Recognizing Elder Scams

People need to ensure that their elderly relatives are aware of scams that target older people, according to Emma McGowan at Avast. McGowan says it’s best to avoid being condescending, and to remain aware that your older relatives have more experience than you.

“First, talk with them about what to look out for and how to protect themselves,” McGowan says. “And here’s an important point of emphasis: You need to talk with them, not at them. Your older relatives have a whole lifetime of experience; a whole lifetime of making their own decisions and relying on their own judgement. It’s unlikely that they’re going to want to be lectured by someone who is 20 or 30 or even 50 years younger than they are. Think about it this way: Would you want your niece or nephew to lecture you about the safety of a neighborhood that you’d lived in for longer than they’ve been alive? Of course not! And by the same token, your older relatives don’t want to be lectured about safety online.”

McGowan explains that there are ways to show your relatives how scammers can target them.

“So instead of lecturing, empower them to take care of themselves,” McGowan writes. “One way to start the conversation is by googling their names and showing them what’s publicly available online. This is a good way to visually illustrate to them how easy it is for scammers to get information about someone.”

One of the best ways to help people avoid falling for scams is to tell them to ask you for your opinion if they think something might be a scam. Many scams try to isolate their victims to prevent them from asking for a second opinion.

“You can also offer to be their sounding board if they think something might be a scam, with no judgement,” McGowan says. “Tell them they can share any email, direct message, pop-up — anything — and you’ll help them figure out if it’s legit or not. That way, you get to help your parent (or grandparent or aunt or uncle) and they get the bonus of more time spent with you.”

New-school security awareness training can help people learn to avoid scams on their own and teach their loved ones to recognize these tactics as well.

READ MORE

The Good, the Bad, and the Ugly About MFA

I have been in computer security for over 34 years now. Yeah, even I cannot believe how long it has been. I have been a penetration tester for over 20 of those years and worked on dozens of MFA and MFA hacking projects. But it was not until I developed a webinar for KnowBe4 called the 12 Ways to Hack MFA that I understood how many people were craving any information on MFA that they could find. It easily became my most requested webinar, and it still is. I taught it to hundreds of groups over the last two years, and I had standing-room-only crowds at both the Black Hat and RSA security conferences when they were available in person. I ended up writing an e-book on it for KnowBe4 and even helped to develop a quiz tool that mimicked my brain trying to hack your favorite MFA solution. Along the journey I learned about many more ways to hack various types of MFA. I ended up putting the over 50 ways anyone can hack MFA into a Wiley book called Hacking Multifactor Authentication.

In the process of all that activity, writing, and testing, I have hacked or security reviewed over 150 MFA products. I have learned a lot. I have even learned new things I wish I had put in the book. I am going to share the most important facts that I have learned about MFA solutions over the last few years in my latest webinar on the subject, “Hacking Multifactor Authentication: An IT Pro’s Lessons Learned After Testing 150 MFA Solutions”. The first showing is March 10th @ 2:00 PM ET. If you are interested in learning more about MFA, you should attend this webinar.

In the webinar, I start out by discussing all the different types of MFA, including some obscure ones that most people have probably never heard of. Then I discuss how the different types of MFA solutions can be hacked. I cover what the best types of MFA do to prevent attacks, and I cover the MFA solutions that I myself would never use if I didn’t have to. It is the good, the bad, and the ugly about MFA. I even tell you how you can pick the best MFA for yourself and your organization.

Let me share a few tidbits that I discuss in the webinar:

  • How your favorite MFA solution can be hacked
  • What is wrong with SMS-based MFA and why you should not use it, if you can avoid it
  • The good and bad about phone-based MFA
  • What makes one OTP MFA solution better than another
  • What MFA standards you should look for when choosing a solution
  • When you should run away from an MFA vendor

It also contains another video of uber hacker and KnowBe4’s chief hacking officer, Kevin Mitnick, bypassing a very popular web service’s MFA like it was not even there.

READ MORE

Think Your Cyber Insurance is Going to Cover that $6 Million in Cyber Fraud? Think Again.

The latest tale of an organization falling victim to a business email compromise attack on their credit card processor highlights how very specific the scenario needs to be to see a payout.

In 2018, RealPage, a Texas-based service provider for property owners and property management companies was the victim of a cyber attack that took the company for $6 million. RealPage processed their credit card transactions through a third-party processor, Stripe. Stripe fell victim to an impersonation attack where cybercriminals gained control over a RealPage user’s credentials and convinced Stripe to modify the disbursement instructions to point to a bad guy-controlled bank account. In total, $10 million was sent to the fraudulent account, with $4 million recovered.

In recent court documents where RealPage sued their cyber insurer for non-payment under their cybercrime policy, it was determined that Stripe possessed the funds at the time the fraud was committed, with the policy essentially stating that the insurer will pay for loss of or damage to “money” … resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the “premises” or “banking premises.” The court found this to mean RealPage is only covered if they themselves were the victim. But, because Stripe was the victim – despite the funds belonging to RealPage – the denial of a policy payout was upheld.

Many organizations believe that just because they have cyber insurance, they’re covered against any kind of attack. But more and more of these cases are finding their way into the headlines, making it clear that you need to be sure to read the fine print and establish the specific attack circumstances that are to be covered.

Beyond this, the least expensive course of action is to work to avoid becoming a victim in the first place. In the case of RealPage, it’s highly likely that the compromised credentials were obtained using a simple phishing attack that presented itself as needing the victim user to log on to their online email. Security Awareness Training helps to mitigate these kinds of attacks by educating users about cyber attacks, banking fraud schemes, phishing attacks, and social engineering tactics.

READ MORE

[ALERT] New Stanford Research: 88% Of Data Breaches Are Caused By Human Error

A brand new report confirms what we have been saying for many years now. About 9 out of 10 data breaches are caused by your users.

Researchers from Stanford University and a top cybersecurity organization found that approximately 88 percent of all data breaches are caused by an employee mistake. Human error is still very much the driving force behind an overwhelming majority of cybersecurity problems.

The study was done by Stanford University Professor Jeff Hancock and security firm Tessian. The study, “Psychology of Human Error”, highlighted that employees are unwilling to admit to their mistakes if organizations judge them severely.

Understanding the psychology behind human errors helps organizations know how to prevent mistakes before they turn into data leaks. According to the study, nearly 50% of employees stated that they are “very” or “pretty” certain they have made an error at work that could have led to security issues for their company. The study goes into detail about the differences between younger and older employees: younger users will more readily admit to mistakes and are also easier to phish.

Other findings include:
  • Nearly 45% of respondents cited distraction as the top reason for falling for a phishing scam.
  • 57% of remote workers admit they are more distracted when working from home.
  • The top reasons for clicking on phishing emails are the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%).

“Your employees are focused on the job you hired them to do and when faced with to-do lists, distractions, and pressure to get things done quickly, cognitive loads become overwhelming and mistakes can happen,” the study report concluded. Stepping users through new-school security awareness training is a must that you simply cannot afford not to do.

READ MORE

Universal Health Services Becomes Next Victim of Ryuk Ransomware, Costing $67 Million

Fortune 500 hospital and health care service provider Universal Health Services (UHS) recently became a victim of Ryuk ransomware in September 2020.

UHS released the following statement: “The substantial majority of the unfavorable impact was attributable to our acute care services and consisted primarily of lost operating income resulting from the related decrease in patient activity as well as increased revenue reserves recorded in connection with the associated billing delays.”

The hospital’s operational systems and the other affected systems have since been restored, and UHS has stated that normal operations have resumed.

Remember in October 2020 when the government warned of Ryuk ransomware targeting the healthcare industry? The ransomware group has already hit about 20 companies a week and has been the mastermind behind the big wave of attacks on the US healthcare system.

It’s important to make sure you frequently check your network’s effectiveness. New-school security awareness training can also help your users spot and report any suspicious activity in their day to day operations.

READ MORE

Phishing Catch of the Day: Your Inbox Will be Deactivated

In this series, our security experts give a behind-the-scenes look at phishing emails that were reported to PhishER, KnowBe4’s Security Orchestration, Automation and Response (SOAR) platform. We go in-depth to show you real-world attacks and how you can forensically examine phishing emails quickly.

Each Phishing Catch of the Day will focus on a single phish attempt and describe:

  1. What context or pretexting exists between employee, hacker and email.
  2. What red flags one can look for before falling victim.
  3. What attack vector is being utilized and for what purpose.
  4. What steps to take to inoculate users from similar attacks.

The Initial Phish Breakdown

Figure 1: PhishER Screenshot of Reported Phishing Email

Early in the morning on Feb 11th, a KnowBe4 employee received an email claiming that their inbox would be deactivated if they did not confirm their email address. The sender of this phish is hoping to generate an emotional reaction, causing the user to react without thinking.

Phishing Warning Signs and Red Flags

The best approach to consistently identify phishing is to simply ask oneself “Is this phishing?” whenever viewing an email or electronic message. The brain will naturally jump into a detective mindset and become resilient to emotional reaction.

Scroll up to the first screenshot, put on your detective cap, and try to find as many red flags as you can before continuing!

Figure 2: Red flags found in the phishing email

Let’s gather more information from the headers of the email. Clicking on the Headers tab in PhishER shows all headers pulled from the reported message in an easy-to-read format and highlights IP addresses and authentication information for you. Take a look at the ARC-Authentication-Results header to determine the original, non-spoofable sender location.

Figure 3: ARC-Authentication-Results from the Headers tab in PhishER

It appears that the email is coming from an Amazon SES server and the originating IP is 23.251.242.1. You may be able to reach out to Amazon and report abuse if necessary, especially if this is an ongoing problem from this specific address.

Phishing Attack Vector and Road to Compromise

Opening up the link found in the email, we see the landing page below.

Figure 4: Phishing email landing page

Notice the “NOPE” at the top and the pre-filled “nope@nope .com”. This is pulled from the ‘#’ anchor (URL fragment) passed in to the page from the email URL. The page then uses JavaScript to style the form and add any icon found in Google Images for the user’s email domain. This is to provide some familiarity to a victim and to imitate a generic login page that an individual might trust.

Figure 5: Anchor passed in from the URL in the email body

Upon entering their credentials, the page runs JavaScript to verify that the password and email fields are not empty and then sends the form contents to a remote server in Indonesia (which may explain why the email was sent outside US business hours).

Figure 6: JavaScript code to POST user-entered credentials to a remote server

Figure 7: WHOIS of the domain found in the POST request
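The two checks walked through above, reading the originating IP and verdicts out of the ARC-Authentication-Results header and spotting a link that smuggles the victim's address in its ‘#’ fragment, can be scripted for triage. This is an added example, not PhishER or KnowBe4 code; the sample message is constructed (the domains are placeholders), with only the originating IP taken from the write-up.

```python
"""Triage helpers for a reported phishing email (added example).

Parses the (ARC-)Authentication-Results header to recover the originating IP
and the SPF/DKIM/DMARC verdicts, then scans body links for the
"#victim@domain" pre-fill trick used by the landing page discussed above.
"""
import json
import re
from email import message_from_string
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# The receiving MTA records the connecting IP either in the SPF comment
# ("... designates 1.2.3.4 as permitted sender") or as a client-ip property.
IPV4_RE = re.compile(r"(?:designates|client-ip=)\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: a lookalike "IT support" phish relayed through SES.
# The IP is the one reported in the write-up; every domain is a placeholder.
SAMPLE_EMAIL = """\
From: "IT Support" <no-reply@example-notify.invalid>
To: user@example.com
Subject: Your inbox will be deactivated
ARC-Authentication-Results: i=1; mx.example.com;
 dkim=pass header.i=@amazonses.com;
 spf=pass (example.com: domain of bounce@amazonses.com designates 23.251.242.1 as permitted sender) smtp.mailfrom=bounce@amazonses.com;
 dmarc=fail (p=NONE) header.from=example-notify.invalid
Content-Type: text/plain

Confirm your address now or lose access:
https://login-confirm.invalid/verify.html#user@example.com
"""


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results / ARC-Authentication-Results value.

    Returns the authserv-id, each method's verdict (spf, dkim, dmarc, ...),
    the smtp.mailfrom / header.from / header.i properties and the client IP
    the receiving server recorded.
    """
    value = " ".join(value.split())            # unfold the header
    ip = IPV4_RE.search(value)                 # capture before comments go
    value = re.sub(r"\([^)]*\)", "", value)    # drop parenthesised comments
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    if clauses and re.fullmatch(r"i=\d+", clauses[0]):
        clauses.pop(0)                         # ARC instance tag
    result = {"authserv_id": clauses.pop(0) if clauses else "",
              "client_ip": ip.group(1) if ip else None}
    for clause in clauses:
        tokens = clause.split()
        method, _, verdict = tokens[0].partition("=")
        result[method.lower()] = verdict.lower()
        for prop in tokens[1:]:
            key, _, val = prop.partition("=")
            if key in ("smtp.mailfrom", "header.from", "header.i"):
                result[key] = val
    return result


def prefilled_emails(url: str) -> list:
    """Email addresses carried in a link's fragment or query string."""
    parts = urlsplit(url)
    return EMAIL_RE.findall(parts.fragment) + EMAIL_RE.findall(parts.query)


def triage(raw_message: str) -> dict:
    """Summarise one reported email: auth verdicts, links, pre-filled links."""
    msg = message_from_string(raw_message)
    auth = {}
    for name in ("ARC-Authentication-Results", "Authentication-Results"):
        if msg[name]:
            auth = parse_auth_results(msg[name])
            break
    body = "" if msg.is_multipart() else msg.get_payload()
    urls = URL_RE.findall(body)
    flagged = {u: prefilled_emails(u) for u in urls if prefilled_emails(u)}
    return {"auth": auth, "urls": urls, "prefilled": flagged}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EMAIL), indent=2))
```

A DMARC failure combined with a pre-filled address in the link is a strong signal on its own; the client IP is what you would hand to the hosting provider's abuse contact.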

Conclusions and Recommendations

The attack described above is a perfect example of credential phishing. This is a tactic where a hacker will route you to a landing page that imitates a popular or important browser application in hopes that, when you enter your username and password, they can pocket the credentials to use at a later date.

This attack can be particularly harmful to your organization because your end users are usually unaware that they have compromised their account! A malicious actor can utilize this access for weeks without detection because any activity looks to come from a legitimate account.

If you’re a KnowBe4 customer, you can find this phishing template under the IT Category on the KMSAT platform labeled, “IT: IT Support Email Shutdown (Link) (Spoofs Domain)”.

It’s important to ensure your users are staying alert of the latest attacks. Frequent phishing security tests and new-school security awareness training can help your users actively apply training techniques in their day-to-day job functions.

READ MORE

Running Headfirst Into a Breach

The pandemic changed the fortunes of many organisations. Perhaps none so much as Zoom, which has found itself becoming a noun synonymous with any form of video call.

However, its meteoric rise has not been without some hiccups along the way. There have been many cases of people not securing their meetings, leading to many cases of ‘zoombombing’ in which unauthorised people join video calls with the intention of sharing lewd, obscene or otherwise distasteful content.

There was also the case of investors wanting to jump on the Zoom bandwagon who inadvertently purchased stock of Zoom Technologies, a small Chinese company which had nothing to do with Zoom, the video chat platform.

Errors and mistakes aside, criminals have also been quick to notice the trend and have been quick to capitalise by registering thousands of fake domains designed to impersonate Zoom and other video conference brands. They have also been using them to send out phishing links.

With the majority of office employees working remotely, receiving Zoom invites or even seeing reminders in their calendar for upcoming Zoom meetings has become a daily occurrence.

It is not just phishing via email that has taken off. People working from home usually have several communication channels they use to interact with colleagues, customers, partners and friends. These encompass everything from messaging apps to social media and everything in between.

Pulling on Emotions

Criminals are very good at crafting messages in a way that pulls on people’s emotions. This can be fear, greed, curiosity, urgency, helpfulness or any other emotion. One of the biggest reasons this works can be understood through Daniel Kahneman, who wrote in his book “Thinking, Fast and Slow” that there are essentially two types of thinking the human brain undertakes.

System one is referred to as fast thinking and largely works automatically and effortlessly via shortcuts, impulses and intuition. It is fast, but also error prone. System two is also known as slow thinking. It takes time to analyse, reason, solve complex problems and requires people to exercise self-control. It is slow, but reliable.

A good criminal pulls on emotions because it is a surefire way to get people into system one thinking, where they will carry out an action before thinking about it.

Think about it. When was the last time you received a scam or phishing attack and the sender was polite and ended with, “please respond whenever is convenient, there’s no rush”?

It’s why an inflammatory Tweet or Facebook post receives so much attention and so many responses, even though we often know we should just ignore it. It just presses our emotional buttons and we need to say something.

So, it becomes difficult to rein people in — even the most security conscious people can be fooled by a WhatsApp message which pops up saying, “Why aren’t you in the meeting? We’re all waiting for you. Click here to join.”

Not a Theoretical Risk

The security industry has been guilty in the past of over-hyping issues. But social engineering threats are very real. If we look at the growth of ransomware over the years, it has become a huge criminal cash cow.

Most ransomware these days is delivered via phishing across multiple channels, hitting organisations across all industry verticals and of all sizes. Nearly a year ago, Travelex was hit by ransomware which resulted in the business being down for several weeks before they recovered. Unfortunately, its woes didn’t end there. With the pandemic hitting and many countries going into lockdown, the organisation didn’t get a chance to recover and went into administration later in the year.

Down under in Australia, the CEO of a hedge fund was tricked into clicking on a phishing email disguised as a Zoom invite. The click gave criminals access to the CEO’s email, which allowed them to send emails posing as the CEO authorising payments amounting to nearly $8m. And while the hedge fund was able to recover most of the money, the reputational damage was so severe that its main fund pulled out, forcing the hedge fund to shut down.

The fact of the matter is that social engineering attacks are only increasing and becoming the main thrust of cybercrime, and they are having a far greater impact on victim organisations.

Ways You Can Stay Safe

Staying safe against these attacks is increasingly difficult, not just because of the increased sophistication of attacks, but because of the sheer volume of attack avenues available to criminals, ranging from email inboxes, social media accounts and chat apps to SMS and phone calls.

  1. Security Awareness Training

    Security awareness training should be provided to all users, from the most junior all the way to the most senior executives. The variety and impact of these attacks should be explained and mechanisms provided so that users can quickly and easily report any suspicious activity for the security team to investigate.

  2. Gain Visibility

    Security teams need to be able to obtain visibility into all of their organisation’s communication channels. For most organisations, too many channels are kept in the dark, so often by the time a breach is detected, it is too late.

  3. Real-Time Threat Detection

    All critical accounts, including marketing and executives, need to be monitored continuously for suspicious activity and messaging. In addition to scanning all files, attachments and links for malware, non-technical social engineering threats should also be sought out.

  4. Incident Response

    A layered response approach needs to be put in place so that any threats detected can be removed immediately.

READ MORE

The First Documented Russian Hack in…1981?

I’m reading “Active Measures: The Secret History of Disinformation and Political Warfare” by Thomas Rid and wanted to share this story with you which was new to me! It’s warmly recommended, a great read.

In October 1981, in a highly embarrassing incident for the Kremlin, a large Soviet nuclear-armed submarine ran aground near Sweden’s Karlskrona Naval Base, violating Swedish territorial waters.

To deflect some political heat, Russian intelligence launched an innovative active measures campaign that took advantage of a new semi-electronic messaging system called the Mailgram, an invention of Western Union.

All of a sudden, on November 8, 1981, a dozen Mailgrams started appearing across Washington, offering dirt on Swedish-American relations. They were sent to the Swedish Ambassador and several newspapers in the United States and Europe.

How was this hack possible?

A sender could phone in a message to Western Union, and they would transmit it electronically to a post office close to the recipient where the message would be printed out and delivered by mail.

Western Union did not independently confirm the recipient’s address or the telephone number to which the unauthenticated caller asked to bill the charges. “Obviously,” concluded the FBI, “the true senders of the Mailgrams were aware that they could have the charges billed to the addresses or telephone numbers of the alleged senders without verification.” The setup was easy to exploit since the attackers spoofed false senders and had Western Union send the bill to the impersonated users!

My realization was that Russia has been at this for a very, very long time, and with the advent of the internet they have the ultimate tool to scale their active measures and cause massive international havoc.

READ MORE

U.K. Phishing Attack Targets Those Seeking the COVID-19 Vaccine

This latest phishing scam impersonates the UK’s National Health Service, telling recipients that they are eligible for the vaccine in order to collect valuable banking and credit card details.

I really despise these scammers. At a time when people are searching for a way to protect themselves, these lowlifes of the cybercriminal world prey on those in fear. This latest scam has recently hit the UK where unsuspecting victims were sent an official-looking email purporting to be from the UK government with a simple message – that the recipient has been selected for the vaccine.

Would-be victims who click the “Accept Invitation” link are taken to a legitimate-looking website that appears to be the NHS:

Source: Bleeping Computer

Once victims again choose to accept the invitation, they are prompted to answer a series of questions that collect personal details including the victim’s name, their mother’s maiden name, address, and mobile number, as well as credit card and banking details.

While this scam feels like it’s targeting individuals, the very same scam is possible within your organization; all it takes is a little spin on the theming (e.g., make the email be from the HR department about a company-wide vaccination with a link to the rollout schedule that happens to attempt to collect Office 365 credentials) to be business-worthy.

Organizations need to take seriously attacks that seem to target individuals rather than corporations, as shifting a campaign to steal corporate data only requires a few changes in how an attack like the one above is executed.

Putting users through Security Awareness Training is an effective way to help them protect themselves and the organization, regardless of how well-executed a phishing campaign is.

READ MORE

Popular Car Company Becomes Next Target in $20 Million Dollar Ransomware Attack

In an unfortunate situation, popular car company Kia Motors America recently made headlines over a possible ransomware attack, with a cybercriminal gang demanding that the company pay a $20 million ransom in order not to leak stolen data.

It was reported by Bleeping Computer earlier this week that the car company suffered a major IT outage that affected all of their technology applications. A customer tweeted that they were told by a dealership that the outage was due to a ransomware attack.

The ransomware group allegedly responsible for this attack is DoppelPaymer, a popular gang that steals unencrypted files before encrypting the victim’s devices. They also leak data on a site to further pressure the victim to pay the ransom. Below is a recent example of just that:

Source: Bleeping Computer

Kia Motors America released a statement with the following, “KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO. We apologize for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.”

Make sure your organization is not the next victim of ransomware. New-school security awareness training can teach your users how to spot and report any suspicious activity.

READ MORE