Security Awareness Training Blog


Urgent Phishing Alert: Warn Your Users Against AdultFriendFinder Scams Now

Your end-users may have seen this in the news yesterday, or will read about it today.

A massive data breach of the adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts, including (and this is really bad) over 15 million "deleted" records that were not purged from the databases.

The exfiltrated records included 339 million accounts from the AdultFriendFinder site, which the company promotes as the "world's largest sex and swinger community."

But wait, there's more...

Scam Of The Week: FBI Warns Against Data Breach Extortion

The number of data breaches keeps going up. Last week it was more than 1,000 Wendy's locations where credit card records were stolen. Fraudsters quickly use the news release of a high-profile data breach to kick an extortion campaign into gear.

The recent uptick in email extortion comes from the data breaches at organizations like Ashley Madison, the IRS, Anthem, and many others, where millions of records with (sometimes highly) personal information were stolen.

Scam Of The Week: LinkedIn Email Change Your Password

You probably remember the 2012 LinkedIn data breach. It was a big deal because something like 6.5 million user account passwords were posted online, but LinkedIn never confirmed the final number of people that were impacted.

Well, it turns out that 117 million records were actually stolen, containing both email addresses and passwords that were easily decrypted. This new number is all over the news because that database is now being sold on the dark net. It is not unusual for such stolen material to turn up for sale long after the initial data breach.

LinkedIn is invalidating the compromised passwords and currently sending out emails to users, urging them to change their passwords in response to this report (though the email LinkedIn is sending is vague about the actual nature of the threat).

What Is The #1 Cause Of Healthcare Data Breaches?

As a new story about hospital ransomware or a stolen laptop containing PHI seemingly emerges every day, it comes as no surprise that healthcare data breaches have steadily increased in frequency and severity since 2010. Read about a new study by the Ponemon Institute which reveals that healthcare data breaches will cost the industry about $6.2 billion.

It's The Employees, Stupid

Despite the prevalence of cybersecurity incidents, the study showed that the majority of healthcare organizations and business associates were most concerned with negligent or careless employees causing healthcare data breaches.

Ransomware Attack Shuts Down Medstar Washington Hospital

The Washington Post reported that a ransomware infection penetrated the computer network of MedStar Health early Monday morning, forcing the Washington health care behemoth to shut down its email and its vast records database.

What is the REAL cost of a data breach?

A new survey done by Kaspersky with participation of 5,500 companies in 26 countries finally shows the real cost of a data breach broken out by Small and Medium Business (SMB) and Enterprise. They also show the direct and indirect costs for each, which gets you to some hard numbers you can use to request budget.

The data shows that a security breach usually costs large enterprise-level organizations an average of well over half a million dollars ($551,000), and costs SMBs an average of $38,000. Then you can add the indirect costs: $69,000 for larger companies, and $8,000 for SMBs.

90% of companies experienced some sort of security breach

You can see that calculating the costs is a worthwhile exercise, as 9 out of 10 companies that took part in the survey admitted to a security breach, and 46% of them even said they've lost critical and sensitive information. Now, I'm sure that the survey was self-selecting so you need to take that 90% with a grain of salt. Still...

Included in the direct costs were hiring IT consultants (69% of the companies), hiring incident response consultants (43%), lawyers (37%), physical security consultants (36%), auditors and accountants (35%), management consultants (35%), and PR and corporate image consultants (24%). The indirect costs are the budget you need to spend on additional staff hiring and training, infrastructure upgrades, etc.

What worries IT Pros the most regarding data breaches?

Half Of Your Users Are Now Spear Phishing Targets

In a presentation at the Intelligence & National Security Summit, Bill Evanina, Director of the National Counterintelligence and Security Center (NCSC) announced "There have been just over 500 breaches so far this year, some of which made the news, and 47 percent of adult Americans have been the victim of a breach in the last three years."

Stop The AshMad Insanity!

First a 10Gig dump with the full Ashley Madison database. Then a 20Gig dump with their whole Github repository, and then, to top it all off, a 300G(!) dump. In an interview with Motherboard the hackers claimed to have data which includes employee emails, internal documents, nude photographs, and private chats between members. However, the Impact Team said it would not release explicit photos of AshMad customers, but did not rule out publishing the private chats and other photographs posted through the adultery website.

When asked about AshMad security, they said "Nobody was watching. No security", describing how they broke into the company's servers repeatedly over the past few years. One hacker said, "[We] got in and found nothing to bypass."

The release last Tuesday contained customer data belonging to U.S. government officials, British civil servants and high-level executives at European and North American corporations. We have a copy and will make it available for security purposes. However...

Should You Check For Employees' Emails?

Phishing Alert: Warn Your Users Against Ashley Madison Scams Now

Your end-users saw this in the news yesterday, or will read about it today. The hackers who stole more than 36 million records from the Ashley Madison site (which makes it easy to cheat on your spouse), have now posted all the records for everyone to see. This is a bad one.

Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can "check if your spouse is cheating on you", or ways to find out if your own extramarital affair has come out.

Any of these 36 million registered users are now a target for a multitude of social engineering attacks. People that have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.

I have already seen the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands, not to mention the divorce lawyers and private investigators who are poring over the data now.

Here is one of the first real examples of AshMad extortion:

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:

1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]

Sending the wrong amount means I won't know it's you who paid.

You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here.....

What To Do About It

I suggest that you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users. Feel free to edit.

"Yesterday 36 million names, addresses and phone numbers of registered users at the Ashley Madison site (which makes it easy to cheat on your spouse) were posted on the Internet. All these records are now out in the open, exposing highly sensitive personal information.

Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening email messages which slip through spam filters that have anything to do with Ashley Madison, or that refer to cheating spouses and delete them immediately, in the office or at the house."

SHOCKER: Data Breaches Cost Big Companies Very Little

Two articles today, in Fortune Magazine and Harvard Business Review, each lifted a corner of the veil on a dirty little secret about data breaches. From Home Depot to Target to Sony, big companies that were hacked because of a successful phishing attack barely felt it, whether measured against their total revenues or in their stock price.
