CyberheistNews Vol. 9 #24 [Heads-Up] Nigerian Bad Guys Go Over Dead Bodies to Carry out Cyber Crimes

CyberheistNews Vol 9 #24

Greetings! It’s our pleasure, here at the CyberWire (, to be KnowBe4’s guest editors at CyberheistNews this week. We hope you enjoy and profit from what we’ve found to share. And our thanks to KnowBe4 for opening this issue to us. Here are some of the news items we think are interesting for you.
[Heads-Up] Nigerian Bad Guys Go Over Dead Bodies to Carry out Cyber Crimes

One of the oldest pieces of phishbait in the scammers’ chum bucket is the “Nigerian Prince Scam,” the advance fee come-on that’s come to be known as “419 fraud” after the section of the Nigerian criminal code that makes it illegal.

The Nigerian underworld evolves too, however, so let’s take a look at what they’re up to lately. Organized cybercrime groups don’t restrict themselves to one type of criminal activity; rather, they operate like a growing business, running a variety of different scams at once to bring in money from many sources.

Security researchers at Agari discovered this after tracking a large West African criminal group over the course of six months and reconstructing the timeline of its growth and activities since 2008.

The group, which Agari has dubbed “Scattered Canary,” began with two individuals living in southwestern Nigeria who ran Craigslist scams between 2008 and 2010. These scams netted them an average of $24,000 per month, which they split between them. One of these individuals, who Agari calls “Alpha,” started carrying out romance scams in 2010. Alpha would manipulate his victims into handing over their money until they had no more to give, at which point he would use them as mules to assist him with more scams.

The researchers relate the sad story of one of these victims, who was exploited by Scattered Canary until her death in 2017. Even after her passing, the group still used her personal information to carry out crimes, which the researchers say “exemplifies the lengths to which these groups use and reuse their victims until there is literally nothing left to exploit.”

In late 2015, Alpha began launching widespread phishing campaigns, and partnered with other scammers. In 2016, the group started branching out into more targeted BEC attacks, while still running romance scams and credential phishing.

By 2017, Agari says Scattered Canary was a “well-oiled machine,” with numerous employees in various roles. They began phishing US government agencies, knowing that they were safe in Nigeria, since they could bribe local law enforcement to leave them alone.

The group now churns out BEC scams to every target they can find, using online lead services to search out potential victims. In November 2018, Scattered Canary tried to launch a BEC attack against Agari’s CFO, which led the company’s researchers to begin looking into the group. The researchers say the scope of the group’s activities shows that organized cybercrime has reached unprecedented heights.

“As we have discovered, the same groups that reap billions in BEC schemes each year are also partly to blame for the $360 million lost to romance scams, the $1 billion hijacked in real estate transactions, and millions more pilfered through W-2 scams, payroll diversions, and other types of fraud,” they write.

“This suite of email-based attack vectors is operated concurrently by modern-day cybergangs including Scattered Canary, and represent the apex of years of both massive growth and massive success.”

Cybercrime is a profitable and growing industry in which people make a living by honing scams to be as widespread and as effective as possible. These scams will target you and your employees, and new-school security awareness training is the best defense against them. SecurityWeek has the story:
A Look Behind The Curtain with Kevin Mitnick: Hacking Data Sources That Bad Guys Use!

Ever wonder how hackers, spies, and con-artists gather such detailed and convincing intel on their targets? Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, knows.

The truth is that it is shockingly easy to gather detailed intelligence on individuals and organizations. Everything the bad guys need to specifically target your end users is out there for the taking. Banking and credit card accounts, driver's license numbers, geolocation details and even IT secrets can be found easily and through public resources! There’s even a name for it: Open Source Intelligence (OSINT).

Join us for this mind-blowing webinar where, Kevin and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will give you an inside look into some of Kevin’s most prized, underground OSINT secrets and how the bad guys use those techniques to target your users and your organization.

Find out what to watch out for and learn how to strengthen your end-user “human firewall” against OSINT-fueled attacks before it's too late!

Date/Time: TOMORROW, June 12 @ 2:00 pm (ET)

Save My Spot!
Impersonation Phishing Hits the Legal Sector Hard

Legal firms are particularly susceptible to impersonation phishing attacks.

