So you think you’re careful? It can happen to you.

Scam artist hacker using laptop. Hacking the Internet - high resolution.

Someone on Reddit described how he was the victim of a very sophisticated social engineering attack. Wow, this is crafty. This is the story:

“I have different passwords for every website I log into, 2-factor authentication when possible; I thought I knew all the scams and could spot them a mile away. This one still got me.

I was meeting a friend at a bar. Two drinks in I got a call from someone identified by my phone as Wells Fargo. I’m fully aware this could be spoofed, but it did not raise alarm bells yet. I was at a bar I did not frequent and have gotten calls from my bank before on suspicious charges that were legit, so I answered expecting this to be the case.

The person I spoke with said they were with Wells Fargo and they’ve identified fraudulent charges on my account but they need to verify my identity before they can discuss details. They said they sent me a text message (via the cell number they just called, which is my first clue this is phishing). They asked me to read back to them the 6-digit number just texted me to verify my ID.

Being two drinks in, slightly expecting what this was about, I had zero alarm bells going off. My bad, this was stupid of me. I read the number to them. They suggested it timed out and I needed to read another number they texted to me. Minimal time had passed, a mild spidy sense was tingling, but I still was not concerned enough to ask questions and read them a second 6-digit code.

This person then read off 5 recent charges on my account, 4 of which I recognized as legit and a 5th that was a $1000 charge to a credit card I did not own. I immediately identified this as a fraudulent charge and they said: “no prob dude, we’ll freeze your card and send you a new one”. They even gave me the last 4 on the card it was coming from. I was appeased enough to continue (sadly).

Finally, they said they sent me one final 6-digit code to confirm that they were crediting my account back with the $1000 fraudulent charge. I just needed to read off the final code they texted to me. At this point, things seem weird to me but they got me at a good time. I was 2 drinks in, was interrupted from hanging with a close friend I hadn’t seen in months and was outside trying desperately to avoid the loud noise inside the bar but still dealing with traffic noise outside. I just wanted to be done with this. I read them the final code and they thanked me and hung up.

At this point, I see why my phone had been vibrating constantly through this call. I had 4 emails from Wells Fargo. 1) Your username has been reset, 2) your password has been reset, 3) Welcome to Zelle! an awesome $$$ forwarding service, 4) You’ve just forwarded $1000!!!!!

I called Wells Fargo via the number on the back of my card. After being on hold for 45 min trying to get the fraud department, I start to tell my story only to have the call drop (I’m pretty sure they hung up on me). I called back and was on hold for 1 hour 20 min (my account has been compromised >2 hours by this time) to get a second person. He told me this was a scam they’ve been dealing with for 3 months and I needed to go into a branch with 2 forms of ID to deal with it. There was nothing he could do tonight.

TL;DR: Dude spoofed Wells Fargo when calling me on my cell, requested a reset of my username, password, and approval for $1000 transfer. I stupidly read off the confirmation numbers I received via text to him, he entered them into Wells Fargo website to approve all these requests. Wells Fargo has known their customers have been getting scammed for 3 months and didn’t bother to warn anyone. I now have to go into a branch, hang my head and tell my shameful story to a person and beg for access to my account because someone else has control of it all night tonight.”

Good lesson to be learned: Never, ever give any kind of confidential data to someone WHO CALLS YOU. Always call back to the number on the back of your card.

[PHISHING ALERT] “Hey Did You See That Fake AI Porn Movie Of Yourself?”

Heads-up. I am sorry to have to bring up a very distasteful topic, but in the very near future your users will get emails with something close to the ultimate click-bait, luring them to see an AI-generated porn video starring… themselves.

Forget about fake news. Its been all over Reddit the last month, we are now in the age of fake porn.

Read More

EU to Declare Cyber-Attacks “Act of War” – USA Likely to Follow 

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

The document developed as a deterrent to provocations by nation states like Russia and North Korea, will declare that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”

This framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.

UK security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.

The problem is that definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.

It brings the EU in line with NATO policy in the past, establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense, which states that an attack on one member is an attack on all 29 allies.

McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.

“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.”

I’m expecting the USA to follow with a similar statement, to function as an additional deterrent against the recent spate of Russian and North Korean incursions.

The vast majority of Russia’s attacks start with social engineering and spear phishing attacks. However, current investigations show that they also have been running paid propaganda campaigns through Facebook.

Full blog post with links to sources:
https://blog.knowbe4.com/eu-to-declare-cyber-attacks-act-of-war.-usa-likely-to-follow

2018 Is Likely to Be a Worse Year for Ransomware Than 2017

Sophos released their 2018 malware forecast this week. Their predictions would make any IT Pro concerned, link to a PDF of their report below. Read on for your executive summary.

Ransomware Mutations Running Amok

You have seen a lot in this blog this year about the WannaCry and NotPetya ransomware strains. Both attacks exploited the EternalBlue Windows SMB vulnerability, and both did not have workable decryption mechanisms for the few organizations desperate enough to try to pay the ransom.

Both incidents make one thing clear: WannaCry and NotPetya appear to be the work of military cyber warfare divisions. Their authors aren’t script kiddies, but professional Dev teams using sophisticated techniques. Nation states are fighting a cold cyber war, and both commercial and non-profit organizations are the collateral damage worldwide.

