Scam Of The Week: ISIS Attack / 12Mil New Malwares Per Month

Scam Of The Week: ISIS Attack

It is a mystery that bad guys have not jumped on this in higher volume. However, a major malware phishing campaign claiming ISIS attacks has been found in Australia.

What you may not know is that several cyber gangs use very modern techniques like Agile software development, beta testing and more. English-speaking countries like Australia and the U.K. are used to test and fine-tune malware campaigns, which are then unleashed on the U.S. of A.

So, thank you mister bad guy for the advance warning. We now have a heads-up about something that is going to happen in America in the very near future: malware campaigns claiming that ISIS will attack landmarks like the White House, Wall Street, or the new World Trade Center in New York. It's only a matter of time. So, let's inoculate our employees ahead of time! Send them this:

"Cyber criminals are using hoax 'breaking news' events more and more to get people to click on links or open attachments. At the moment there is a scam email which claims that ISIS has warned Australian Police about new attacks in Sydney during 2015. The email tells recipients to open an attached Word document to read a detailed news story about the supposed attack threats.

"The claims in the email are bogus and the attached document is infected with malware. There are no credible news or police reports about such a warning from ISIS. You are very likely to get scam emails claiming ISIS attacks like this at home or in the office. Do not open them, do not click links, do not open attachments, and delete these emails. Remember: 'When in doubt, throw it out!'"

For KnowBe4 customers, we have a new template in Current Events, with the title: "Breaking News: ISIS Announces When and Where They Will Attack the US" 

AV-Test: "There Are Now 12 Million New Malware Variants Per Month"

The AV-Test site reported that they found 143 million new malware samples in 2014 and 12 million new variants per month.

The independent IT security institute AV-Test regularly publishes a great statistic about the number of malware strains. Their new report reveals there are now a whopping 12 million new variants per month.

The AV-TEST Institute registers over 390,000 new malicious programs every day. These are examined using their proprietary analysis tools and classified according to their characteristics. Visualization programs then transform the results into diagrams that are updated regularly and produce current malware statistics.

Looking at the last year, the month with the greatest number of new threats was August, when over 18 million new samples were identified by AV-Test. No wonder that the average antivirus detection lag has expanded from 6 hours to 2 days. Antivirus is not dead, but it cannot keep up anymore. See graph here:

The stats reported a total of 143 million new malicious software samples in 2014, an amazing amount that shows this is automated on a (criminal) industrial scale. The data shows an exponential growth in new cyber threats recorded over the years. Mobile malware is also up 75% for 2014 compared to the year before, largely due to the proliferation of new ransomware campaigns such as ScarePakage. The number of new malware strains in 2014 is significantly higher than in earlier years. Here are some graphs that illustrate all this at the KnowBe4 Blog. (By the way, you should subscribe to the blog and get these alerts in real time.)

These numbers show again that you need to work hard on your defense-in-depth. And to start out with, by far the best bang for your IT security budget is effective security awareness training. Find out how affordable this is for your organization now:

Train Employees And Cut Cyber Risks Up To 70 Percent

It's a well-known fact that employees are the weakest link in IT security. There is good news though! New research from our friends at Wombat Security Technologies and the Aberdeen Group gives a solid foundation to the anecdotal evidence that end-user education cuts down on data breaches. When they are exposed to cyber risks like phishing, social media, and other attack vectors, security awareness training can reduce your organization's risk by as much as 70 percent.

The newly published report concludes that despite software and hardware protection being in place, the vast majority of security incidents are caused by the actions of untrained company employees. This new report clearly demonstrates that your relatively low investment in security awareness training helps you to significantly improve your level of defense-in-depth. It's a great tool to get budget allocated.

"It's important for security teams to communicate clearly about the risks that organizations are accepting when their employees' response to cyber threats is not addressed," says Derek Brink, VP and Research Fellow for Aberdeen Group, at Harte Hanks Company. "While the public disclosures of the past several months have provided some startling examples about what can happen when security awareness and training is ignored, Aberdeen and Wombat have developed this model to address the most basic and logical question that security teams so often struggle to address: How does an investment in changing end user behavior through innovative security education solutions actually reduce the organization's risk?"

The report concludes that creating budget for security awareness training is effective in changing employee behavior and measurably reduces security-related risks by between 45 and 70 percent. Well, I'm glad someone did the homework and came up with some hard numbers. You can get access to this report for FREE at the Aberdeen Group or Wombat, but you do need to register.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"A lie has to be tended, watched and guarded. A truth you send out on its own." - Rick Reilly, American sportswriter.

"He who dares not offend cannot be honest." - Thomas Paine

Security News

Are Your Email Addresses On A Russian Phishing Site?

We are finding many U.S. commercial email addresses at a Russian phishing website. It is really a 'staging' area for emails to be posted by the criminal underground. Sadly, Google indexes this site and it makes for easy searching. Unfortunately there is nothing you can do to get emails taken down from this site, but you should be aware of what is out there.

The (free) KnowBe4 Email Exposure Check (EEC) helps to give you a better understanding of your security posture with regard to exposed email addresses on the Internet. Call it your 'email attack surface'. The emails on this Russian site are more commonly spear-phished. You can use the EEC report to flag these email addresses so that you can better tune your spam traps and monitor for email-based attacks. And obviously you specifically need to give effective security awareness training to the employees with those exposed email addresses.

Sign up for a one-time free Email Exposure Check here:

Quick Reminder: InfoSec World Conference & Expo 2015

Put this in your calendar: March 23-25, 2015 - InfoSec World 2015, coming to Disney's Contemporary Resort this March, is now just 2 months away! Don't miss this 7-track event featuring a lineup of conference sessions, workshops and summits that address the most pressing matters in information security today. And, just for being a Cyberheist News subscriber, register with the special discount code OS15/CHN and you'll receive 10% off the conference registration fee. To register, simply call the Customer Service department, who can sign you up over the phone: 508-879-7999 ext. 501, and don't forget to mention your discount code - OS15/CHN!

SMBs Are Now The Preferred Cybercrime Target

I have a great article that you can send to C-level execs in your constant quest for more IT security budget. The main message is simple and communicates a clear and present danger:

"Small and midsized businesses are now the preferred targets for cybercriminals – not because they are lucrative prizes individually but because automation makes it easy to attack them by the thousands, and far too many of them are easy targets."

Taylor Armerding at CSO magazine nailed it: "Does the size of your enterprise really matter to cybercriminals? Well, yes and no.

"Most experts would agree with Jody Westby, CEO of Global Cyber Risk, when she says, 'it is the data that makes a business attractive, not the size – especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property.'

"But, most experts also say the reality is that Small and Midsized Businesses (SMB) are more attractive targets because they tend to be less secure and because automation allows modern cyber criminals to mass produce attacks for little investment." Here is the article:

IBM: "Human Error" Contributing Factor In 95% Of Incidents

And once again, the strongest IT safeguards often don't do any good preventing a data breach if a person makes a mistake: In its 2014 Cyber Security Intelligence Index, IBM found "human error" to be a contributing factor in 95% of all incidents investigated. Here is the article:

Obama: "Report Data Breach Within 30 days"

President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches. Article by the venerable Brian Krebs:

WOW, you have to see this: a 3D printer that prints an entire drone in a single print, including some electronics. Super cool:

Introducing Meccanoid G15KS. Your personal robot from the Meccano guys, known in the U.S. as the Erector set. This is great for kids!

words on sticky notes at their desk, they  also apparently will tell Jimmy Kimmel. Enjoy shaking your head in disbelief.  (these people did NOT get security awareness training!!!)
