’t host any malware.

When the researchers’ friend spoke with local law enforcement, however, he learned there was an ongoing investigation into the site. The police told him that someone who applied for a job on the site had grown suspicious of their new employer because the whole affair seemed ambiguous and shady.

Eventually, the employer told the applicant that they were going to move money through their bank account into a different account, at which point the applicant realized the purpose of the job posting was to find unwitting individuals to participate in money laundering.

The second scam involved a botnet that used a list of compromised SMTP accounts to churn out fake job postings. The emails informed recipients about a “home-based job opening with our Customer Service division,” which started at $18 per hour and offered a flexible work schedule.

Like the previous scam, this campaign didn’t involve any traditional phishing techniques or malware, and Forcepoint believes these emails are meant to rope people into money laundering schemes.

Forcepoint notes that this type of scam is more sophisticated than most phishing attempts, since it involves interacting with the victim and using social engineering to trick them into committing illegal acts. New-school security awareness training can give your employees a healthy sense of suspicion so they can recognize these scams in advance. Forcepoint has the story:
https://www.forcepoint.com/blog/x-labs/persuasiveness-remote-job
People Need to Work Together to Spot Con Artists

It might not be possible to resist a good con artist, according to award-winning author, journalist, and champion poker player Maria Konnikova. On the CyberWire’s Hacking Humans podcast, Konnikova explained that she interviewed several con artists for her upcoming book, “The Biggest Bluff,” but said she eventually had to stop talking to them because she felt their charisma beginning to warp her own opinions.

“It just makes you realize how powerful they are, how charismatic,” Konnikova said. “If you saw them coming, if you could actually spot this, then they wouldn't be very good con artists. So I think it's something very deep in them and deep in us that causes that connection, that trust to build. And you see how easy it is to take advantage of our trust, of our confidence. It's frightening.” Continued:
https://blog.knowbe4.com/people-need-to-work-together-to-spot-con-artists
What KnowBe4 Customers Say

"Hi Stu, so far we've been happy with the service, it's made rolling out the baseline test and collecting results painless and enabled our internal project manager to be self-sufficient in running the campaigns. Being a smaller company we don't have any dedicated security analyst to manage and run phishing campaigns, so having a platform that makes it this simple is fantastic for us. Thank you for reaching out."
- K.J., Associate Director of Technology

"Hi Stu, good to hear from you, much appreciated. Yes we’ve been delighted with both KnowBe4 and KCM; in fact, the whole reason we switched to KCM was due to the positive experience with KnowBe4. Both Tom Brady and Brady Price have been great in assisting us with our Compliance Program; I appreciate their time and help.

If you’re asking for input, my only recommendation is to add a Medicare Fraud Waste & Abuse Training, FWA, it’s required training by all providers across the country servicing Medicare, so the majority of your clients would welcome it. The government provides the details for the training, so most of the work is done. Thanks again for all you and your team do for us."
- G.M., Director of Risk Management
The 10 Interesting News Items This Week
    1. What Keeps NSA Cybersecurity Boss Anne Neuberger Up at Night:
      https://www.wired.com/story/anne-neuberger-national-security-agency-wired25/

    2. The 6th Annual Women in Cyber Reception. KnowBe4's SVP Cyber Operations Rosa L. Smothers speaks:
      https://www.thecyberwire.com/videos/wcs6/Rosa-Smothers-KnowBe4.html

    3. Experts On Twitter's New Deepfake Policy To Alert, But Not Remove:
      https://www.informationsecuritybuzz.com/expert-comments/experts-on-twitters-new-deepfake-policy-to-alert-but-not-remove-manipulated-content/

    4. Silly Phishing Scam Warns That Your Password Will be Changed... or else:
      https://www.bleepingcomputer.com/news/security/silly-phishing-scam-warns-that-your-password-will-be-changed/

    5. Phishing attacks are increasingly sophisticated: here’s how to stay safe:
      https://www.itsecurityguru.org/2019/11/11/phishing-attacks-are-increasingly-sophisticated-heres-how-to-stay-safe/

    6. How to hack a political party: The five attacks that Jeremy Corbyn and Boris Johnson should fear:
      https://www.telegraph.co.uk/technology/2019/11/13/hack-political-party-five-attacks-jeremy-corbyn-boris-johnson/

    7. Your gift cards are a top target for scammers this holiday season:
      https://www.cnbc.com/2019/11/08/gift-cards-are-a-top-target-for-scammers-this-holiday-season.html

    8. That Match You Met Online May Not Be Human:
      https://knx1070.radio.com/articles/cbs-news/match-you-met-online-may-not-be-human

    9. Scammers favor malicious URLs over attachments in email phishing attacks:
      https://thenextweb.com/security/2019/11/08/scammers-favor-malicious-urls-over-attachments-in-email-phishing/

    10. The password reuse problem is a ticking time bomb:
      https://www.helpnetsecurity.com/2019/11/12/password-reuse-problem/

    11. BONUS: Interested in cybersecurity law and policy? Check out “Caveat,” the CyberWire's newest weekly podcast addressing cybersecurity law and policy, with a particular focus on surveillance and digital privacy. Take a listen:
      https://thecyberwire.com/podcasts/caveat.html
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.