There is a massive scam campaign going on, this time a very well executed Netflix phishing attack.
The scam targets subscribers telling them that their account is about to be canceled. The well-designed, individualized fake email convinces customers to update their account information to avoid suspension. This results in stolen personal and credit card information.
The email has the subject line “Your suspension notification” and includes a link where the subscriber is taken to a fake Netflix page which requires their log-in information as well as credit card number.
The scam was detected Sunday and it targeted nearly 110 million Netflix subscribers. As mentioned, the fake site includes Netflix’s logo as well as popular Netflix shows like “The Crown” and “House of Cards” to make it seem legitimate.
Archive for Security Awareness Training
Organizations in Russia, Ukraine and the U.S. are under siege from Bad Rabbit, a new strain of Ransomware with similarities to NotPetya the last horrible outbreak.
The outbreak started Tuesday and froze computer systems in several European countries, and began spreading to the U.S., the latest in a series of attacks.
Department of Homeland Security’s Computer Emergency Readiness Team issued an alert saying it had received “multiple reports” of infections.
Russia’s Interfax news agency reported on Twitter that the outbreak shut down some of its servers, forcing Interfax to rely on its Facebook account to deliver news.
Bad Rabbit Starts With Social Engineering
The outbreak appears to have started via files on hacked Russian media websites, using the popular social engineering trick of pretending to be an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin, or about $275, from its victim, though it isn’t clear whether paying the ransom unlocks a computer’s files. You have just 40 hours to pay.
Bad Rabbit shares some of the same code as the Petya virus that caused major disruptions to global corporations in June this year, said Liam O’Murchu, a researcher with the antivirus vendor Symantec Corp.
Based on analysis by ESET, Emsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB and WebDAV.
The hardcoded credentials are hidden inside the code and include predictable usernames such as root, guest and administrator, and passwords straight out of a worst passwords list. (Note To Self: all user passwords need to be strong, guide all employees through a strong password training module ASAP.)
As for Bad Rabbit, the ransomware is a so-called disk coder, similar to Petya and NotPetya. Bad Rabbit first encrypts files on the user’s computer and then replaces the MBR (Master Boot Record).
Ouch, that basically bricks the workstation!!!
Learn how to FIGHT Ransomware and stop being a victim!!!
When news broke that the credit reporting agency Equifax had suffered a data breach, consumers around the country began to question the safety of their personal information.
After all, credit reporting agencies have access to most of your personal identifiable information (PII): name, address, birth date, Social Security number, and more.Finding out that the PII for more than 143 million US consumers had been stolen was upsetting, to say the least.
Now, consumers are being cautioned about what can happen with that information, and what steps they can take to protect themselves.
1. Beware of phishing attempts in “news” articles:
Immediately after the announcement of the data breach, articles began circulating that contained a link that lets you find out if your data was stolen. While Equifax has a dedicated web page that lets you enter your information and see if you’ve been exposed, it takes no work at all for scammers to create their own link, request your information for “verification” purposes, and then steal your data. Before clicking any links or entering any personal data, make sure you’re using a verified link that was issued by the correct source.
2. Emailed phishing attacks have already been reported:
There are already scam emails in circulation that suggest you check your credit report by using their handy link. The easiest way to verify an email’s sender is to hover your mouse over the sender’s name. The actual address used will appear in a small box. To be on the safe side, don’t click through from any emails you receive; if you’re told to check your credit report, use a verified request service or form instead of the emailed link.
3. Be on the lookout:
Because genuine information was stolen, be extra diligent about monitoring your account statements, looking for unauthorized charges, tracking and reporting any suspicious activity, and keeping a close eye on your credit reports. Never provide your sensitive information for verification purposes; if you receive a warning or alert, contact your financial institution directly using an approved contact method.
To visit Equifax’s verified link to discover if your information was stolen, go directly to Equifax’s website and follow the steps they suggest. If you do experience any strange activity on your accounts, report it immediately, no matter how minor it might seem at first. Be sure your antivirus software is up-to-date to block any malicious threats from fraudulent emails or messages, and consider placing fraud alerts and security/credit freezes on your credit report with the three reporting agencies if your information was accessed.
This newly discovered ransomware strain is targeting healthcare, education, manufacturing and tech sectors in the US and UK, using customized spear phishing emails.
Defray is demanding a relatively high ransom amount – $5,000 in Bitcoin, and ironically the word defray means “to provide money to pay a portion of a cost or expense.”
The Defray ransomware infection vector is spear-phishing emails with malicious Microsoft Word document attachments, and the campaigns are as small as just a few messages each. The planning and sophistication of the attacks point to a highly-organized cybercrime gang.
“The ransom note follows a recent trend of fairly high ransom demands; in this case, $5000. However, the actors do provide email addresses so that victims can potentially negotiate a smaller ransom or ask questions, and even go so far as to recommend BitMessage as an alternative for receiving more timely responses. At the same time, they also recommend that organizations maintain offline backups to prevent future infections,” Proofpoint researchers said in a blog.
