Phishing Still Works

CSO Magazine has a great piece on social engineering/phishing scams.  The article quotes both vendors that we resell – Wombat and KnowBe4.

Bottom line – the Verizon 2016 data breach report says that 30 percent of the phishing emails were opened compared to 23 percent last year.  12 percent clicked on the link.

If 12 percent of the folks in your company clicked on a malicious link, YOU. ARE. TOAST!

Stu Sjouwerman, CEO and Founder of KnowBe4, an anti-phishing and security education provider says that “a handful of competing cyber mafias are casting their nets wider and wider.”  What this means is that the bad guys have launched an all out assault and situations like the ones that I wrote about the last two days – one company closed its doors, the other lost north of $40 million  – are likely the tip of the iceberg.

One cyber mafia alone netted close to $100 million during the first half of 2016.  That’s a pretty good incentive to hack since it is all tax free.

McAfee recorded 1.3 million new ransomware samples in the first half of this year.

The most commonly successful phishes?

  1. It looked official. – Wombat, a competitor to KnowBe4, says that users are better at detecting personal phishing attacks but do poorly with work related ones.  I guess that is how the hack of Leoni worked.  Send an email from the CFO to accounting, asking them to wire $40 mil to the Czech Republic and DONE!
  2. You missed a voicemail.  Attachments that are designed to look like voicemail messages get people to click,.  And get their computers infected.  You click on it and they own your computer.
  3. Free stuff. People cannot resist free stuff.  Even stuff that they down’t want and won’t use.  if it is free, they want it.  Of course the hackers attach an extra prize to the free stuff.  Once that piece of malware is installed after you click, things won’t seem so free any more.
  4. Fake social media invitations.  LinkedIn, Facebook.  Whatever.  If YOU don’t have a FB or LI account then a scammer can create one using your name.  Then invite your friends.  Or maybe the fake account belongs to the CEO.  Who wouldn’t accept his invitation.  Now they can steal your information or get you to click on a malicious link.
  5. Social Media at Work.  If your company allows you to use twitter, etc.  Wombat says that employees missed an average of 31 percent of the social media question on their tests.  Since most organizations allow employees to use social media at work but a third of the time users cannot detect malicious activities, what does that say about keeping the bad guys out?

Part of it is that the bad guys are getting better.  Much better.  I look at some of the malware and it is very impressive.

What is an organization to do?

If you are not actively phishing your employees on a regular basis (at least once a month, if not more) with very realistic phishing emails, you are missing a training opportunity.  And the cost is very reasonable.  Contact us for details.

Information for this post came from CSO Magazine.

Facebooktwitterredditlinkedinmailby feather

Leoni AG Lost $44 Million to CEO Fraud

Leoni makes cables and wiring harnesses for cars, trucks, healthcare systems, appliances and many other products.   They operate worldwide, are publicly traded, have 75,000 employees and in 2015 had sales of over 4 billion euros.  You would think that a company like this would not fall for a business email compromise scam.  But they did.

CEO fraud, AKA Business Email Compromise (BEC) , cost Leoni AG almost 40 million euros to the scammers.  BEC is a huge problem with the FBI saying that it is costing companies worldwide over $2 billion during the last several years.

The scammers had done their homework.  They targeted a subsidiary of the company in Romania.  It turns out Leoni has four factories in Romania, but only one of them is authorized to send wires.  They targeted that one.

They sent an email that looked like it came from the CFO in Germany.

People inside the company said that it was common to send money that way.  Even large amounts of money.  40 million Euros later they hopefully are reconsidering that strategy.

I continue to be amazed that large companies – Leoni has revenues of over $4 Billion Euros – authorize wires via email.  And then they are surprised that they are taken to the cleaners for almost $45 million.

The company’s press release said hackers used falsified documents and identities and electronic communications channels to perpetrate the scam.  This means that they pretended to be the CFO and sent an email requesting the wire transfers.

The good news is that 40 million Euros, while substantial, will not cause the company to go under.  Their profit before taxes in 2015 was around 150 million euros.

Unfortunately, for many companies that fall victim to a business email compromise attack, that isn’t the case.  In some cases, the attack has a very significant financial impact on the business.  I wrote about a company yesterday that went out of business as a result.

