Category Archives: Phishing

Phishing Still Works

CSO Magazine has a great piece on social engineering/phishing scams.  The article quotes both vendors that we resell – Wombat and KnowBe4.

Bottom line – the Verizon 2016 data breach report says that 30 percent of the phishing emails were opened compared to 23 percent last year.  12 percent clicked on the link.

If 12 percent of the folks in your company clicked on a malicious link, YOU. ARE. TOAST!

Stu Sjouwerman, CEO and Founder of KnowBe4, an anti-phishing and security education provider, says that “a handful of competing cyber mafias are casting their nets wider and wider.”  What this means is that the bad guys have launched an all-out assault, and situations like the ones that I wrote about the last two days – one company closed its doors, the other lost north of $40 million – are likely the tip of the iceberg.

One cyber mafia alone netted close to $100 million during the first half of 2016.  That’s a pretty good incentive to hack since it is all tax free.

McAfee recorded 1.3 million new ransomware samples in the first half of this year.

The most commonly successful phishes?

  1. It looked official. – Wombat, a competitor to KnowBe4, says that users are better at detecting personal phishing attacks but do poorly with work related ones.  I guess that is how the hack of Leoni worked.  Send an email from the CFO to accounting, asking them to wire $40 mil to the Czech Republic and DONE!
  2. You missed a voicemail.  Attachments that are designed to look like voicemail messages get people to click.  And get their computers infected.  You click on it and they own your computer.
  3. Free stuff. People cannot resist free stuff.  Even stuff that they don’t want and won’t use.  If it is free, they want it.  Of course the hackers attach an extra prize to the free stuff.  Once that piece of malware is installed after you click, things won’t seem so free any more.
  4. Fake social media invitations.  LinkedIn, Facebook.  Whatever.  If YOU don’t have a FB or LI account then a scammer can create one using your name.  Then invite your friends.  Or maybe the fake account belongs to the CEO.  Who wouldn’t accept his invitation?  Now they can steal your information or get you to click on a malicious link.
  5. Social Media at Work.  If your company allows you to use Twitter, etc.  Wombat says that employees missed an average of 31 percent of the social media questions on their tests.  Since most organizations allow employees to use social media at work but a third of the time users cannot detect malicious activities, what does that say about keeping the bad guys out?

Part of it is that the bad guys are getting better.  Much better.  I look at some of the malware and it is very impressive.

What is an organization to do?

If you are not actively phishing your employees on a regular basis (at least once a month, if not more) with very realistic phishing emails, you are missing a training opportunity.  And the cost is very reasonable.  Contact us for details.

Information for this post came from CSO Magazine.


Leoni AG Lost $44 Million to CEO Fraud

Leoni makes cables and wiring harnesses for cars, trucks, healthcare systems, appliances and many other products.   They operate worldwide, are publicly traded, have 75,000 employees and in 2015 had sales of over 4 billion euros.  You would think that a company like this would not fall for a business email compromise scam.  But they did.

CEO fraud, AKA Business Email Compromise (BEC), cost Leoni AG almost 40 million euros.  BEC is a huge problem, with the FBI saying that it has cost companies worldwide over $2 billion during the last several years.

The scammers had done their homework.  They targeted a subsidiary of the company in Romania.  It turns out Leoni has four factories in Romania, but only one of them is authorized to send wires.  They targeted that one.

They sent an email that looked like it came from the CFO in Germany.

People inside the company said that it was common to send money that way.  Even large amounts of money.  40 million euros later they hopefully are reconsidering that strategy.

I continue to be amazed that large companies – Leoni has revenues of over 4 billion euros – authorize wires via email.  And then they are surprised that they are taken to the cleaners for almost $45 million.

The company’s press release said hackers used falsified documents and identities and electronic communications channels to perpetrate the scam.  This means that they pretended to be the CFO and sent an email requesting the wire transfers.

The good news is that 40 million euros, while substantial, will not cause the company to go under.  Their profit before taxes in 2015 was around 150 million euros.

Unfortunately, for many companies that fall victim to a business email compromise attack, that isn’t the case.  In some cases, the attack has a very significant financial impact on the business.  I wrote about a company yesterday that went out of business as a result.

This incident makes me ask some questions.  Consider what the answers for your company are.

  1. Can someone send an email, pretending to be, say, the CEO or CFO, to someone in accounting asking to wire some money to some random bank account in a foreign country and no one says anything about it BEFORE sending the payment?
  2. Is there a policy that dictates how employees are supposed to handle requests for payments made via email?  For example, is there a validation process?  Does the request require approval?  Is there a dollar value threshold above which extra authorization is required (such as $40 million)?  What about if the sender says that this is a super-secret hush-hush deal?
  3. Does your company attempt to phish its employees as part of its training program?  If so, how often is that done?  HINT:  Doing it once a year as part of the review of corporate HR policies probably won’t have much of a positive effect.
  4. Does your insurance cover this loss?  Typically cyber insurance does not cover it, nor does general liability.  Since the employees voluntarily sent the money, it is not covered by forgery coverage.  Some insurers are creating a social engineering coverage to address this.  To be sure that you are covered, ask in writing and make sure that the amount of coverage is adequate.
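The questions above (a validation process, a dollar threshold, the “looked like it came from the CFO” sender, the hush-hush wording) can be turned into a gatekeeper check that runs before anyone acts on an emailed payment request.  The following is an added example, not Leoni’s process or any vendor’s product; the executive directory, domains, countries and the 10,000 euro call-back threshold are constructed policy values.

```python
import re
from dataclasses import dataclass
# Hypothetical directory, domains and policy values (constructed, not Leoni's).
EXEC_DIRECTORY = {"anna schmidt": "anna.schmidt@example-corp.test"}
INTERNAL_DOMAINS = {"example-corp.test"}
EXPECTED_COUNTRIES = {"DE", "RO"}        # where this unit normally pays suppliers
CALLBACK_THRESHOLD_EUR = 10_000          # above this, a phone call-back is mandatory
SECRECY_WORDS = ("confidential", "secret", "do not discuss", "urgent")

@dataclass
class WireRequest:
    from_header: str          # raw From: header, e.g. 'Anna Schmidt <x@y.test>'
    reply_to: str             # Reply-To: header, or "" if absent
    amount_eur: float
    beneficiary_country: str  # ISO code of the receiving bank's country
    body: str

def parse_from(header):
    """Split 'Display Name <addr>' into (name, address), both lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()

def assess(req):
    """Return the policy flags a payment gatekeeper should raise; [] means clean."""
    flags = []
    name, addr = parse_from(req.from_header)
    # The 'looked like it came from the CFO' case: right name, wrong mailbox.
    if name in EXEC_DIRECTORY and addr != EXEC_DIRECTORY[name]:
        flags.append("display name impersonates an executive")
    if addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
        flags.append("sender domain is external")
    if req.reply_to and req.reply_to.lower().rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
        flags.append("reply-to diverts replies outside the company")
    if req.beneficiary_country.upper() not in EXPECTED_COUNTRIES:
        flags.append("beneficiary bank in an unexpected country")
    if req.amount_eur >= CALLBACK_THRESHOLD_EUR:
        flags.append("amount requires a phone call-back to the requester")
    if any(w in req.body.lower() for w in SECRECY_WORDS):
        flags.append("secrecy or urgency language")
    return flags
# Constructed samples: a Leoni-style spoof and a routine internal request.
SPOOFED = WireRequest("Anna Schmidt <anna.schmidt@example-corp-finance.test>",
                      "a.schmidt@webmail.test", 40_000_000, "CZ",
                      "Confidential acquisition. Wire today, do not discuss.")
ROUTINE = WireRequest("Anna Schmidt <anna.schmidt@example-corp.test>", "",
                      2_500, "DE", "Supplier invoice 4471 attached.")
```

Any non-empty flag list should stop the wire until the request is confirmed by phone with the executive, using a number from the directory rather than one in the email.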

This is a significant business problem that can only be addressed by training people.  This is not a technology problem.  And since it is so profitable, it is not going away any time soon.


Information for this post came from Leoni’s press release on the issue.


Dell, Lenovo, AOL and Shodan Make Life Easy For Hackers and Foreign Intelligence Services

Here is an interesting group of vulnerabilities that make life easy for hackers and the Chinese (or Russians, or Ukrainians or pick your country).

  1. Dell has a couple of features in Dell Foundation Services.  One allows an unauthenticated user to get the Service Tag (Dell’s version of a serial number) over the net.  With that, you can go to Dell’s web site and get the complete hardware and software configuration of the computer – useful to hackers, intelligence agencies and scammers.  Another bug allows an attacker to remotely execute Windows WMI commands, which allow you to access the system configuration including running processes and the file system and remotely run programs.  Dell’s service runs on port 7779 and provides a SOAP interface – for ease of exploit.  Err, ease of use.
  2. Lenovo has a bug in Lenovo Solution Center.  It listens on port 55555 and allows an attacker to remotely execute any program – with SYSTEM privileges based on a whole series of flaws described in the article below.  This could also allow a local attacker to execute programs with more privileges than the user has.

Both of these, most likely, are done to make support easier for either the vendor or enterprise users – without regard to the security consequences.

In theory these ports should be closed from the Internet – but not always – read below.  Still, if an attacker gets onto your local network some other way, this is an easy way to increase the attacker’s footprint in your network.

  3. AOL Desktop, an absolutely antique piece of software from the early 1990s, is still being run by some users.  It was an early attempt to access the web in a graphical fashion when the only connectivity users had was slow dialup.  It uses a proprietary language called DFO which allows AOL’s servers to execute functions remotely on a user’s desktop.  Given this was written more than two decades ago, no one thought about requiring authentication and it did not use SSL to protect the data stream.  This means that all an attacker needs to do is find a system that is still running this antique and they can own it in a heartbeat.

Potentially, attacks from the outside should be mitigated by the user’s firewall, but apparently not always.
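Since the point is that these ports should be closed from the Internet and watched on the inside, here is an added detection example (not from the article or either vendor) that classifies firewall log lines hitting the two ports named above, 7779 for Dell Foundation Services and 55555 for Lenovo Solution Center.  The log lines, the management host allowlist and the iptables LOG format assumed here are constructed; the addresses come from documentation ranges.

```python
import ipaddress
import re

# Ports named in the post: Dell Foundation Services (SOAP) and Lenovo Solution Center.
WATCHED_PORTS = {7779: "Dell Foundation Services", 55555: "Lenovo Solution Center"}
# Hypothetical: the only internal host that legitimately talks to these services.
MGMT_HOSTS = {ipaddress.ip_address("10.0.5.10")}
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

def is_lan(addr):
    return any(addr in net for net in LAN_NETS)

def classify(line):
    """Return (severity, reason) for one iptables LOG line, or None if not of interest."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dpt"))
    if dport not in WATCHED_PORTS:
        return None
    src = ipaddress.ip_address(m.group("src"))
    svc = WATCHED_PORTS[dport]
    if not is_lan(src):
        # The post's 'ports should be closed from the Internet, but not always' case.
        return ("high", f"Internet host {src} reached {svc} on port {dport}; block at the edge")
    if src not in MGMT_HOSTS:
        # Someone already on the LAN using the service to extend their footprint.
        return ("medium", f"internal host {src} contacted {svc} on port {dport}; check for lateral movement")
    return ("info", f"expected management access to {svc} from {src}")

def scan(log_text):
    """Classify every line and keep only actionable (non-info) findings."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r and r[0] != "info"]

# Constructed sample in iptables LOG format; addresses come from documentation ranges.
SAMPLE_LOG = """\
Jan 1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=7779
Jan 1 10:00:02 fw kernel: IN=eth1 OUT= SRC=10.0.5.10 DST=10.0.7.31 PROTO=TCP SPT=49152 DPT=55555
Jan 1 10:00:03 fw kernel: IN=eth1 OUT= SRC=10.0.9.44 DST=10.0.7.31 PROTO=TCP SPT=49153 DPT=55555
Jan 1 10:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=443
"""
```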

John Matherly of Shodan, the search engine for Internet of Things devices, did a quick search to see if he could find systems that responded.  For the Dell feature, he found around 12,800 webservers that responded to that port.  Of those, about 2,300 are running software that looks like it is from Dell.  He ran a quick script and was able to collect about 1,000 Dell service tags.  He didn’t try this for the other exploits – that I know about.

Quickly.

Obviously, we did not know, until now, about these wonderful Dell, Lenovo and AOL features.  That doesn’t mean that hackers and foreign (or domestic) intelligence agencies didn’t know about them.

Why bother with really obscure and hard attacks to get into the computers that you want when you can just, basically, walk in the front door?

The big question is how many more of these features exist that we have not found.

And since manufacturers have no liability as a result (other than getting a little bad press that blows over quickly), they have no incentive to do things securely.  And also, since they don’t even tell you that they are doing it, you as a user cannot make an educated decision as to whether you want the manufacturer’s “help” in this manner.

Soooooo, HOW MANY MORE FEATURES ARE THERE?  Features that are here today or will be here tomorrow.  As vendors try to help users without considering the security implications. This is just from a quick round up of the news that I happened to hear about today.


Information on the Shodan search can be found here.

For information on the Dell feature, go to LizardHQ.

For information on the Lenovo feature, go to PC World.


Phishing? Pharming? Don’t these guys know how to spell?

Network World wrote about an interesting attack that is – at least in this case – very simple to fix.

First, what is pharming?  When you go to your browser and type in www.foo.com, you are trusting the browser to actually send you to foo.com.  What if it really sent you to badfoo.com?  Badfoo.com is designed to look very much like foo.com, except maybe it loads malware on your computer or maybe captures your userid and password to your banking site.

In this particular attack, the attacker sent out a bunch of emails that were a phishing attack.  If the user clicked on the link, it directed the user to a site that compromised their home Internet router.  From that point, the malware tries the default userid and password for the router and if the user has not changed the password, the malware is able to make changes to the configuration of the router.  Specifically, it changes the setting for what is called the DNS server.  The DNS server is that part of the internet that converts the web site that you put in your browser into the numbers that the Internet actually understands.

For example, if I type in WWW.WELLSFARGO.COM, what my browser needs to know is that the address for that web site is 159.45.170.42 .  The DNS server does this translation.

What the malware does, in this case, is change the DNS server from your Internet provider’s server to one controlled by the hacker.  Now, if the hacker wants to create his own web site for Wells Fargo, he can, and your browser will happily send you there.  This address translation affects your email and most every other form of internet traffic.

The hacker could achieve the same result by hacking your Internet provider’s DNS servers, but that is likely well protected, while your home router is not.  In addition, your Internet provider will eventually detect that their DNS server has been hacked while you likely will never detect that your home router has been attacked.
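Because the change happens on the router, the one place it shows up on a PC is the DNS server list the router hands out by DHCP.  The following added example (not from the Network World article) parses `ipconfig /all` output and flags any resolver that is neither the router itself nor one of the ISP’s known resolvers.  The router address, the ISP resolver list and the sample output are constructed for illustration, and only IPv4 entries are examined.

```python
import ipaddress
import re

# Hypothetical baseline for one home: the router's LAN address (it normally forwards
# DNS itself) and the ISP's published resolvers. Constructed, not any real ISP's.
ROUTER_LAN = ipaddress.ip_address("192.168.1.1")
ISP_RESOLVERS = {ipaddress.ip_address("198.51.100.53"), ipaddress.ip_address("198.51.100.54")}
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr):
    return any(addr in net for net in LAN_NETS)

def dns_servers_from_ipconfig(text):
    """Extract IPv4 'DNS Servers' entries from `ipconfig /all` output: the first
    address sits on the label line, further ones on indented continuation lines."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            servers.append(m.group(1)); collecting = True; continue
        cont = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line) if collecting else None
        if cont:
            servers.append(cont.group(1))
        else:
            collecting = False
    return [ipaddress.ip_address(s) for s in servers]

def check_resolvers(servers):
    """One finding per resolver that is neither the router nor an ISP resolver."""
    findings = []
    for s in servers:
        if s == ROUTER_LAN or s in ISP_RESOLVERS:
            continue
        if is_lan(s):
            findings.append(f"{s}: unexpected LAN resolver; which device is answering DNS?")
        else:
            findings.append(f"{s}: public resolver outside the ISP baseline; router DNS setting may have been changed")
    return findings

# Constructed `ipconfig /all` excerpt from a PC behind a router whose DNS was altered.
SAMPLE_IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

A finding on the first, unexpected address is exactly the symptom the post describes: the router still works, every site still loads, but name lookups are being answered by someone else.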

Being able to change your DNS server address is joyful for the hacker and really sad for you.

This particular attack is based on two things.  First, a bug in your home internet router that has not been patched and second, the fact that 99 percent of the planet does not change the default password that comes with the router.

All you need to do in order to thwart this – and a whole bunch of other – attacks is change the default password.  While this won’t make you younger, better looking or richer, this simple change will help keep the bad guys out.

Changing the password also applies to any other Internet connected device that you have in your home – TV, refrigerator, washer.  It is amazing what is connected to the Internet these days.  All of those smart devices are connected to the same network as your laptop or your nanny cam that is watching your baby.  Hack your refrigerator and they have a toehold to the rest of your network.  That is EXACTLY how the Target and Home Depot attacks started.  Seriously.  So, if you have not changed the password of all Internet connected devices since they came out of the box, I recommend you do so now.

Mitch



Another Nation State Sponsored Trojan?

ars technica reported yesterday on a very sophisticated trojan that has been around, they say, since 2008, went dark in 2011 and came back in 2013.

The trojan is comprised of 5 stages, all but the first of which are encrypted and are serially decrypted to avoid detection.

The interesting part about it is that it apparently is a framework with plugins to attack everything from your keyboard to your mouse to a radio base station.  The link above has more details and a graphic showing the architecture of this thing.  It seems to be very sophisticated.

Supposedly, there have only been around 100 known infections – but do we really know? – mostly inside ISPs.  Symantec suggests that this was done not to spy on the ISP, but rather on their customers.

Now that the cat is out of the bag, I am sure we will hear more in the coming days.  This could be another Stuxnet.

Mitch


Phishing Attacks – How would your firm score?

McAfee Labs reported that 80% of the participants in its online phishing test failed at least one of the seven parts of the test.

Combine this with a reported 250,000 new phishing URLs in the last quarter, 1,000,000 in the last year, and think about the likelihood that one of your employees will fall victim to an attack.

Also consider that it is not just your employees that you have to worry about.  Vendors and customers often have access to your systems and at a minimum might send you phishing-laced emails.  Are your employees likely to click on a phishing link from a customer?

The McAfee phishing quiz is available at this link.  If you take it, knowing that it is a test and don’t pass it, consider what your employees might do when it is not a test.

Mitch Tanenbaum