The Proofpoint researchers, further said that the bad guys using this strain were using official logos of hospitals and businesses to trick users into opening malware-laced email attachments. In one of the campaigns, they designed the phishing emails as if they came from a UK-based aquarium with international locations.
“Defray Ransomware is somewhat unusual in its use in small, targeted attacks. Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale “spray and pray” campaigns,” Proofpoint researchers said. “It is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains. Instead, it appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely.”
See How Sentree Systems, Corp. can Help!!
Hurricane Harvey hit hard and especially Houston, TX got badly flooded. The death toll is rising and you can also count on low-life cyber-scum exploiting this disaster.
Scammers are now using the Hurricane Harvey disaster to trick people in clicking on links, both on Facebook, Twitter and phishing emails trying to solicit charitable giving for the flood victims. Here are some examples:
- Facebook pages dedicated to victim relief contain links to scam websites.
- Tweets are going out with links to charitable websites soliciting donations, but in reality included spam links or links that lead to a malware infection.
- Phishing emails dropping in a user’s inbox asking for donations to #HurricaneHarvey Relief Fund.
Previous disasters have been exploited like this, and the bad guys are going at it again will all guns blazing. Be wary of anything online covering the Hurricane Harvey disaster in the following weeks.
I suggest you send employees, friends and family an email about this Scam Of The Week, feel free to copy/paste/edit:
“Heads-up! Bad guys are exploiting the Hurricane Harvey disaster. There are fake Facebook pages, tweets are going out with fake charity websites, and phishing emails are sent out asking for donations to #HurricaneHarvey Relief Funds.
Don’t fall for any scams. If you want to make a donation, go to the website of the charity of your choice and make a donation. Type the address in your browser or use a bookmark. Do not click on any links in emails or text you might get. Whatever you see in the coming weeks about Hurricane Harvey disaster relief… THINK BEFORE YOU CLICK.
WASHINGTON, August 28, 2017 — The Internal Revenue Service warned people to avoid a new phishing scheme that impersonates the IRS and the FBI as part of a ransomware scam to take computer data hostage.
The IRS said: “The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation. It tries to entice users to select a “here” link to download a fake FBI questionnaire. Instead, the link downloads a certain type of malware called ransomware that prevents users from accessing data stored on their device unless they pay money to the scammers.”
“This is a new twist on an old scheme,” said IRS Commissioner John Koskinen. “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”
I suggest you send employees, friends and family an email about this ransomware attack, feel free to copy/paste/edit:
“Heads-up! The IRS is warning against a new phishing scam that tries to make you download an FBI questionnaire. But if you click the link, your computer will be infected with ransomware instead. The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation.
Remember that the IRS does not use email, text messages or social media to discuss personal tax issues, such as those involving bills or refunds. THINK BEFORE YOU CLICK!
The IRS stated: “Victims should not pay a ransom. Paying it further encourages the criminals, and frequently the scammers won’t provide the decryption key even after a ransom is paid. Victims should immediately report any ransomware attempt or attack to the FBI at the Internet Crime Complaint Center, www.IC3.gov. Forward any IRS-themed scams to firstname.lastname@example.org.”
Here is the official IRS Newsroom post : https://www.irs.gov/uac/newsroom/irs-issues-urgent-warning-to-beware-irs-fbi-themed-ransomware-scam
We have been reporting on this massive Cyberheist for a while now, but Fortune Magazine decided to unleash their investigative reporters and find out exactly who those two mysterious high-tech companies were that got snookered for a whopping 100 million dollars.
It is excellent ammo to send to C-level executives to illustrate the urgent need to train employees so they can recognize red flags related to spear phishing.
Here is how the Fortune story starts:
“When the Justice Department announced the arrest last month of a man who allegedly swindled more than $100 million from two U.S. tech giants, the news came wrapped in a mystery. The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme.
The mystery is now unraveled. A Fortune investigation, which involved interviews with sources close to law enforcement and other figures, has unearthed the identities of the three unnamed companies plus other details of the case.
The criminal case shows how scams involving email phishing and fake suppliers can victimize even the most sophisticated, tech-savvy corporations. But the crime also raises questions about why the companies have so far kept
silent and whether—as a former head of the Securities and Exchange Commission observes—it triggers an obligation to tell investors about what happened.
The Masssive Phishing Heist
In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in
order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies.
The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe.”
Learn how to FIGHT Ransomware and stop being a victim!!!
Motherboard reported: “A quickly-spreading, world-wide ransomware outbreak has reportedly hit targets in Spain, France, Ukraine, Russia, and other countries.
Motherboard continued: “The attacks are similar to the recent WannaCry outbreak, and motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.
Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.