This incident makes me ask some questions.  Consider what the answers for your company are.

  1. Can someone send an email, pretending to be, say, the CEO or CFO, to someone in accounting asking to wire some money to some random bank account in a foreign country and no one says anything about it BEFORE sending the payment?
  2. Is there a policy that dictates how employees are supposed to handle requests for payments made via email?  For example, is there a validation process?  Does the request require approval?  Is there a dollar value threshold above which extra authorization is required (such as $40 million)?  What about if the sender says that this is a super-secret hush-hush deal?
  3. Does your company attempt to phish its employees as part of its training program?  If so, how often is that done?  HINT:  Doing it once a year as part of the review of corporate HR policies probably won’t have much of a positive effect.
  4. Does your insurance cover this loss?  Typically cyber insurance does not cover it, nor does general liability.  Since the employees voluntarily sent the money, it is not covered by forgery coverage.  Some insurers are creating a social engineering coverage to address this.  To be sure that you are covered, ask in writing and make sure that the amount of coverage is adequate.

This is a significant business problem that can only be addressed by training people.  This is not a technology problem.  And since it is so profitable, it is not going away any time soon.


Information for this post came from Leoni’s press release on the issue.

Facebooktwitterredditlinkedinmailby feather

News Bites – Appalachin Healthcare, Business Email Compromise and NITs

ITEM 1:  As I wrote about a couple of weeks ago, Appalachian Regional Healthcare was attacked with some form of malware, forcing them to shut down every single computer in every hospital that they run.  Finally, after twenty days, the hospital chain says that things are back to normal.

Appalachian says that they do not believe data was compromised, but they have not released any details about what happened, so we do not know if data was not compromised or if that is just wishful thinking.  The hospital chain operates 11 hospitals in Kentucky and West Virginia.

During those almost three weeks, employees were forced to write down instructions on paper, ambulances were redirected, in some cases, to other hospitals and doctors told their patients to bring their medications to office visits so that the doctors would know what the patients were taking.

Is your company ready for a twenty day outage like this?

ITEM 2: A small investment fund, Tillage Commodities was the victim of a Business Email Compromise that played the company that they hired to protect their investor’s money for a fool.

Not only did the management company that Tillage hired not follow its own rules, but when the wires that they sent to China, supposedly at the request of Tillage, but in reality at the request of hackers, failed, they fixed them for the hackers.

Tillage closed their doors – an unfortunately too common occurrence after these email scams and are suing the management firm, SS&C Technology, to recover their investor’s money.

Tillage hired SS&C because, as a small firm, they didn’t think they had the needed controls to avoid things like this.  Instead, by trying to do the right thing, they got put out of business by a lack of employee training and policy execution.

Reading the details, SS&C appears to have completely screwed up and if they are smart, they will settle quickly to make this go away – before other customers become rattled that they will do this to them and not stand behind their mistake.  As it is, they probably have already sustained some damage.

ITEM 3: The FBI has a kinder, gentler term for hacking into your computer and it is called a Network Investigative Technique or NIT.  Different courts have held differently as to whether the FBI hacks are searches and I suspect this will go on for a while until the Supremes figure it out.

In the case in question, the FBI Hacked – oh, wait, NITted – thousands of computers to figure out who was accessing a web site that contained illegal images.

A court in Texas says that yes, causing a web server to install unauthorized software on someone’s – or many someones’ – computers is a search and does require a warrant.

One judge went so far as to say that users who used the TOR network – who’s only purpose is to create a small degree of privacy for the user – had no expectation of privacy and hence the FBI didn’t need a warrant.

The Supremes recently granted the FBI’s request to allow a single judge of the FBI’s choosing, anywhere in the country, to issue a warrant to allow the FBI to hack into an unlimited number of computers anywhere in the world.  Assuming Congress doesn’t pass a law in the next 60 days rolling back the Supremes’ action, which it likely will not do, this will become the law on December 1.  If the new rule 41(b) does go into effect then the FBI will likely get into the hacking business in an even bigger way than it is already.


Information for the Appalachian news came from Information Management.

Information for the Tillage news item came from CSO.

Information for the FBI news item came from Techdirt.

