Tag Archives: Phishing

Security News for the Week Ending December 4, 2020

France Says it is Going Ahead with Digital Tax

France has been complaining that (mostly U.S.) companies have not been paying their fair share of French taxes, since they are not selling physical widgets that are delivered in France, so it came up with this digital tax: a 3% tax on digital services delivered in France. France held off for a while trying to get some sort of international tax agreement, but that does not appear to be happening, so it is moving forward with the tax. It only affects companies doing business in France with revenue of more than 25 million Euros. Is this the wave of the future? Credit: Cybernews

FCC Chairman Pai to Step Down on Jan 20

Ajit Pai announced that he will step down from the FCC on inauguration day rather than having the new President fire him, which is almost guaranteed. Pai, a former telecom industry lawyer and lobbyist, said that he may try to create some rules in his remaining two months in support of the President’s efforts to hurt Facebook, Twitter and similar companies. Those rules would likely be reversed on the day after inauguration, so it is not clear why he would waste taxpayer money doing that, but that is Washington for you. Credit: CNBC

How Many Phishing Sites?

Since the beginning of this year, Google has flagged 46,000 web sites EACH WEEK as phishing sites. That is over 2 million so far this year. This is a 20% increase over last year, and the year is not over. Hackers can buy as many sites as they want, but, in part, they are looking for “look alike” sites – sites with a zero swapped for an Oh or an “L” swapped for a “1”. But they also just take over sites with bad security. There is almost no way to track that, but I can say from personal analysis that there are way more of the second kind than the first kind. Credit: KnowBe4
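The first kind of site described above, the registered look-alike, is the one a defender can screen for mechanically. The following is an added example, not code from the original post or from KnowBe4: it collapses the common character swaps (zero for "o", one for "l", "rn" for "m") and then measures edit distance against a short brand list, so that a domain seen in a mail log or a certificate-transparency feed can be triaged as known-good, homoglyph, typosquat, brand-in-label or unrelated. The brand list, the known-good domains and the confusable table are constructed assumptions; a production check would use the Unicode confusables data, decode punycode for internationalized names and consult the public suffix list.

```python
"""Added example (not part of the original post): triage look-alike domains.

Only addresses registered look-alikes, not legitimate sites that were
taken over. BRANDS, KNOWN_GOOD and the confusable tables are constructed
sample data for illustration.
"""

# Constructed: multi-character sequences that visually imitate one letter.
# Applied before the single-character table so "rn" becomes "m" first.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}

# Constructed: single characters commonly swapped for the letter they imitate.
SINGLE_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
})

# Constructed allowlist: brands we protect and domains we know are really theirs.
BRANDS = ["wellsfargo", "paypal", "microsoft", "google"]
KNOWN_GOOD = {"wellsfargo.com", "paypal.com", "microsoft.com", "google.com"}


def normalize(label):
    """Collapse look-alike characters so visually similar labels compare equal.
    Both the candidate and the brand go through this, so the mapping only has
    to be consistent, not exact."""
    label = label.lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        label = label.replace(seq, rep)
    return label.translate(SINGLE_CONFUSABLES)


def levenshtein(a, b):
    """Edit distance; catches one-letter typosquats (dropped, added or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Return (second-level label, registrable domain), e.g. ('paypa1', 'paypa1.com')
    for 'login.paypa1.com'. Simplification: no public-suffix handling, so
    'example.co.uk' would yield ('co', 'co.uk')."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], parts[0]
    return parts[-2], ".".join(parts[-2:])


def classify(domain, brands=BRANDS, known_good=KNOWN_GOOD, max_distance=1):
    """Return (verdict, closest brand) for a candidate domain.

    known-good      registrable domain is on the allowlist
    homoglyph       label equals a brand once confusables are collapsed
    typosquat       within max_distance edits of a brand after collapsing
    brand-in-label  a brand is embedded in a longer label (wellsfargo-login)
    unrelated       nothing close
    """
    label, reg_domain = registrable(domain)
    if reg_domain in known_good:
        return ("known-good", label)
    norm = normalize(label)
    scores = {brand: levenshtein(norm, normalize(brand)) for brand in brands}
    closest = min(scores, key=scores.get)
    if scores[closest] == 0:
        return ("homoglyph", closest)
    if scores[closest] <= max_distance:
        return ("typosquat", closest)
    for brand in brands:
        if normalize(brand) in norm:
            return ("brand-in-label", brand)
    return ("unrelated", closest)


if __name__ == "__main__":
    # Constructed candidates, as they might appear in a mail gateway log.
    for d in ["login.wellsfargo.com", "we11sfargo.com", "rnicrosoft.com",
              "wellsfago.com", "wellsfargo-login.com", "example.org"]:
        print(f"{d:25} {classify(d)}")
```

Anything other than known-good is a candidate for blocking or for a closer look; the typosquat and brand-in-label verdicts will produce some false positives, which is why the output is a triage label rather than a block decision.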

Docker Malware – It’s a Thing

Docker containers are the darling of the development world – lightweight and easy to deploy; self-contained and OS agnostic, supported in the cloud – everything that developers want.

Three years after the first Docker malware showed up, it is now common. Malware gangs are now targeting Docker and Kubernetes.

Many of the attacks – surprise – are due to misconfigured Docker servers, leaving them exposed to attack. It appears that we in IT never learn. Just because tech is delivered slightly differently, the basics still apply.

To make a point, researchers looked at images publicly available in the Docker Hub. 51% had critical vulnerabilities and 6,500 of the images tested could be considered malicious.

You can wait until you are compromised or you can get ahead of the freight train. Credit: ZDNet and Dark Reading

Even Before Dust Settles on Swiss/CIA Deal to Subvert Encryption … Another One

Even before all of the investigations are complete of the CIA’s compromise of Crypto AG and selling compromised encryption hardware to both our friends and enemies so we could spy on them, another story surfaces. Apparently Crypto AG was not the only one. Now the Swiss media is reporting that the CIA controlled another Swiss crypto company, Omnisec. The Swiss politicians are going crazy and calling for executions in the public square. Stay tuned, but assume your crypto has been compromised. By someone. Credit: Security Week

Very Creative Phishing Attack

It all starts with a calendar invite, but there is a setup. The con is that your bank account has been compromised and you need to fix it.

The attack starts with an email titled something like “Fraud Detection from Message Center”. This part of the attack is sent from a real but compromised Office 365 account, so it passes legitimate email security checks like DKIM and SPF: those verify the sending domain, not the sender’s intent.

The invite is hosted on the real Office 365 Sharepoint.com and contains a link. Clicking on the link causes another relatively simple document to open with another link.

Since hackers are equal opportunity crooks, when the user clicks on this link, they get transferred to a phishing site hosted at Google where the user is presented with a very convincing Wells Fargo site page.

The user is then prompted for the login information, PIN, various account number details and email credentials.

Assuming the user falls for all of this, they are taken to a legitimate Wells Fargo login page designed to make the user think the account was secured, when in fact, the user just gave the hacker the keys to the cookie jar. And likely all of his or her money.

According to the security vendor (Cofense), this is not the first time that hackers have used Google’s infrastructure to host malware. Credit: SC Magazine

So what should you be doing?

Education. Education. Education.

Anti-phishing training should be a requirement at all companies and for all employees. At the low end there is free training, but for most companies, there is a moderate cost solution that is highly effective.

Some companies send the same phishing email to everyone, maybe once a quarter. That is not an effective approach to train employees. The program needs to be much more active in order to be effective.

As you can see from the sophistication of the attack above, the hackers are working overtime to steal your money.

You need to work equally hard to protect it.

If you need help with your anti-phishing training, please contact us.

Security News for the Week Ending May 8, 2020

The Contact Tracing Horror Begins

The UK is now saying that all of the contact data that it is collecting from the app people install on their smart phones may be kept by the government forever, and no, you can’t ask them to delete it. Credit: The Register

Singapore will require smartphone check-ins, including people’s national identity number, at all businesses. People have to both check in and check out. But, not to worry, it will only be used by “authorised” people. Not only will you have to do that when you enter a business, but also when you go to the mall or the park. Credit: The Register

And India made its contact tracing app mandatory in ‘hot-spots’, which could be a problem given that half the population does not own a smart phone. Credit: The Register

Governments have found a great new source of data to mine and sell.

Hackers Have Figured Out How to Make a Plane Go Up or Down at up to 3,000 feet a minute

TCAS, the collision avoidance system that the aircraft industry and governments have adopted to ‘discourage’ planes from crashing into one another by telling two planes that are close to one another to move in opposite directions from each other, is, apparently, susceptible to hacking.

The hack works by presenting phantom data telling a plane that it is about to collide and needs to dive or climb. Some TCAS systems can even take over the controls. As I recall, TCAS has no security protocol as part of the system and just trusts the data it receives.

While technically pilots can disable the system to mitigate the risk, we saw how well that concept worked with the now-grounded 737 Max. Pilots tend to trust their instruments way more than they should. Credit: The Register

Hacking Campaign Targets 900,000 WordPress Sites

Hackers are targeting WordPress sites that are not current on their patches. Wordfence Security saw 20 million attack attempts on over a half million servers on May 3rd alone. The attack redirects visitors to malvertising, and administrators get to deploy a free backdoor for the hackers. If you are not running Wordfence on your WordPress site, do that now. If you are not current on your patches, well, it might be too late. Credit: Bleeping Computer.

Covid-19 Themed Phishing Subjects

As Coronavirus becomes the topic of the day, hackers are using themes like these:

  • Because of COVID-19, payroll is making adjustments and we need to update account information (see hyperlink)
  • Your office location is closed, please remote in today (see hyperlink)
  • All employees are asked to sign in (see hyperlink) and update their wellness status
  • Relief donations are being solicited (see hyperlink)

Now would be a good time to up your anti-phishing training, but be understanding that this is likely a stressful time for employees. Credit: NCMS mailing list

Ransomware. Ransomware. Ransomware

New York based law firm Grubman Shire Meiselas & Sacks, which represents dozens of A-List artists such as Madonna, Lady Gaga, Elton John, Robert De Niro and many others, was hacked by the Sodinokibi ransomware group.

The hackers claim to have stolen over 750 GB of data and have published snippets of a number of documents. This hacking group is very financially successful. Given who the clients are, money is no object, and it is also a good guess that they could sue this law firm out of existence.

I suspect a ransom payment will be made. Not in Bitcoin – too traceable. These guys only accept Monero.

For companies that store any kind of sensitive information, this is a heads up. We are hearing about this happening (stealing your information and demanding a ransom not to publish it) every single day. Good backups will not protect you from this type of attack. Credit: Bleeping Computer

Massive Docusign Phishing Attack After Breach

Docusign is one of the major eSigning providers in the country. eSigning allows customers to electronically sign documents instead of having to go somewhere to place a pen on paper and sign those documents with ink. As a result of this convenience, eSigning is extremely popular. It is used in every industry vertical where document signing is a part of the process.

Docusign noticed an uptick in phishing emails targeting its customers this month. The emails targeted existing customers of Docusign. Docusign says that they have 100 million users in their system.

Initially they thought that this was just another of many generic phishing attacks, but they soon realized that the hacker had too much very realistic information. Docusign had been hacked.

The company discovered that what they call a non-core system had been compromised and their customer list taken. At this time the company says that no financial information or signed documents were taken, but what was taken – names and emails – allows attackers to launch a very targeted attack against Docusign customers.

The way the attack works is that the customer receives an email that looks strikingly like a real Docusign request EXCEPT that it is asking the user to download and open a Word document – something that Docusign does not do. Of course, most Docusign customers do not know this. If they do open the document and follow the rest of the instructions from the attacker, the user’s system is now compromised. The attacker can do whatever he or she wants to do.

While this campaign uses a Word document, the next campaign could use something else – maybe a malicious URL.

For companies that use any eSigning technology, it appears that now would be a good time to educate your users about what a legitimate eSign request looks like and what an eSign phishing attack looks like.

For the mortgage industry, which is a big user of eSign technology, this is just another attack vector. Just like the industry has set up processes to warn its clients about fake wire transfer requests, it looks like the industry now has to warn its clients about fraudulent eSign requests. Today it is Docusign; tomorrow it could be any Docusign competitor. In fact, any mortgage purchase or refinance client could be a target – eSign or not. After all, clients are deluged with requests during the mortgage process and it is very hard for clients to know what is real and what is fake.

Another day, another opportunity.

Information for this post came from KnowBe4 and KrebsOnSecurity.

Phishing Still Works

CSO Magazine has a great piece on social engineering/phishing scams. The article quotes both vendors that we resell – Wombat and KnowBe4.

Bottom line – the Verizon 2016 data breach report says that 30 percent of the phishing emails were opened, compared to 23 percent last year. 12 percent clicked on the link.

If 12 percent of the folks in your company clicked on a malicious link, YOU. ARE. TOAST!

Stu Sjouwerman, CEO and Founder of KnowBe4, an anti-phishing and security education provider, says that “a handful of competing cyber mafias are casting their nets wider and wider.” What this means is that the bad guys have launched an all out assault and situations like the ones that I wrote about the last two days – one company closed its doors, the other lost north of $40 million – are likely the tip of the iceberg.

One cyber mafia alone netted close to $100 million during the first half of 2016. That’s a pretty good incentive to hack since it is all tax free.

McAfee recorded 1.3 million new ransomware samples in the first half of this year.

The most commonly successful phishes?

  1. It looked official. Wombat, a competitor to KnowBe4, says that users are better at detecting personal phishing attacks but do poorly with work related ones. I guess that is how the hack of Leoni worked. Send an email from the CFO to accounting, asking them to wire $40 mil to the Czech Republic and DONE!
  2. You missed a voicemail. Attachments that are designed to look like voicemail messages get people to click. And get their computers infected. You click on it and they own your computer.
  3. Free stuff. People cannot resist free stuff. Even stuff that they don’t want and won’t use. If it is free, they want it. Of course the hackers attach an extra prize to the free stuff. Once that piece of malware is installed after you click, things won’t seem so free any more.
  4. Fake social media invitations. LinkedIn, Facebook. Whatever. If YOU don’t have a FB or LI account then a scammer can create one using your name. Then invite your friends. Or maybe the fake account belongs to the CEO. Who wouldn’t accept his invitation? Now they can steal your information or get you to click on a malicious link.
  5. Social media at work. If your company allows you to use Twitter, etc. Wombat says that employees missed an average of 31 percent of the social media questions on their tests. Since most organizations allow employees to use social media at work but a third of the time users cannot detect malicious activities, what does that say about keeping the bad guys out?

Part of it is that the bad guys are getting better. Much better. I look at some of the malware and it is very impressive.

What is an organization to do?

If you are not actively phishing your employees on a regular basis (at least once a month, if not more) with very realistic phishing emails, you are missing a training opportunity. And the cost is very reasonable. Contact us for details.

Information for this post came from CSO Magazine.

FBI Says Over $2 Billion Lost To CEO Email Fraud

Wow. That is an impressive number. As I have talked about before, what the insurance industry calls business email compromise or BEC and what the FBI is calling CEO email fraud is a very lucrative business at $2.3 billion since January 2015.

The way it works is that the attacker does a little research on the “mark” – and this is a classic con job, hence the term mark is appropriate – and then sends the mark an email. The mark could be the head of finance, someone in the wire room, something like that, and the email pretends to be from the CEO or CFO and needs a wire sent. With a little social engineering they get their money from the mark.

And, unlike a check or credit card, it is very difficult to get that money back. Usually, it is transferred out of the target account almost instantly.

Insurance companies, as I have written about, are also starting to push back, saying that this is not a cyber breach. The employee willingly wired the money. They will cover it, but it is a different policy.

There are many variations on exactly how this works, but the result is the same – someone voluntarily wires money to the bad guy.

There are also well known ways to curb this. In almost all cases, they add some overhead to the process. If your employee is asked to wire money to someone that they do not wire to normally, ask a question. Shouldn’t there be a PO? Or a contract? Walk down the hall and ask the CEO. Require two people to approve the wire. Stuff like that.
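The controls listed above can be written down as rules a payment system enforces before a wire is released, so that the question gets asked even when the person under pressure forgets to. The following is an added example, not code from the original post, KrebsOnSecurity or Phish Me: a payee the company has never paid needs a PO or contract reference and an out-of-band confirmation with the executive who supposedly asked for it, every wire needs an approver who is not the requester, and new payees or large amounts need two distinct approvers. The payee history, the names and the dual-approval threshold are constructed assumptions.

```python
"""Added example (not part of the original post): release checks for a wire
request, implementing the controls the post lists. Payee history, names and
the threshold are constructed sample data."""

from dataclasses import dataclass, field

# Constructed history: beneficiary accounts this company has paid before.
KNOWN_PAYEES = {"ACME-SUPPLIES-001", "OFFICE-LANDLORD-002"}

# Assumption: wires at or above this amount need two approvers even for known payees.
DUAL_APPROVAL_THRESHOLD = 10_000.00


@dataclass
class WireRequest:
    requester: str                      # who entered the request, e.g. an AP clerk
    payee: str                          # beneficiary account identifier
    amount: float
    reference: str = ""                 # PO or contract number backing the payment
    confirmed_out_of_band: bool = False  # requester called the executive on a known number
    approvers: list = field(default_factory=list)


def evaluate(req, known_payees=KNOWN_PAYEES, threshold=DUAL_APPROVAL_THRESHOLD):
    """Return the list of reasons the wire must be held. An empty list means release."""
    holds = []
    new_payee = req.payee not in known_payees

    # "Shouldn't there be a PO? Or a contract?"
    if new_payee and not req.reference:
        holds.append("new payee: no PO or contract reference")

    # "Walk down the hall and ask the CEO." An emailed instruction is not confirmation.
    if new_payee and not req.confirmed_out_of_band:
        holds.append("new payee: not confirmed out of band with the requesting executive")

    # Separation of duties: the person who entered the wire cannot approve it,
    # and listing the same approver twice does not count as two approvals.
    if req.requester in req.approvers:
        holds.append("requester cannot approve their own wire")
    distinct = set(req.approvers) - {req.requester}

    # "Require two people to approve the wire." for anything unusual or large.
    needed = 2 if (new_payee or req.amount >= threshold) else 1
    if len(distinct) < needed:
        holds.append(f"needs {needed} approver(s) other than the requester, has {len(distinct)}")

    return holds


def release(req):
    """Convenience wrapper: True only when no hold applies."""
    return not evaluate(req)


if __name__ == "__main__":
    # Constructed: the shape of a CEO-fraud request, entered under time pressure.
    urgent = WireRequest(requester="ap.clerk", payee="UNKNOWN-ACCT-CZ-009",
                         amount=40_000.00, approvers=["ap.clerk"])
    for reason in evaluate(urgent):
        print("HOLD:", reason)
```

The point of returning every hold rather than the first one is that the reviewer sees the whole picture: a request that is simultaneously to a new payee, unreferenced, unconfirmed and self-approved looks exactly like the incidents described above, and the wire room should be able to see that at a glance.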

Brian reports on a couple of well known phishes – Mattel toys, $3 million, Ubiquiti, $46 million and Scoular, $17 million, among many others. None of these companies will go out of business but it is both embarrassing and expensive.

The best one, though, is when the company Phish Me, which makes anti-phishing management software, was itself the target of a phishing attempt. They, as you might expect, did not fall for the con, but did decide to play with the attacker. That is all documented in the Phish Me article below, so I am not going to repeat it. The article is a wonderful tool to use in training, however.

At this point, organizations need to fortify the payments process. As the bank robber Willie Sutton is reported to have said – that is where the money is.

To do that is pretty simple – one part training, one part process and one part sheer will. There should be a well documented process on how to get money out of your company and, based on the particular business model, you should figure out where the soft underbelly is and armor it up.

For those of you who are interested in the details of how these attackers pull these attacks off, I recommend reading the Phish Me article.

For everyone else, this would be a good time to look at your accounting process.

Information for this post came from Krebs On Security and Phish Me.