CyberheistNews Vol 8 #32 How and Why White Hats Slowly Turn Into Black Hats




CyberheistNews Vol 8 #32
How and Why White Hats Slowly Turn Into Black Hats

A Malwarebytes-commissioned study on "the true cost of cybercrime" reports a disturbing trend: the rise of the gray hats, those security professionals who keep their legitimate day jobs but moonlight in cybercrime, or at least in questionable and dodgy activities.

The study concludes that one in twenty security professionals in the US are "perceived" as gray hats, and the fraction is much higher in some other parts of the world. Their motivations are said to range from disaffection, to anger at their employer, to the lulz, to simple greed.

How close this is to reality may be open to debate, but it's an unpleasant conclusion to contemplate.
Your BlackHat Big Picture Roundup

The 2018 BlackHat Vegas show wrapped. There was the usual hype, but also the realization that as a sector, we are not doing all that great. The main keynote by a high-level Google exec pointed everyone to basics that are ignored: find the real root causes, picking well-thought-out, achievable objectives, and increase collaboration with those outside the security industry. Tabriz, who leads both Chrome security and Project Zero at Google, offered what amounted to a plea for well-structured and disciplined engineering. We agree, especially in the IoT space.

If there was one theme that emerged from listening to the presentations in the trade show booths, was that the industry recognizes that *time* has now become your most precious resource.

The solutions they pitched offered to save your own and your users' time. That's not simply time to detection or time to response, but the time your team would need to commit to using the solution, defending your organization, or remediating an attack. The products demonstrated also promised that junior security analysts and other IT personnel would be able to function at higher levels.

AI was the new buzzword. The vendors offering artificial intelligence and machine learning were too many to count. However, I have personal experience in deploying AI in a production environment. It is no silver bullet and you need to have healthy skepticism when a company claims that AI is 100% able to protect your network.

Yes, AI has considerable potential in IT security, that is beyond question, but do not count on anywhere near perfect insight and “omniscient detection” of bad guys or malicious code.

PS: DefCon Hacker convention in Vegas is full of tin-foil hats. Literally. I saw them:
https://mashable.com/2018/08/11/tin-foil-hats-def-con-hackers/

PPS: I was just interviewed by Full Stack Talent about how it is to work in Tampa Bay Tech:
http://www.fullstacktalent.com/informative/tech-leaders-interview-stu-sjouwerman-knowbe4/
[Live Webinar] Exploring the Dirty Little Secrets of Social Engineering, Featuring Kevin Mitnick

In this rare live event, Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, along with Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, will share social engineering insights and experiences.

As the author of four best-selling books on the art of social engineering, Kevin is famous for his use of deception, intrusion, and invisibility as a tradecraft. The secrets he shares will help you defend against social engineering threats posed by the bad guys and keep them from manipulating your unsuspecting users.

Key topics covered will include:
  • How social engineering has changed over time
  • Some of the cleverest social engineering techniques
  • Common ways malicious actors find information to use in spear phishing campaigns
  • Psychology of a social engineering exploit and how an organization can protect its users
Join us on Friday, August 24, 2018 at 1:00 pm ET when Kevin will expose the dirty little secrets of social engineering.
https://event.on24.com/wcc/r/1809433/B066A209C42719A68725B53C579CD435?partnerref=CHN
IT Managers: Are You Keeping Up With Social-Engineering Attacks?

Larry Ponemon reported on results from their recent research. Great budget ammo:

Increasingly sophisticated threats require a mix of people, processes, and technology safeguards.

“Social engineering attacks are no longer the amateurish efforts of yesterday. Sure, your company may still get obvious phishing emails with blurry logos and rampant misspellings, or the blatantly fake "help desk" calls from unknown phone numbers, but more sophisticated attacks are becoming the norm.

Using both high-tech tools and low-tech strategies, today's social engineering attacks are more convincing, more targeted, and more effective than before. They're also highly prevalent. Almost seven in 10 companies say they've experienced phishing and social engineering.

For this reason, it's important to understand the changing nature of these threats and what you can do to help minimize them.

Know the Threat
Today's phishing emails often look like exact replicas of communications coming from the companies they're imitating. They can even contain personal details of targeted victims, making them even more convincing.