Facebooktwitterredditlinkedinmailby feather

Follow On To Last Week’s Posts On Patching And CERT Alert

As a follow on to last week’s posts on why patching is critical and the CERT alert on The Shadow Broker’s release of a whole raft of firewall hacks, this week Cisco is announcing that their software is vulnerable to attack, there is no workaround and they are working on patches.  BUT, there is a silver lining.

First, the problem.  There is a bug in their implementation of the IKE key exchange protocol that is used by their VPN access routines.

Now the good news.

  • The bug affects IOS XR versions 4.3.x to 5.2.x, but releases 5.3 x and newer are not affected
  • The bug also affects PIX firewalls version 6.x and prior, but versions 7.0 and later are not affected.

IOS XR 5.3 was released last January.

Cisco PIX has reached end of life status and is not supported anymore.

So first, we are already seeing fallout from the Shadow Broker release and Cisco, at least, is starting to issue patches.

Second, if you are being good about patches and not running obsolete software,  at least in this case, you would not be vulnerable to this particular exploit.

This just reinforces my comment from last week to be religious about patching.  It is critical.

Information for this post came from Network World.

For a complete list of all software affected, read the Cisco announcement here.


Facebooktwitterredditlinkedinmailby feather

Web Sites Store Passwords Unencrypted

ClixSense, a company that pays users to look at ads and fill in surveys was hacked last week.  The hackers dumped 2 million “samples” on Pastebin to advertise the sale and security researchers say that the data appears to be real.

In total, there are over 6 million records “available”.  Information that is in the dump that is available for sale includes usernames and email addresses and UNENCRYPTED passwords.  Also in the dump is your address, date of birth, social security number, security questions and answers, tens of thousands of emails that had been sent back and forth to the site and all of the source code for the site.

To say that they had been totally hacked seems like an understatement.

And, unlike some of the other data that recently has come up for sale (like the LinkedIn breach from 2012 that just appeared), this data was current as of last month.  Although, most people’s date of birth and social don’t change that often, so even old data is valuable.

A couple of things here.

Apparently, the hacker was not trying to keep the fact that he had hacker ClilxSense a secret after he stole all that information because he redirected their Web Site to a gay porn site.  That probably wasn’t Jim Grago’s (the owner) best day when he received a phone call at 5 AM to let him know that clients going to his web site were being redirected to a gay porn site.

So why is this breach important?

  • Well first, do you have a written and tested plan to deal with the scenario where a hacker breaks into your DNS server and repoints your web site to a porn site after locking you out, effectively stopping you from undoing it and even stopping you from taking the site down?  It took ClixSense all day to do shut it down and more days to recover from the event.
  • Second, do you have a crisis communications plan to tell your customers what is happening – understanding that you no longer have access to your web site or your email server?

My guess is for most companies, the answer to both of these questions is no.

My next question goes out to their customers.  Why would you share your Social with a site that will pay you a few bucks a year to watch ads?  JUST. DON’T. DO. IT!  If they don’t have it, they can’t leak it.

Finally, my last question goes to the [expletive] who decided that storing millions of passwords unencrypted was a good idea.  HE should be fired and that seems like just cause for a lawsuit.

The problem that you and I have as consumers is that we don’t know which sites that we share information with have good cyber security practices.  We think that Google or Facebook probably have good practices (at least I think they probably do), but how do we know.  We think the data that we share is safe, but again, we don’t really know.  The best answer is to not share sensitive data unless we have a good reason to and we also have a good reason to believe they are storing that information securely.

But just so that Jim Grago can cry in his beer with some company, his is not the company to fail the safe password storage test.

After spending less than 5 minutes on Google, I found:

In October 2015, a researcher found 13 million unencrypted passwords from free hosting provider 000Webhost on the dark web.  The hosting service confirmed they were breached.

ISP Frontier Communications uses a system called Shawn to secure your passwords.  If you forget your password, you call them and Shawn will look it up and tell you what it is. Obviously, it is stored in a manner where Shawn (and probably a bunch of other employees and, of course, a hacker) can see it unencrypted.

In November 2013, the dating site Cupid Media admitted that 42 million unencrypted passwords were real, theirs and likely stolen almost a year earlier.