That’s the conclusion Martin Parrin offers in a piece he published in Today’s Conveyancer. Parrin points to a recent scam highlighted by the UK’s Solicitors Regulation Authority (SRA), in which criminals set up a website that very convincingly spoofed a real London legal firm called “ABK Solicitors.”

(Transatlantic note: Americans are likely to call “solicitors” “lawyers,” the kind of people you hire to help you draft a will or incorporate a business. It’s easy to generalize from the British case to other legal systems.)

Using open-source information, the attackers included the company’s legitimate SRA ID and the real names of attorneys at the firm, and then sent emails posing as these employees. These emails provided clear instructions for potential victims to pay £1,500 in preparation for a deal.

Parrin points out that this is just one of many spoofing attempts targeting the legal sector in recent months. “In the past three months, the Solicitors Regulation Authority (SRA) have been formally warning the public and law firms on an almost daily basis about new and emerging threats,” he says.

“Out of the 92 days between March and May, the SRA has issued 86 separate scam alerts. In May, 30 alerts were placed on the SRA’s website, adding to the 27 warnings from April and 29 fraud threats in March.”

Any company that uses email as a regular part of its business operations is susceptible to BEC attacks, and the risk increases with the sensitivity of those operations. Parrin says that legal firms are prime targets for these attacks: they handle an exorbitant amount of sensitive information and large financial transactions on a daily basis.

“When fraudulent emails and websites are spoofed to such a high standard that it becomes difficult to separate the genuine from the fake, it is imperative that law firms prepare their cyber defences and secure themselves better in the future,” he writes.

Criminals are improving their ability to launch attacks that rely primarily on social engineering rather than technical compromise. Organizations can build up their employees’ resistance by providing their employees with security awareness training. But make it interactive and engaging: half an hour of PowerPoint in the break room twice a year won’t cut it. Today’s Conveyancer has the story:
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

Good news! We have expanded our KCM GRC product with the new Vendor Risk Management module. KCM now features four modules: Compliance, Policy, Risk, and Vendor Risk!

Join us Wednesday, June 19 @ 2:00 pm (ET), for a 30-minute live product demo of KnowBe4's new KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and ease your burden when it's time for risk assessments and audits.
  • [NEW] Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, June 19 @ 2:00 pm (ET)

Save My Spot!
Small Businesses Are Threatened by Cyberattacks, Even Without an Online Presence

We’re mentioning the importance of employee training and education a lot. Of course, we’re blogging as KnowBe4’s guests, and new-school awareness training is KnowBe4’s bread-and-butter. But at the CyberWire ( we’re believers. In fact, we’re customers, and paying customers, too, not users benefiting from some kind of promotional swap. And not a bit of buyer’s remorse have we felt. We’re also a small business, and this next story should send shivers up the spines of every small business out there.

A startup in New York went out of business less than two months after it began making money due to fraudsters using its payment systems to test stolen credit cards, according to the Wall Street Journal.

Sociology professor Jessie Daniels and university librarian Polly Thistlethwaite launched Innovative Higher Ed Consulting (IHEC) last year to help researchers publicize their work. They opened a Bank of America business account and a Payeezy account to process payments. Bank of America Merchant Services sent them an email in September telling them about optional fraud protection features, but they didn’t turn these on because their website was still under construction, and Payeezy wasn’t hooked up to it yet.

They began accepting payments via email in December, and had made $1,200 by the end of January. On January 23rd, however, criminals started using the company’s Payeezy service to test the validity of stolen credit cards with $1 charges. Over the next eight days, they ran approximately 100,000 credit cards through the system, nearly 4,000 of which resulted in fraudulent charges.

IHEC’s owners worked with the bank and Payeezy to stop the activity, but were unsuccessful, even after they activated security features. On February 1st, the charges ceased for unknown reasons. In March, Bank of America Merchant Services billed IHEC $27,000 for the chargebacks, and the startup closed its doors in May.

Larry Ponemon, founder and chairman of the Ponemon Institute, told the Wall Street Journal that banks should require businesses to implement standard security protections, rather than making them an optional feature.

“It’s not unusual to hear that a small business in the formative stage has a relatively significant exposure,” Ponemon said. “We have seen this time and time again.”