In one incident, bad actors defrauded a U.S. company of nearly $100 million by using an email address that resembled one of the company's vendors. And in the most recent presidential election, hackers used a phishing email that appeared to come from Google to access and release a top campaign manager's emails.

Bad actors can get sensitive data in many other ways. In one case, they manipulated call-center workers to get a customer's banking password.

Another way is to target data that's visually displayed on a laptop or mobile-device screen. For example, a bad actor could pose as a trusted vendor in an office or a business associate in a foreign country and subtly capture data with a smartphone or hidden recording device.

A Three-Tiered Defense
Given the prevalence and advanced nature of social-engineering threats, your privacy and security measures should cascade across three key areas: people, processes, and technology.” Excellent article with great ammo to get budget for awareness training:
https://www.darkreading.com/endpoint/it-managers-are-you-keeping-up-with-social-engineering-attacks/a/d-id/1332423
Insider Threats – Once Again it All Comes Down to the Human Element

Organizations continue to be at risk from insider threats and the lack of a strong identity management protocol. End users continue clicking on spam and have issues using multi-factor authentications (MFA). These policy and training shortfalls continue to contribute to weaker cyber defense across many organizations, according to a study by ObserveIT.

Spam remains a longstanding, popular, and effective means of attack. Spam click rates are up from 13.4% in the second half of 2017 to 14.2% in 2018. More people are clicking more, regardless of their organization’s policies.

ObserveIT’s “Multigenerational Workforce and Insider Threat Risk Study” found a disconnect between insider risk and cyber security awareness. The study found that, of the thousand respondents, 65% knew what insider threats were, and yet this form of compromise continues to rise.

Breaking their results down by generation, ObserveIT found that 90% of 45-to-54-year-olds followed their company’s cyber security policy. But fully 34% of 18-to-24year-olds were found to be unfamiliar with their employer’s cyber security policy.

Despite increased spending on cyber security, breaches continue to rise. The results point to the need to educate employees on the crucial part they play in keeping a company secure by curbing insider threats. In many respects it’s a challenge of acculturation.

New-school, interactive training can not only address gaps in employee awareness. It’s more effective than PowerPoint in the break room. And it can also help build your culture of security that will help deflect attacks. Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/news/spam-click-rates-high-2fa-use-low/
[Live Demo] Here is a way to get audits done in half the time and half the cost!

Join us today, August 14, 2018, at 1:00 PM (ET) for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an affordable and simple compliance management tool!

Save My Spot! https://register.gotowebinar.com/register/3421440884279739651?source=CHN
[Live Webinar] Latest Business Email Compromise Scams - Don't Be the Next Victim

The bad guys are getting very creative, impersonating an executive in your organization and asking for financial reports or asking employees in payroll to make changes to bank accounts.

According to the FBI, their efforts have earned them an estimated $12 billion through Business Email Compromise also known as CEO fraud scams. In addition, these attackers can be working on multiple potential victims at the same time.

Invoice fraud, escrow redirection, payroll fraud, and simple wire transfer fraud are all tools in the attacker's arsenal. Defending against these types of phishing attacks is possible by layering technical and non-technical controls.

Join us in this webinar, as we take an in-depth look at how the latest attacks work and the psychology and mechanics behind them. We will also discuss defensive measures you can take now to defend your organization against these attacks.

In the event you'll learn:
  • The truth about Business Email Compromise
  • How to defend against these attacks using technical and non-technical controls
  • Why building a human firewall is your best last line of defense
Save My Spot! Wednesday, August 15, 2018 2:00 pm ET
https://attendee.gotowebinar.com/register/6862405404472693506?source=CHN

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Success is to be measured not so much by the position that one has reached in life as by the obstacles which he has overcome." - Booker T. Washington

"Education is the key to unlock the golden door of freedom." - George Washington Carver



Thanks for reading CyberheistNews
Security News
Phishing Campaign Uses FTP Links to Deliver DanaBot Banking Trojan

A phishing campaign that delivers malware designed to steal banking data and other private information was discovered targeting a group of Australian businesses. Expect it to spread to other English-speaking countries shortly.

The attackers disguised their messages as invoices issued by MYOB, a local accounting software firm, according to a July 2018 Trustwave report. Users who clicked on the email links were directed to a file transfer protocol (FTP) server with a modular version of the DanaBot malware.

Once the three component pieces are activated, cybercriminals can send encrypted data, such as screenshots of victims’ machines, back to a command-and-control (C&C) server where it can be distributed covertly using channels like Tor.