“If you see this text, then your files are no longer accessible, because they are encrypted,” the text reads, according to one of the photos. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
Raiu believes the ransomware strain is known as Petya or Petrwrap, a highly sophisticated Russian strain, without all the errors that WannaCry contained, and no kill-switch. According to a tweet from anti-virus company Avira, the Petya attacks were taking advantage of the EternalBlue exploit previously leaked by the group known as The Shadow Brokers
EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a vulnerability in the SMB data-transfer protocol, and Microsoft has since patched the issue. However, whether customers apply that patch is another matter.
Security researchers from Kaspersky Lab reported that the ransomware hit Russia, Ukraine, Spain, France, among others. Several people on Twitter reported witnessing or hearing reports of the outbreak in their respective countries, and across a wide range of industries. Companies around the world also reported computer outages.
If You Have Not Done So Yet, Apply This Patch Immediately.
From what we have been able to learn, this new worm spreads through SMB jkust like WannaCry so when we’re talking about machines behind firewalls being impacted, it implies port 445 being open and at-risk hosts listening to inbound connections. It’d only take one machine behind the firewall to become infected to then put all other workstations and servers at risk due to it being a true worm.
In the meantime, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the “MS17-010” security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/
Note, the patch is included in the Monthly Quality rollups. Also, block inbound connections on TCP Port 445
[UPDATE 6/27/2017] 1:40pm
“It is definitely using EternalBlue to spread,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “I confirm, this is a WannaCry situation,” Matthieu Suiche, the founder of security firm Comae Technologies, wrote on Twitter.
Group-IB believes the attacks on Ukraine and Rosneft were simultaneous and coordinated. Kaspersky and Flashpoint think they’re observing signs of the Petya (a.k.a. Petrwrap) strain of ransomware in the attacks.
Other major infestations are reported by the Danish shipping concern A.P. Moller-Maersk, pharmaceutical company Merck (this in the US), Deutsche Post (its operations in Ukraine), and British ad agency WPP. More are sure to come.
The ransom note’s text has appeared in English, but Ukrainian authorities blame Russian hackers, especially since the attack coincides with tomorrow’s observance in Ukraine of Constitution Day. On this interpretation the attack’s spread is due either to the inherently difficult-to-control nature of malware, deliberate misdirection, or willingness to take such targets of opportunity as present themselves.
UPDATE 6/27/2017 2:13pm
We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample carried in any e-mail related attacks.
This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.
Command and Control
Petya contains no Command and Control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.
Petya may spread to other hosts directly using SMB or through the ETERNALBLUE exploitation tool.
Online reporter Doug Olenick at SC Media was the first to point to a press release from the NY State Department of Motor Vehicles warning about a phishing scam where New York drivers are being targeted, stating they have 48 hours to pay a fine or have their driver’s license revoked. This may happen in your state as well, so this is your heads-up.
The NY DMV alerted motorists that the scam is just bait to entice them to click on a “payment” link that will in turn infect their workstation with malware. The DMV does not know how many people have been affected, but Owen McShane, director of investigations at New York State DMV, said calls came in from New York City, Albany and Syracuse.
Olenick was able to get a bit more detail: “The malware being dropped came in two categories. The first simply placed a tracking tool on the victim’s computer to see what websites were visited; and the second, more nefarious, attempted to acquire a variety of personally identifiable information, such as names, Social Security numbers, date of birth and credit card information.”
There are several social engineering red flags that show the email is a scam. The supplied links lead to sites without an ny.gov URL, tied to the fact that the state would never make such a request. Here is how the phishing email reads:
The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV deputy executive commissioner, in a statement.
McShane noted that this scam is similar to one that hit the state about 18 months ago. The DMV, he said, is often used as bait in phishing attacks. Most previous attacks only lasted for 24 to 48 hours and this attack seems to have wrapped up too at this point, he added. This means that the bad guys may have moved on to other states with this attack, so…
I suggest you send employees, friends and family an email about this Scam Of The Week. Obviously, an end-user who was trained to spot social engineering red flags like this would have thought before they clicked.
DocuSign has admitted they were the victim of a data breach that has led to massive phishing attacks which used exfiltrated DocuSign information. Ouch. So here is your Scam Of The Week.
They discovered the data breach when on May 9, 15, and 17 DocuSign customers were being targeted with phishing campaigns. They now are advising customers to filter or delete any emails with subject lines like:
- Completed: [domain name] – “Wire transfer for recipient-name Document Ready for Signature”
- Completed [domain name/email address] – “Accounting Invoice [Number] Document Ready for Signature”
- Subject: “Legal acknowledgement for [recipient username] Document is Ready for Signature”
The campaigns all have Word docs as attachments, and use social engineering to trick users into activating Word’s macro feature which will download and install malware on the user’s workstation. DocuSign warned that highly likely there will be more campaigns in the future. Here is an example, these emails look very real:
I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:
“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing.
But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”
See How Sentree Systems, Corp. can Help!!