Want Your Ransomed Files Back? Just Infect Someone Else!

A rather mind-blowing 70% of businesses hit by ransomware paid the hackers to regain access to hijacked systems and files, according to a new IBM X-Force Ransomware report. Of the attacked businesses, 20 percent paid over $40,000 to decrypt their files, while more than half paid more than $10,000.

The IBM study [registration required], “Ransomware: How Consumers and Businesses Value Their Data” surveyed 600 business leaders and more than 1,000 consumers in the U.S. to determine the value placed on different types of data. 

Around 66% of the report’s respondents are generally worried about hackers compromising data, and almost 60 percent of business leaders said they would be willing to pay the ransom to regain access to financial records, intellectual property, business plans and consumer data, the report found. Depending on the data type, they are willing to pay between $20,000 and $50,000 to get their data back.

FBI: “Not A Good Idea To Pay Up”

Law enforcement agencies like the FBI say that it’s not a good idea to pay the ransom. But unlocking patient records in a healthcare site is crucial to keeping patients safe – so hospitals pay up big time.

IBM researchers determined that financial returns on ransomware are expected to grow to over $1 billion for cybercriminals in the next year, which means these types of extortion attempts will continue to expand. Almost 40 percent of spam emails sent in 2016 contained ransomware, and we expect that number to grow.

Small to medium businesses are less prepared for a ransomware attack than larger businesses. And medium to large organizations are more likely to have taken action in the last three months to protect data.

Further, 74 percent of large organizations require employees to regularly change passwords, versus 56 percent of small companies. And only 30 percent of small organizations offer IT security awareness training. OUCH.

“Cybercriminals have no boundaries when it comes to their targets,” Limor Kessem, executive security advisor for IBM Security, said in a statement. “The digitization of memories, financial information and trade secrets require a renewed vigilance to protect it from extortion schemes like ransomware.”

Ransomware attacks very often succeed through a phishing attack with a spoofed ‘From’ address. These types of attacks are hard to spot and employees tend to fall for them.

Can Your Domain Be Spoofed?

Can hackers spoof an email address of your own domain and get away with millions??

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit “CEO Fraud”, penetrating your network is like taking candy from a baby.

Would you like to know if hackers can spoof your domain? Sentree Systems, Corp. can help you find out if this is the case with our free Domain Spoof Test. It’s quick, easy, and often a shocking discovery.

As the makers of recruiting platforms are happy to remind us, your social media self is extremely likely to be perused by recruiters who’ll either snap you up when they see the results or turn up their noses at, say, your posts about OMG how much you HATE your boss and hope he DIES!

According to one such vendor, as of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up.

There have been various tools put forth that make it easier for employers to get at your “true” self.

(And before you protest that our social media selves are not, in fact, our “true” selves, I need to point out that researchers say otherwise. “Disagreeable” or “non-conscientious” people are, in fact, more likely to emit the unpleasant aroma of, say, bad-mouthing peers and employers on social media.)

Now, there’s another such tool to go beyond just plain old running a search on a candidate.

Called The Social Index, the online service promises to rifle through the digital footprints of short-listed job candidates and present employers or recruiters with a report.

That report is an infographic that, the company claims, maps out a candidate’s “personal brand.”

It crunches data from Facebook, Twitter and LinkedIn. According to a report from Mashable, The Job Index focuses on those three social platforms partly because they’re common, but also because, typically, they’re the ones most relevant to a company’s client activities or reputation.

It takes about 30 seconds for the candidate to be analyzed before their “social footprint” is ready. Within 24 hours the report will be delivered to both the client and the job seeker.

It’s a lot faster than slogging through Google searches for a name. Plus, as the founder of the Australian company, Fiona McLean, points out, when you rely on search engine results, you can’t even be sure the profile you’re looking at is for the right person.

As far as privacy goes, McLean points out that the system only looks at public information, and it doesn’t share people’s posts with companies.

If it’s not online, then a client can’t see it in the report.

The system maps out when, where, and how often people are posting. It also gives a timeline for your career, highlighting both the good – say, when you got promoted, or your average tenure – and the bad – say, unaccounted chunks of time that don’t reflect your being employed, or a brief average tenure that could point to a pattern of getting shown the curb after a few months.

Like Klout, it also shows how much of an influencer you are: How many connections you have on any given platform, for example. The system also does some sentiment analysis to show how positive your digital self is.

Employers will be able to tweak it to fit a given role. McLean gave the example of a job that requires a lot of social media interaction: if your profile shows that you don’t post much, that’s bad.

I worked with someone early on who was hiring for a social media role, and they were getting a lot of people who were saying ‘well I know social media, I do a lot of it,’ but the reality was they knew the theory of it but couldn’t demonstrate it.

…on the other hand, if you’re spending all day posting when social media interaction isn’t part of your gig, that’s pretty bad too, McLean said:

If the role is a back office accountant and they are equally on social media between 10 and 4, the chances are, they are not doing the core part of the role as well as they could.

But wait, isn’t it illegal to ask employees for their account logins? Illegal, as in, it’s against user policies to share your account passwords?

Back in June, we got wind of a service that offered to scour potential tenants’ social media profiles for landlords.

The service, called Tenant Assured, still hasn’t launched, but its plan is to provide detailed reports assessing rental applicants’ personality traits, creditworthiness and financial risk by directly accessing their Facebook, Twitter, LinkedIn and Instagram profiles, with the applicant’s consent.

Consent needs to be given for either of these social media-mining apps.

That still doesn’t answer the question, though: isn’t it illegal to demand workers’ passwords?

No, it’s not, at least in the US. As it is, a number of US states have tried to make it so, but the US House has declined to ban the practice.

At any rate, job candidates and tenants alike can decline to hand over access to their accounts.

But if apps like Tenant Assured and The Social Index become widely used, will we even have a choice? My way or the highway or, in this case, pry way or the highway!

Hand over access, or some day you could well find yourself being disregarded for an apartment or a job.

When it comes to The Social Index, the small mercy is that they’re only going after publicly posted data.

It’s yet another very good reason to clean up your past posts and to lock down your privacy.

To maintain privacy, use privacy controls. Millions of Facebook users are oblivious to, or just don’t use, privacy controls.

Don’t be one of them, and while you’re at it, don’t let your friends or family fall into that category.

To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds.

Go to Facebook’s Activity Log page for a list of your posts and activity, from today back to the dawn of your Facebook life.

There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.

Besides photos we’re tagged in without our permission, most of the stuff that’s in our Graphs is up because we put it there.

To further clean up our Facebook personae, we can always remove a tag from a photo or post we’re tagged in.

As Facebook outlines here, you do that by hovering over the story, then clicking and selecting Report/Remove Tag from the drop-down menu. Then, remove the tag or ask the person who posted it to take it down.

Also, to further lock down your profile, take a gander at these three ways to better secure your Facebook account.



Talk about adding insult to injury with this new KillDisk version. Here is how social engineering can cost you dearly.

The Sandworm cybercrime gang has upped its game. They were initially named after the Sandworm malware, which targeted and sabotaged Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) devices in America during 2014.

The Sandworm gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan, and the KillDisk disk-wiping malware.

KillDisk was used in 2015 and 2016 when another gang, the Russian BlackEnergy cyber-espionage group, used the malware to attack and sabotage energy, mining and media companies in the Ukraine. Bad guys have very active forums and they talk all the time, so this is probably how state-sponsored Russian hackers got their hands on KillDisk.

Until today, the KillDisk malware strain was only active in espionage and sabotage ops. Well, they are now moving into the ransomware racket with a bang: a 222 Bitcoin ransom, which with the skyrocketing Bitcoin exchange rate is well over 200 grand. If you get hit with this and your backups fail, that gets very expensive.

The new KillDisk strain uses very robust encryption, giving each file its own AES key, and then encrypting the AES key with a public RSA-1028 key. These guys know what they are doing.

KillDisk was recently used against Ukrainian banks

Recent KillDisk attacks were against Ukrainian banks. These attacks infected bank workers with the TeleBots backdoor trojan via phishing attacks with malicious email attachments. TeleBots is an easy-to-recognize malware strain because it uses the Telegram protocol to communicate with its criminal owners.

Catalin Cimpanu at Bleepingcomputer said: “After collecting data from infected systems, such as passwords and important files, the TeleBots gang would deploy the KillDisk component, which deleted crucial system files, replaced files, and rewrote file extensions. The purpose was to make the computer unbootable and also hide the intruder’s tracks.

In the recent attacks against Ukrainian banks, the KillDisk malware had also been altered to use the Windows GDI (Graphics Device Interface) and draw a picture inspired by the Mr. Robot TV series, showing the logo of the FSociety hacktivism group, portrayed in the show.

At one point in the TV show, the FSociety group also infected the eCorp bank network with ransomware. The same is now true for the TeleBots gang, who added a ransomware component to KillDisk, as an alternative to disk-wiping operations.”

Why did they add a ransomware feature?

It’s easier to hide your tracks if KillDisk poses as ransomware. This is basically a very profitable form of obfuscation.

The victim would assume they suffered an expensive ransomware infection, and wouldn’t scan for the TeleBots trojan or other data exfiltration code. Victims trying to avoid bad PR would restore from backup or pay the ransom and move on. Meanwhile, back at the ranch they would still be robbed blind.

According to malware researchers at CyberX, the KillDisk ransomware component shows the following message on infected computers and demands a huge ransom of 222 Bitcoin, well over 200 grand.


[Screenshot: KillDisk ransomware message]

To unlock your files, you have to contact their customer support via an email and pay the ransom, and then receive your private RSA key that decrypts all your files.

The business model used here is not the spray-and-pray of the cheap ransomware. This gang goes for the high-end approach and demands a high price. Once you contact them through the email address, they will try to extort you by threatening to dump sensitive files they stole via the TeleBots backdoor.




A 19-year-old from Hertfordshire, UK, has pleaded guilty to creating and running the Titanium Stresser booter service, with which he launched 594 distributed denial of service (DDoS) attacks.

According to a statement put out by the Bedfordshire Police, Adam Mudd developed the tool when he was just 15 years old.

He didn’t just use it to launch his own DDoS attacks. He also sold it online and ran it as a service, distributing it to cyber crooks.

Investigators are still working out the total amount Mudd made from the attacks, but their preliminary estimate is around $385,000.

Investigators determined that Mudd’s stressor – which is a tool used to flood networks with data, bogging them down until they’re dead in the water, non-functioning and vulnerable to compromise – was used in more than 1.7 million DDoS attacks worldwide.

Those attacks were launched against 181 IP addresses between December 2013 and March 2015, the month that Mudd was arrested and the service was shut down.

According to Silicon Angle, Mudd kept detailed logs of all the attacks that relied on Titanium Stresser.

In fact, it was, for a time, the most popular DDoS-for-hire service available online.

One of Mudd’s satisfied customers must have been the hacking group Lizard Squad. According to The Register, Mudd’s creation was the basis for Lizard Stresser, a DDoS tool marketed by the hacking group.

Remember Lizard Squad? They ruined Christmas 2014 with a DDoS directed at PlayStation and Xbox servers, timed to make sure nobody could play games during the holiday.

A spot of poetic justice was had when the Lizard Stresser service itself got hacked, spilling customer details on to the internet.

Interestingly, the very same thing happened recently to vDOS, one of the most disruptive attack-for-hire services on the internet.

vDOS was taken down in September, and its alleged co-owners were arrested following a “massive hack” on the site. Tens of thousands of customers’ details were spilled, along with the identities of its teenage owners.

Technically speaking, those who launch these DDoS attacks aren’t hackers, given how little technical skill is required.

All they have to do is harness the horsepower provided by botnets, as Sophos’s Mark Stockley noted at the time of the vDOS takedown. Those botnets contain tens of thousands of computers compromised by malware.

Perhaps not coincidentally, both security journalist Brian Krebs and DNS service provider DYN – both involved in the vDOS sting – were hit by massive DDoS attacks from the Mirai botnet.

As Brian Krebs has reported, Lizard Stresser relies on thousands of hacked home routers to launch DDoS attacks.

That’s not dissimilar to Mirai, which also uses poorly secured devices that aren’t laptops, desktops or servers.

As we noted at the time of the attack on Krebs, Mirai originated not from malicious bot or zombie software on regular computers, as might have been the case a few years ago, but from so-called Internet of Things (IoT) devices such as routers, web cameras and perhaps even printers.

You might not think of such humble devices as having enough brawn to do the damage that DDoSes have wrought, but string them all together, and they can be used to cause a world of hurt.

Mirai wasn’t well-coded. But it didn’t have to be scrupulously developed in order to be destructive.

To make it all that much worse, in the aftermath of the assault on Krebs, the source code of the malware used in the attack was open-sourced.

But back to Mudd: he pleaded guilty to two offenses under the Computer Misuse Act and another of money laundering under the Proceeds of Crime Act. He’s due to be sentenced in December.

We don’t yet know how much prison time Mudd may be facing, but Silicon Angle reports that the judge who accepted his guilty plea noted that “a spell in a youth offenders institution will be considered”.


A couple of weeks ago, a yet unknown attacker hacked the computer systems of the San Francisco Municipal Railway, causing a free ride for all that Saturday. The ransomware hacker was then hacked back: intrepid reporter Brian Krebs was contacted by the anonymous counter-hacker who took over the email account given in the ransom note left in the attack: “Contact for key (cryptom27@yandex.com)”

The ransom demanded from the San Francisco Municipal Transportation Agency (SFMTA) was 100 BTC, or $73,184 USD with current exchange rates.


The security researcher who hacked back the Muni hacker broke into the email account by correctly guessing the security question protecting it, and then resetting the password and locking down the account including the secondary address which was cryptom2016@yandex.com.

“On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same cryptom27@yandex.com inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password.” wrote Krebs. “A screen shot of the user profile page for cryptom27@yandex.com shows that it was tied to a backup email address, cryptom2016@yandex.com, which also was protected by the same secret question and answer.”

The analysis of the Bitcoin wallets used by the Muni hacker revealed that he earned $140,000 in the last three months. During this period he continuously switched Bitcoin wallets at random every few days or weeks to thwart investigations. Most of the extortion attempts targeted US-based construction and manufacturing companies, and in many cases the victims appear to have complied with the demands.

“On Nov. 20, hacked emails show that he successfully extorted 63 bitcoins (~$45,000) from a U.S.-based manufacturing firm.” added Krebs. “Emails from the attacker’s inbox indicate some victims managed to negotiate a lesser ransom. China Construction of America Inc., for example, paid 24 Bitcoins (~$17,500) on Sunday, Nov. 27 to decrypt some 60 servers infected with the same ransomware — after successfully haggling the attacker down from his original demand of 40 Bitcoins. Other construction firms apparently infected by ransomware attacks from this criminal include King of Prussia, Pa. based Irwin & Leighton; CDM Smith Inc. in Boston; Indianapolis-based Skillman; and the Rudolph Libbe Group, a construction consulting firm based in Walbridge, Ohio.”

The experts discovered that the server was used to hack into systems worldwide and was hosting several open-source hacking tools, that the Muni hacker used internet addresses based in Iran, and that some notes found on it were written in Farsi.

What to do about it

Brian Krebs wrote: “The data leaked from this one actor shows how successful and lucrative ransomware attacks can be, and how often victims pay up. For its part, the SFMTA said it never considered paying the ransom.” 

You need off-site backups that cannot be compromised, but some instances of ransomware can lock cloud-based backups when systems are configured to continuously back up in real-time. For more tips on how to avoid becoming the next ransomware victim, check out the FBI’s most recent advisory on ransomware.

Krebs ended with: “Finally, as I hope this story shows, truthfully answering secret questions is a surefire way to get your online account hacked. Personally, I try to avoid using vital services that allow someone to reset my password if they can guess the answers to my secret questions. But in some cases — as with United Airlines’s atrocious new password system— answering secret questions is unavoidable. In cases where I’m allowed to type in the answer, I always choose a gibberish or completely unrelated answer that only I will know and that cannot be unearthed using social media or random guessing.”

That is an excellent piece of advice, and part of new-school security awareness training which all users should be stepped through as soon as possible, followed up by frequent simulated phishing attacks. Start with a free Phishing Security Test, and phish your users to see how many click. It is often an unpleasant surprise, but a great catalyst to get buy-in and fast budget.




In the September/October timeframe this year it became clear that Yahoo had lost more than 500 million records, which was the biggest hack of the year. Who knew that they would top themselves just a few months later!

Yahoo just stated today that a separate incident has exposed at least a billion more user accounts. They also warned that attackers figured out a way to log into targeted Yahoo accounts with forged authentication cookies without having to supply the victim’s password.

How can this get any worse? It’s a massive, epic fail. Here is the updated graph from the Wall Street Journal on the size of this monstrous hack.


“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”

Yahoo said they were in the process of notifying the affected account holders, and that they have invalidated the forged cookies. “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord said.

Blaming it on the Russian Government in this case is a cop-out. These are high level criminal hackers that simply get air cover from Putin but are not on his payroll.

At this point, Yahoo has fallen down on security in so many ways that I have to recommend that if you have an active Yahoo email account, either direct with Yahoo or via a partner like AT&T, get rid of it. But clean it out first, get rid of all the folders, delete the account and open a gmail account instead. Check if you have used your Yahoo password in other sites, and change the password and security questions for those accounts. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.

If you used a mobile phone number in association with your Yahoo! account, and you still use that mobile phone number, then SMS phishing (a.k.a. smishing) is now a distinct possibility, so be very wary of smishes.

Thanks Verizon, for your interest in Yahoo and the due diligence that followed. I would recommend to not pursue this course of action though.



Lynda.com, the online learning unit of LinkedIn, has reset passwords for some of its users after it discovered recently that an unauthorized external party had accessed a database containing user data.

The passwords of close to 55,000 affected users were reset as a precautionary measure and they have been notified of the issue, LinkedIn said in a statement over the weekend.

The professional network is also notifying about 9.5 million Lynda.com users who “had learner data, but no protected password information,” in the breached database. “We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts,” according to the statement. Here is the email that was sent:

“We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.

Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.

If you have questions, we encourage you to contact us through our Support Center.

The Lynda.com team”

Lynda.com was acquired a little while ago by LinkedIn for US$1.5 billion in a cash and stock deal. LinkedIn was in turn acquired by Microsoft this month in an all-cash transaction worth US$26.2 billion.

The breach at Lynda.com comes a little after Yahoo said last week that data relating to over a whopping 1 billion user accounts had been stolen in 2013. This is the second big breach reported by Yahoo, with the other affecting at least 500 million users.

Graham Cluley, who is more or less the Indiana Jones of insecurity reporting, wondered whether this is a hack in the traditional sense, whatever that means anymore, or whether it is based on the findings of a security researcher who uncovered a vulnerability and harvested it.

He’s also a bit miffed that the Lynda website isn’t making a big deal about the problem. This kind of obvious ignoring of hacks is a bugbear of his, which perhaps explains the big dig he gives LinkedIn at the end.

“The wording of the email is a little odd, and makes me wonder whether this was a traditional hack’ or more a case of a security researcher stumbling across a user database on a server that shouldn’t have been publicly accessible, or found a vulnerability that allowed them to access user information,” he said.

“Disappointingly, I was unable to find any reference to the data breach on the Lynda.com website. I always think breached sites should post an online notice so users can confirm the incident, rather than blindly trust an email received in their inbox. Regular readers will recall that LinkedIn is no stranger to database breaches”.

Phishing attacks have long been associated with malicious emails that spoof well-known institutions in order to trick users into coughing up credentials to bank accounts, email accounts, or accounts for major online services. Phishes that exploit the good name of trusted brands familiar to users have also been known to deliver ransomware, backdoors, and other malicious software designed to compromise the companies and organizations those users work for.

Spoofing well known institutions and brand names is old hat, though, and users have become increasingly wary of emails claiming to hail from familiar companies and organizations. In response, the bad guys have been refining their use of social engineering, the key to any successful phishing campaign.

This week we saw the latest evolution in the use of social engineering hooks designed to lure unsuspecting employees into downloading and executing highly malicious software inside corporate networks.

Making the Extraordinary Seem Everyday

Over the past two years malicious actors have increasingly resorted to simpler, less flashy social engineering schemes designed not to raise eyebrows but to capitalize on users’ ingrained habit of clicking through attachments or links that give every appearance of being just more of the same dreary, business-related email content that fills their inboxes on a daily basis.

Thus, most of the major email-driven ransomware campaigns that we’ve seen over the past 6-9 months have been landing in users’ inboxes under the pretense of dealing with invoices, P.O.s, IT-related messaging, and other ordinary business documents and topics, some of them very industry-specific. The social engineering hooks in such phishes are noteworthy only for just how unspectacular they initially appear. A few recent examples:

  • Attached is the initial CD for my client (based on preliminary fees that you sent over). Can you please advise on revised/added fees (tax prorations, HOA dues, etc)?
  • You are going to be billed USD 3,881.74 on your Mastercard balance soon. Take a look at the attachment for information.
  • Your car loan is approved.
  • Charge attached.
  • Your order was completed in accordance with the agreement. Please see attached detailed estimates for each agreement article.
  • We need your signature on this before we can settle.
  • Please find attached the fully executed contract.
  • Our HR Department told us they haven’t received the receipt you’d promised to send them. Fines may apply from the third party. We are sending you the details in the attachment.

Such social engineering hooks are intended to provoke unthinking, habitual clicks from users inured to the avalanche of email that hits their inboxes day in and day out. Most are short — some less than five words — just like the majority of legitimate daily business email communication.

But even these cleverly designed phishes share a common problem: they are cold contacts, forcing users to refocus their attention on a new problem, a process that could raise their levels of awareness and alert them to something amiss. And, indeed, phishing emails are all by their very nature cold contacts.

But what if the bad guys could create the illusion of an on-going email discussion thread among office colleagues — the kind of cozy, familiar situation in which few users would ever expect to be phished? In fact, that’s just what we saw this week.

Starting from the Middle of Things

Over the past two days a number of our customers have reported receiving large numbers of a rather interesting phishing email.

There are a couple of things to note about this email.

First, the email appears to be a conversation between two different employees — one using a generic accounting email address within the company (whose name we’ve redacted) and a second being an individual employee named Sam. In fact, this entire email originated from outside the company being targeted. It is, in reality, a spoofed email thread.

Second, this is a targeted attack. The one named employee is real and the email address contained in the hyperlinked version of his name (only partially visible in the screenshot above) is that employee’s actual email. Moreover, the visible link points to the company’s own domain (while the actual underlying link, revealed by hovering the mouse, points to a Vietnamese domain). The bad guys obviously researched their targets before phishing them in order to create a credible, spoofed email thread purportedly involving real employees likely familiar to other users within the company.
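One way to catch the trick described above, where the visible link text names the company’s own domain while the underlying href goes elsewhere, is to compare the two for every anchor in the HTML body. This is an added example, not code from the original post or from KnowBe4; the sample message, the domains in it and the domain-comparison helper are all constructed assumptions.

```python
# Flag HTML e-mail links whose visible text names one domain while the
# underlying href points at another. Added example; the sample message
# and all domains in it are constructed placeholders, not attack data.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample body: the first link shows the company's domain but
# resolves to a different one; the second is consistent; the third is mailto.
SAMPLE_HTML = """
<p>Hi Sam, the printer is still jammed. The scan ended up here:</p>
<p><a href="http://hr-docs.example.vn/scan/2016-12.doc">https://intranet.example-corp.com/hr/scan.doc</a></p>
<p>Also see <a href="https://intranet.example-corp.com/helpdesk">https://intranet.example-corp.com/helpdesk</a></p>
<p>Thanks, <a href="mailto:sam@example-corp.com">Sam</a></p>
"""

# Matches link text that a reader would read as a URL or bare domain.
_DOMAIN_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain.
    Assumption: no public-suffix list, so 'example.co.uk' collapses to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def visible_domain(text):
    """Domain a reader would infer from the link text, or None when the
    text is not URL-like (e.g. 'Sam' or 'click here')."""
    m = _DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def find_mismatched_links(html):
    """Return [(visible_text, href)] for anchors whose text names one
    registrable domain while the href resolves to another. Non-http(s)
    hrefs such as mailto: are skipped."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = visible_domain(text)
        if shown is None:
            continue
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        if registrable_domain(shown) != registrable_domain(parsed.hostname):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: shows {text!r} but goes to {href}")
```

Anchors whose text is a plain word (“Sam”, “click here”) are deliberately ignored; they need a different rule, since nothing in the text makes a claim about the destination.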

Third, the social engineering hook involves an apparently innocuous request from a fellow employee. Who in a modern office environment hasn’t encountered printer problems? Moreover, the link being dangled in front of users appears to offer access to personally sensitive information — something that could prove irresistible to some people.

In short, this phish is a cleverly manufactured ruse designed to give users the impression that they have been mysteriously dropped into the middle of an ongoing discussion involving a document with personally sensitive information about another colleague working in the same office.

Just like any other phish, it’s a cold contact. But it doesn’t feel like one.

Things Get Real

Employees who click the link will find themselves downloading a malicious Word document that opens to a slickly designed macro warning screen offering the kind of “helpful” instructions that are now a staple among phishing campaigns pushing malicious Office macros:

Users curious enough to follow the directions in that initial screen and enable macros will be kicking off a trojan downloader that pulls down a malicious .EXE from a domain registered just three days ago. That .EXE is then dropped in two locations: the ProgramData and Users\All Users folders.

After a reboot, seven more files (all without file extensions) are added to those locations, and a dodgy .DLL (probably extracted from one of those extension-less files) is automatically loaded by an instance of rundll32.exe.

The .DLL in question is, reportedly, a variant of Fareit — a sophisticated password-stealing tool that scours compromised PCs for all manner of exploitable data and exfiltrates that data to malicious actors. On our test PC, Sysinternals’ TCPView revealed that the .DLL in question had established a connection with a site in Russia — almost never a good sign — on a port often left wide-open in corporate firewalls:
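Each step of the chain just described (Office spawning a downloader, an executable run from ProgramData or Users\All Users, rundll32 loading a DLL from those folders or from an extension-less file, and rundll32 connecting outbound) leaves a host-telemetry footprint. The detection logic below is an added example, not code from the original post; it assumes Sysmon-style events flattened into Python dicts (field names follow Sysmon's ProcessCreate, NetworkConnect and ImageLoad events), and the sample events are constructed.

```python
"""Flag the stages of a macro -> downloader -> dropped DLL -> rundll32 beacon
chain in Sysmon-style events (added example; events below are constructed)."""
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# ProgramData and Users\All Users (a junction to ProgramData) are the drop folders.
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\all users\\")

def base(path):
    return ntpath.basename(path).lower()

def in_drop_dir(path):
    return path.lower().startswith(DROP_DIRS)

def detect(events):
    """Return (rule, detail) tuples; each rule maps to one step of the chain."""
    hits = []
    for e in events:
        image = e.get("Image", "")
        if e["EventID"] == 1:  # ProcessCreate
            if base(e.get("ParentImage", "")) in OFFICE:
                hits.append(("office-spawns-process", image))
            if in_drop_dir(image):
                hits.append(("exec-from-drop-dir", image))
        elif e["EventID"] == 7 and base(image) == "rundll32.exe":  # ImageLoad
            loaded = e.get("ImageLoaded", "")
            if in_drop_dir(loaded) or not ntpath.splitext(loaded)[1]:
                hits.append(("rundll32-loads-dropped-dll", loaded))
        elif e["EventID"] == 3 and base(image) == "rundll32.exe":  # NetworkConnect
            if e.get("Initiated"):
                hits.append(("rundll32-outbound", f"{e['DestinationIp']}:{e['DestinationPort']}"))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not captured from a real host
    {"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "Image": "C:\\Users\\sam\\AppData\\Local\\Temp\\downloader.exe"},
    {"EventID": 1, "ParentImage": "C:\\Users\\sam\\AppData\\Local\\Temp\\downloader.exe",
     "Image": "C:\\ProgramData\\payload.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"},  # benign system DLL load
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\ProgramData\\x7f3k"},  # extension-less dropped file
    {"EventID": 3, "Image": "C:\\Windows\\System32\\rundll32.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},  # TEST-NET placeholder
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign shell32.dll load produces no hit, so on real telemetry the rules key on where rundll32's module came from rather than on rundll32 itself.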


This phishing attack was undoubtedly the initial phase of a more extensive campaign to compromise the networks of targeted companies and exploit the resulting holes for monetary gain.

Helping Users Get Real

As noted earlier, we saw a large number of these malicious emails get reported to us by the employees of customers who have the Phish Alert Button (PAB) installed. Even though this attack used a rather unique social engineering hook, users who had been through KnowBe4’s new-school security awareness training nonetheless smelled a rat and clicked the appropriate button in Outlook, effectively notifying their own IT departments as well as KnowBe4.

This is exactly the kind of response you need from users when something as dangerous as Fareit sails right past all the rest of your security solutions and ends up lurking in your users’ inboxes, tempting them to make one bad click and, in so doing, potentially bring the company down around their ears.

Too many users are taking the bait and clicking all the way through these ransomware traps. It’s time to educate your users with new-school security awareness training and stop the madness.


By Eric Howes, KnowBe4 Principal Lab Researcher.





Two of the biggest cybersecurity attacks are CEO Fraud (aka Business Email Compromise), which has caused $3.4 billion in damages, and the W-2 scams, which social engineer Accounting/HR into sending tax forms. Both attacks have your employees engaging and replying to the bad guys. To help inoculate employees against this type of attack we are launching a new feature: Phishing Reply Tracking (*).

KnowBe4’s new Phishing Reply Tracking allows you to track if a user replies to a simulated phishing email and can also capture the information in the reply for review within your KnowBe4 admin console. Knowing if users are replying to phishing emails and what they are replying with is an excellent way to make sure users are following the best practices for dealing with phishing emails.

We have created a new category of system phishing templates called “Reply-To Online” which are specifically designed to test whether users will interact with “the bad guys” on the other end. However, the Phishing Reply Tracking also works with any of our existing 500+ phishing templates.

Additional options for this feature include:

  • Store the content of the reply.
  • Customizable reply-to address sub-domain, making the reply-to address look similar to your actual domain.
  • Track out-of-office replies to find out if your users are including company directories and other information with their OOF messages.

© KnowBe4, Inc. All rights reserved.



Larry Abrams just reported: “Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victims a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.



Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282