However, an executive at Bank of America Merchant Services said that these features are optional because they don’t want to “minimize the amount of commerce a business can do.” He added that small businesses have to be held to the same standards as a large company. “Cars come with seat belts,” the executive said. “They save lives. It’s up to you to click that in.”

Small businesses sometimes have a false sense of security because they assume they aren’t on any attackers’ radar, but criminals know that these companies often struggle to afford adequate defenses. They also tend to have cultures of trust--everyone knows everyone else, and usually likes them, too. That can tend to lead them to overlook some of the wilier forms of crime that come after them.

Some basic, relevant knowledge of cyberattacks and social engineering can go a long way. New-school security awareness training can help you and your employees avoid falling victim to these attacks, as well as give you a better idea of where your weak spots are. The Wall Street Journal has the story:
[On-Demand] 10 Incredible Ways You Can Be Hacked Through Email

Email is still the #1 attack vector the bad guys use. A whopping 91% of cyberattacks start with a phishing email, but email hacking is much more than phishing and launching malware.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30-years of experience, for this on-demand webinar where he will explore 10 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run.

Plus, he will share a (pre-filmed) hacking demo by Kevin Mitnick, KnowBe4's Chief Hacking Officer where he captures an email hash with no clicks and no malicious code.

You’ll want to see this... Watch It Now!
Let's Stay Safe out There... The CyberWire Helps!

Thanks for staying with us, and thanks again to KnowBe4 for inviting us into CHN this week. Before we leave you with some particularly interesting links, may we invite you to consider subscribing to the CyberWire? It’s free, and it delivers fresh cyber security news every day of the week except Sunday. You can sign up for our emails here:

And if podcasting is to your taste, you’ve also come to the right shop:

As Stu would say, “let's stay safe out there.”

Warm Regards,
The CyberWire

Quotes of the Week
"Don't use compulsion, but let your children's lessons take the form of play. You will learn more about their natural abilities that way." - Plato, Philosopher (427 - 347 BC)

"If the highest aim of a captain were to preserve his ship, he would keep it in port forever."
- Thomas Aquinas, Philosopher and Theologian (AD 1225 - 1274)

Thanks for reading CyberheistNews
Security News
Polymorphic Phishing Attacks Are Skyrocketing

IronScales released data showing that 42% of phishing email attacks are polymorphic, enabling them to evade many security filters. The company has observed 11,733 polymorphic phishing attacks over the past twelve months. Nearly 3,000 of these attacks had between 11 and 50 permutations, 704 involved between 51 and 250 permutations, and 96 of the attacks underwent between 251 and 521 alterations.

IronScales says that even small changes to an email can allow it to bypass email filters that operate by detecting malicious signatures.

“Polymorphism occurs when an attacker implements slight but significant and often random changes to an emails’ artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed,” they explain.

“This strategic approach enables attackers to quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats; ultimately allowing different versions of the same attack to land undetected in employee inboxes.”

The company points out that many cheap phishing kits available online now have built-in, automated polymorphic capabilities, so this behavior will likely become a standard feature in phishing campaigns. It’s a familiar pattern: the attacker adapts to the defender, and what were once advanced techniques and tools become commodities any hood can get their hands on. An aware human being, alert to the possibility of social engineering and quick to spot the scam, is the most adaptable defense.

You cultivate those skills through education. New-school security awareness training is one of the most comprehensive defenses against phishing, because it enables your employees to identify new attacks that get through your technical defenses. PRWeb has the story:
Flash-Based SSDs Could Offer Efficient Ransomware Defense

Researchers at the University of Illinois have developed a tool that they hope will defend against ransomware by using cheap, common hardware to facilitate secure backups. In a recent paper the researchers proposed utilizing flash-based solid-state drives (SSDs) to preserve earlier states of data at the firmware level, which is far more secure than software-based backup solutions.

Software backups are essentially useless when malware gains kernel privileges. Once it has them, the malware can simply encrypt the backups along with everything else.

Flash-based SSDs inherently save data for a certain period of time, even after a file has been modified or deleted. New versions of files are saved to empty locations, and the old versions are marked as invalid. When storage on a device reaches a certain threshold, the device will run a garbage collection process that frees up space by deleting the data that have been marked invalid.