One more thing, I keep harping on using different passwords for different sites.  In the case of ClixSense, we do not know how long the hacker had access to those passwords before he got that evil grin on his face and pointed their web site to a gay porn site.  Maybe it was a day.  Maybe a year.  If you assume that the hacker had access to your name, email and unencrypted password for even a month and you reused that password on other important sites, how much damage could that hacker do to you.  The problem is that no site is really safe from a hack, so don’t reuse passwords if you can avoid it.  At least that way, you can contain the damage somewhat.

For web site owners, first salt and then encrypt your passwords.  P-L-E-A-S-E!!!


For information on the ClixSense hack see the article on Ars Technica, here.

For information on the 000WebHost hack, see this article on Ars Technica, here.

For information on the Frontier Communications password reset fiasco, see this Ars Technica article, here.

Facebooktwitterredditlinkedinmailby feather

Patching Is Critical

This week, Microsoft released it’s September patch dump.  14 security bulletins.  50 vulnerabilities in Windows.  26 more vulnerabilities in Flash player that was bundled with the Edge browser.  The patches affect Internet Explorer, Microsoft Edge, Microsoft Office, OLE Automation, VB Scripting and Flash, among others.

Other Microsoft products patched include Silverlight and Exchange server.

The Exchange server updates patch a hole in Oracle technology called Oracle Outside in Technology.  Cisco found these bugs a few months ago and Oracle released patches for them in July, but Microsoft just released it’s incarnation of the fixes this week.  The Oracle OIT bugs, apparently, affect a lot of vendors who have integrated that product into their solutions.

This is just one set of patches released this week.

Another big patch dump this week came from Adobe.  Adobe patched more than 30 flaws in it’s products including 26 in Flash that Affect Windows, Mac and Linux.  23 of those bugs would allow an attacker to execute arbitrary code on a user’s computer, remotely.

At least some of the bugs will require developers to recompile their programs with the new Adobe code, so there will be trickle down effects over the next several months, like we are seeing this month with Microsoft.  They integrated patches Oracle released in July and are just now releasing them.

As business users become more adept at using shadow IT – those services that the IT department doesn’t even know about – the patching problem becomes even more complex.

Just think about the number of software products in use at a particular business.  There are likely hundreds.

For some vendors, they don’t proactively “push” those patches – you have to go looking for them.

For servers, since many times patches require a reboot, you don’t want those patches automatically installing because it may cause an outage and, in some cases, could cause data loss.

No platform is immune.  Apple just released iOS 9.3.5 for phones and tablets that patch a very serious vulnerability called Pegasus that has been being exploited since the iPhone 4 days, years ago.

And don’t forget cloud solutions.  Sometimes they have a piece that gets installed on user devices – think of Dropbox, for example.  Although it is mostly a cloud application, it has pieces that have to be installed on any computer that wants to use the full functionality of Dropbox.

At the moment that these patches are released, hackers start taking them apart to figure out how to exploit them – how to use these vulnerabilities against people who don’t patch them.

So the warning is – if you don’t have an active patch program, you are a prime target for hackers.  And, you can’t get away with just patching the operating system – Windows, Mac or Linux.  You have  to identify all of your apps on all platforms (including mobile!) and install those patches.

Unfortunately, there is no standard way for vendors to announce their patches, but you need to manage that process.  Identify each product and how that vendor announces patches for that product.  Remember, since vendors acquire other companies, a vendor might announce patches for one product one way and a different product which is part of a different acquisition a totally different way.

Some patches may require a reboot, interrupting the user or the server, while other products may not require a reboot.

Overall, it is just a bit of a mess, but hackers don’t particularly care that it is a problem for you.  In fact, the bigger the problem for you, the better the news for the hacker.

So if you do not have a formal patch program for your business, now is a good time to create one.

Also, ALL users have to participate.  If some users think patching is too big of a hassle, they are the vector for attackers to get into your network.

And as we have seen in the past couple of weeks, sometimes those hackers can wander around a network for years before being caught.  In that amount of time there is no limit as to the amount of data they can steal, back doors they can create and time bombs they can leave behind.

In fact, just this week there have been reports of an unnamed nation state attacking our critical infrastructure for just that purpose – to leave time bombs inside, just in case they need them in the future.


Information on the Microsoft patches came from Network World.

Information on the Adobe patches also came from Network World.

Facebooktwitterredditlinkedinmailby feather