Phishing Campaign Targets Businesses

This tactic suggests that the perpetrators designed the phishing campaign specifically to target business professionals. Tracking invoices is critical in almost any kind of company, which means victims are likely to pay greater attention to these messages. Using FTP also makes the malicious emails appear more legitimate than they would if they came from an unknown HTTP address.

Finally, the fact the DanaBot banking Trojan is broken up into multiple, heavily encrypted pieces means that it is flexible and agile enough to evade detection.

Security professionals can help protect their organizations from phishing campaigns by developing a layered approach to email security. IBM experts recommend investing in external solutions that pull data from sensors and other sources to scan all incoming messages.

They also recommend that security teams implement perimeter protection using spam detection tools and antispam solutions that can run on internal mailer servers on corporate networks. Finally, mail clients should be connected to a protection mechanism that detects spam and phishing attempts. And oh, train those users. More:
https://securityintelligence.com/news/phishing-campaign-uses-ftp-links-to-deliver-danabot-banking-trojan/
Social Media Social Engineering

We're accustomed to email being the bearer of malicious payloads. Phishing emails continue to represent one of the most important ways in which organizations are compromised and data lost. It's important to realize, however, that email phishing is simply one form that social engineering can take.

Wherever human beings communicate or interact with one another in any way, there's the potential for fraud and exploitation. Email remains a dominant form of online communication now, but it need not hold that place forever. Indeed, it almost surely will not. Chat apps and social media are growing in importance, and they too are infested by scams.

Any organization would benefit from new-school interactive training that enables employees to recognize social engineering in whatever form it takes. Whether it's an email carrying malware as the payload of an attachment, a maltweet, an intercepted and altered Snapchat session, or even a nice-looking person showing up at the office with a clipboard saying they are from the phone company and need to check some problem, it's all still social engineering. Security Boulevard has the story:
https://securityboulevard.com/2018/08/phishing-and-social-media-will-it-over-take-email/
“Loose Lips Sink Ships:” Sharing Too Much Can Take Down a Company

Fighting social engineering is a constant struggle. Technical defenses help, but consensus is that well-informed and aware users are a better protection. Individuals are regularly tricked into giving access to their endpoints. Once they've done that, malware can be installed usually without their knowledge. That malware can remain dormant for an undetermined period before it executes. And all of this can happen even in the presence of sophisticated perimeter defenses.

Barracuda Networks is among the security companies who provide technical solutions but that also recognize the importance of the "human firewall" when it comes to phishing and other social engineering attacks. Jonathan Tanner, a software engineer at Barracuda, notes that the company blocked over 1.5 million phishing emails with 10,000 unique phishing attempts in May of 2018 and 1.7 million phishing emails with 2,000 unique attempts in June.

It's a "numbers game," Barracuda observes: more attempts equals a greater chance of success, and it takes just one success to cause significant harm.

Barracuda advises, in the spirit of "loose lips sink ships," that employees be educated not to share too much information by email or social media. Poor employee behavior can cause a great deal of damage, and where behavior is the risk, training can be a remedy. Dennis Dillman, Barracuda's Vice President of Product Management, advises that effective training programs should go beyond traditional classroom approaches. Training needs to move quickly and conveniently for employees. We agree. More:
https://www.networksasia.net/article/spear-phishing-threat-vectors-highlight-new-realities.1533523385
Here Is a New Scam: GDPR Non-Compliance Extortion

The European Union's General Data Protection Regulation (GDPR) became effective in May. Among many other controls, it mandates that employees get security awareness training, which is a pretty good idea looking at the following extortion scam that tries to leverage GDPR non-compliance.

GDPR is intended to protect privacy, but it could offer opportunities for cybercriminals. As many organizations continue to work toward compliance with GDPR, criminals perceive an opportunity for extortion. They find non-compliant organizations and demand cash in exchange for their silence.

That compliance remains a challenge is clear. In June a survey of 600 IT and legal professionals from the UK, EU and US found 20% surveyed believed they were GDPR compliant, 50% are in the implementation phase and 25% have not started the practice. These figures suggest that extortionists are operating in a target-rich environment.

CISOs and CIOs have learned to recognize extortion as significant risks to the organization. As a result of GDPR, formerly low-value data like residential addresses now have value. Such data fall under GDPR protection. A compromise may afford an opportunity for GDPR extortion.