RaaS Is for Newbie Cyber Crims

There is an area where amateur cyber “crims” do come in, and that’s Ransomware as a Service, aka RaaS. Newbies without l33t skills simply buy the code on the dark web including easy how-to videos.

Sophos says that RaaS is growing in popularity on the Dark Web, and this year’s Cerber ransomware is their example of a worrisome trend. Here’s some of what it says in the report that specifically pertains to RaaS:

“Ransomware is big business on the Dark Web. Its creators realized they could make more money not just by extorting currency from their victims, but by selling kits buyers could use to make and distribute their own. We’ve seen a number of different services and pricing models in the past year, and expect to see many more in 2018.

One of the biggest examples, as mentioned above, is Cerber. Other examples include Satan, malicious software that once opened in a Windows system, encrypts all the files and demands a ransom for the decryption tools, and Philadelphia. The latter was notable for its marketing technique, which included a slick YouTube video advertisement on the open web.”

New “Marketing” Techniques

Sophos reports on an additional ransomware trend they found in a malware strain called Spora. Instead of demanding one ransom to decrypt an entire encrypted drive or partition, some ransomware offers victims multiple options. The options seen in Spora are:

  • Decrypt two files for nothing
  • Decrypt a selection of files for 30.00 dollars
  • Have the ransomware itself removed for 20.00 dollars
  • Buy what they call immunity for 50.00 dollars
  • Get everything on the computer restored for 120.00 dollars

Ransomware Is Now Targeting Non-Win OSen

September 2013 was when CryptoLocker reared its ugly head as the first weapons-grade ransomware that exclusively targeted Windows, which remains Target No. 1.

But Sophos notices a trend of ransomware targeting non-Windows operating systems. I would not be surprised if in 2018 a worldwide MacOS or Linux distro ransomware pandemic broke out.

Ransomware is also growing rapidly on Android. Sophos reported that the prevalence of Android ransomware has grown almost every month in 2017; 30.4% of the Android malware researched in September 2017 by Sophos was ransomware, and they expect that 45% of all Android malware in October was ransomware.

One of the biggest Android ransomware stories broke this October: DoubleLocker. Looks like Android ransomware is going to be a bigger problem in 2018.

Healthcare Continues to Be a Target.

Many cyber criminals are specifically targeting the healthcare industry. Sophos states this trend started in 2016. Healthcare is the single most targeted industry because they are the victims who are most likely to pay ransoms. The Sophos report shows that critical infrastructure, education and small businesses also are often targeted for ransomware attacks, as they’re more likely to pay up as well.

Between April 1st and October 3rd, Sophos notes that the top four countries for ransomware victims are the United States (17.2%), Great Britain (11.1%), Belgium (8.6%), and Singapore (6.5%.) And of course neither Ukraine or Russia even show up in the Top 16, because that’s where these organized cyber crime gangs are, and they know that FSB (KGB) swat teams will knock down their doors if they target these countries.

ZDNet also has predictions about the nasty future of ransomware with four ways the nightmare is about to get even worse:
http://www.zdnet.com/article/the-nasty-future-of-ransomware-four-ways-the-nightmare-is-about-to-get-even-worse/

From the Cyberheist News blog.

New Evil Locky Ransomware Strain Evades Machine Learning Security Software

ransomwareHere is the latest tactic in the cat-and-mouse game between cybercrime and security software vendors. The bad guys have come up with new a ransomware phishing attack, tricking users to open what appears to be a document scanned from an internal Konica Minolta C224e.

This model is one of the most popular business scanner/printers in the world. The emails are written to make the user think that the communication is from a vendor.

Basically, Locky is back with a vengeance and a whole new bag of evil tricks.

The campaign launched Sept. 18 features a sophisticated new wrinkle, enabling it to slip past many of the machine learning algorithm-based software sold by some of the industry’s most popular vendors, said security firm Comodo.

“The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”

This is the third recent massive Locky attack

The third in an increasingly sophisticated series of ransomware attacks launched this summer is dubbed IKARUS by Comodo, some other security vendors are calling it Locky Diablo6.

As in previous attacks, the Eastern European Locky cyber mafia is using a botnet of zombie computers which makes it hard to simply block by IP.

“Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues.

The most innovative hook of this new feature involves the way these criminal hackers manage to evade spam filters.

Here is how it evades machine learning

“Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.”

“That’s why even machine learning is not sufficient in making these kind of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.”

In other words, it looks like that again the bad guys are ahead of your spam filters, whether that is a traditional or new machine-learning flavor.

Now, the Locky payload still ultimately uses an executable file written to disk, so your endpoint security may be able to block it. There are other types of attacks that take advantage of machine learning blind spots (fileless attacks, for example), but this isn’t one of them. What the bad guys behind Locky count on is cranking out so many new variants that antivirus (even some machine learning ones) won’t recognize and block it.

How vulnerable is your network against a ransomware attack?

Bad guys are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s “RanSim” gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 10 infection scenarios and show you if a workstation is vulnerable to infection.

This will take you 5 minutes and may give you some insights you never expected! Get your complimentary download of RanSim here:
https://info.knowbe4.com/ransomware-simulator-tool-1chn

Font Resize