The researchers found a way to reliably preserve this data in a linear and recoverable way, so that victims of ransomware could potentially restore files from up to eight weeks before an attack.

The Illinois researchers noted that attackers can still craft attacks to overcome their technique. For example, they could slowly write and delete data until the SSD is overwritten. However, victims are much more likely to notice this activity before the old data is deleted.

Isolated hardware backups are obviously the most secure option, but the researchers’ proposal seems to offer a cost-effective, additional layer of protection that could be built into future computers. They plan on improving data retention time and performance efficiency, and adding additional analysis capabilities. It will be worth keeping an eye on.

That said, while technical security solutions are improving, they’ll likely never be perfect, and it’s essential for organizations to implement the best safeguards possible while still ensuring that attacks are warded off in the earliest possible stages. Help Net Security has the story:
Phishing Emails Ask Victims to Approve Incoming Messages

Attackers are sending phishing emails containing a list of supposedly undelivered emails meant for the recipients’ Outlook Web Mail inboxes, BleepingComputer reports. The list includes sender email addresses and important-looking subject lines regarding payment authorizations, bank updates, and shipping information.

Each entry in the list has buttons that purportedly allow users to “Release,” “Always Allow,” or “Deny” the pending emails. If users click on any of these options, they’ll be taken to a spoofed Outlook login page where their credentials will be stolen.

BleepingComputer notes that this campaign is using hacked websites to host its phishing pages, and not taking advantage of cloud hosting services. That means the phishbait’s URL won’t end with a Microsoft-owned domain. So users who are in the habit of looking at the URL before they enter their credentials are less likely to fall victim. (Of course, you learn to check URLs because someone’s trained you to do so. More on this in a moment.)

The email template hitting Web Mail inboxes is clever, however, because it distracts recipients from the emails and the links in them, and directs their attention to potentially urgent emails that can’t be examined until after users have handed over their credentials.

The phony email subject lines are intentionally designed to make victims rush to investigate, making them more likely to neglect the URL or other inauthenticities. Your gut reaction isn’t a bad place to start. Any email that makes you feel anxious and asks you to do something immediately should be treated with suspicion. But of course your gut reaction isn’t the best place to finish.

That’s where training helps: you can move from uneasiness to well-founded judgment. New-school security awareness training can teach your employees how these scams work, so that they’ll recognize the signs of social engineering when they encounter them in the real world. BleepingComputer has the story:
What KnowBe4 Customers Say

"Your platform has made a huge positive impact in our organization. The training and phishing tests have changed the behavior of our users. Some of our users have given me feedback that things they would have clicked on 12 months ago vs. thinking twice now and having our group take a look at the email.

Our CEO is a big proponent of security awareness training and embraces everything that I’m doing to make our users more secure along with our environment.

I attended the KnowBe4 conference at the beginning of May. I was impressed with the conference and I have brought some ideas back that I’m looking at implementing here. I’m looking forward to your next conference. Every time I have a conversation with someone, I recommend KnowBe4’s name. You have changed our organization. Thanks."
- P.M., IT Director
The 10 Interesting News Items This Week
    1. Vietnam Cyber Threat: Government-Linked Hackers Ramping Up Attacks:

    2. Russia Effort in 2016 US Election Was 'Vast,' 'Professional':

    3. Warnings of world-wide worm attacks are the real deal, new exploit shows:

    4. Fake Cryptocurrency Trading Site Pushes Crypto Stealing Malware:

    5. New adware "BeiTaAd" found hidden within popular applications in app store:

    6. Inside the Operations of a West African Cybercrime Group:

    7. The Minefield of Corporate Email:

    8. Hollywood lie: Bank hacks take months, not seconds:

    9. ‘I was a Macedonian fake news writer’:

    10. Ransomware isn’t just a big city problem:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

(This week, actually, they’re CyberWire ( faves, not necessarily endorsed by KnowBe4, but we hope they’ll like them, too.)
    • We’re a BYOD (bring-your-own-dog) shop at the CyberWIre, and we’ve just learned that the Royal Army Veterinary Corps has its own official quick march. And that march would be “Drink, Puppy, Drink”--take that, Herr Schrödinger:

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Ransomware Has Gone Nuclear Webinar

Get the latest about social engineering

Subscribe to CyberheistNews