Several security researchers are predicting that cyber criminals will penetrate a company’s defenses, as they would in the past, and then attempt extortion. In a successful extortion racket, the cybercriminals would compromise an organization, be able to demonstrate that they'd done so, and so show the victim that they have information they could release. By proving the breach, the hacker also proves the potential for a large fine. And fines for GDPR violations can be large indeed: 20 million Euros or 4 percent of annual global revenue, whichever is higher.

Under GDPR individuals and groups have the right to compensation if their data are compromised. Cyber criminals could even threaten a class action suit from customers impacted by a GDPR failure, as they could expose the GDPR failure to thousands.

Better to be compliant, and better not to be breached. IDG Connect has the story: https://www.idgconnect.com/blog-abstract/31153/gdpr-extortion-cybercrime-trend
Your Package Is on Its Way, but Not the One You Expected

Here's a current scam those involved in shipping and receiving should be aware of. Suppose you're expecting a package from a major package delivery company. You receive a seemingly legitimate email from the shipping company offering a means to track the progress of your delivery by simply clicking on the supplied link “Arrival Notification.” The only problem is, as a result of the Microsoft default being set to hide file extensions; you don’t see the full file name “Arrival Notification .exe.” You click on the file to check on your delivery but instead, you unleash an unwanted package, an executable file that compromises your computer with a seemingly innocent animated gif.

The scheme involves using Agent Tesla, a modern and powerful keystroke logger known to be used in malicious spam that pushes malware. This software monitors every move on your personal computer by way of the keyboard and monitor. Your computer now displays the victim viewing the animated gif in a browser on their monitor. It’s like looking in a mirror, and is known as “gifception.”

The Internet Storm Center has the story: https://isc.sans.edu/forums/diary/DHLthemed+malspam+reveals+embedded+malware+in+animated+gif/23944/
What KnowBe4 Customers Say

“Stu, we're very happy with KB4 so far. We used it for a security training campaign that was very successful, and now we're moving on to another training campaign and some phishing work.“
Best, A.T. Security Engineer
The 10 Interesting News Items This Week
    1. Can you recover the power grid after a cyberattack? The Department of Energy finds out:
      https://www.zdnet.com/article/can-you-recover-the-smart-grid-after-a-cyberattack-the-department-of-energy-finds-out/

    2. Pentagon restricts use of fitness trackers, other devices:
      https://www.seattlepi.com/news/politics/article/Pentagon-restricts-use-of-fitness-trackers-other-13134827.php

    3. New Open Source tool uses Facial recognition to create social media phishing attacks:
      https://findbiometrics.com/phishing-tool-facial-recognition-social-media-accounts-508084/?omhide=true

    4. DarkHydrus relies on open-source tools for phishing attacks:
      https://www.bleepingcomputer.com/news/security/darkhydrus-relies-on-open-source-tools-for-phishing-attacks/

    5. Cyber hygiene training is infrequent and inconsistent:
      https://www.helpnetsecurity.com/2018/08/07/cyber-hygiene-training-inconsistent/

    6. Three Ways To Thwart Email Scams And Protect Your Employees' Most Sensitive Data:
      https://www.forbes.com/sites/forbeshumanresourcescouncil/2018/08/08/three-ways-to-thwart-email-scams-and-protect-your-employees-most-sensitive-data/#6a59e22d3e93

    7. Preventing IDN homograph attacks from harming your brand/reputation:
      https://www.helpnetsecurity.com/2018/08/07/preventing-idn-homograph-attacks/

    8. Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months:
      https://krebsonsecurity.com/2018/08/credit-card-issuer-tcm-bank-leaked-applicant-data-for-16-months/

    9. How algorithms can harm cybersecurity:
      https://www.fifthdomain.com/show-reporters/black-hat/2018/08/07/why-algorithms-can-harm-cybersecurity/

    10. How Bitcoin and the Dark Web hide SamSam in plain sight:
      https://nakedsecurity.sophos.com/2018/08/07/how-bitcoin-and-the-dark-web-hide-samsam-in-plain-sight/
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Now here is something that looks like a LOT of fun. It’s called a Russian Swing and you can use it for Base Jumping:
      https://youtu.be/VjhUSftpO8A

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews