Common Phishing And Virus Tactics

Drive-by, Email attachments, social engineering

#1 Rossman01

Posted 30 July 2014 - 10:05 AM

Hi guys - I get these emails sometimes that are sketchy at best - I have some interest in e-security, so I belong to some of those types of newsletters and can spot that stuff when I see it.... So I thought I'd start a string that can grow over time with those things that people sometimes fall for, whether it came in their email, from a supposed tech support guy on your telephone, or a drive-by download from a just-as-sketchy website that was visited.

So today, I'm going to highlight this one that supposedly came from my local courthouse demanding my appearance at some sort of hearing or whatever... anyway, these emails come with an attachment for the end-user to click, which, if done, installs a virus or some other keylogger with back-door access to your machine, and now you're compromised. Now you either need to know how to remove it or spend countless dollars in time and effort 'without' access to the machine while it is out being repaired.

 

Easier to just avoid those scams in the first place...  

 

The email came to my yahoo account with the headline:  Notice to Appear

 

The body shows:

----------------------

Notice to Appear,

The copy of the court notice is attached to this letter.
Please, read it thoroughly.

Note: If you do not attend the hearing the judge may hear the case in your absence.

Truly yours,
Clerk to the Court,         <<--------------------------
Karen Tailor

 

---------------------

 

There are specific things to look for when identifying malicious mail..... First.... Think before you click!!!

 

Your local courthouse will not make contact with you like this. They will inform you of more than "Joe Somebody must contact us"....... You would know "which" court (Really?? Karen Tailor of what court??) is trying to make contact with you 'before' they ask you to click links.... and lastly, you would already be aware of any pending actions against you if you are receiving email from the court - as you would have been "formally" served by an officer of the court or a courier service, having you sign for the notice.

 

Stay Vigilant! Stay Suspicious, Stay Safe.

 

Stay aware, and Stay careful while surfing the Internet - It's a wild jungle out there.

 

Rossman.

 

PS, There are so many other scams like this out there, I will periodically highlight another and look forward to your own experiences with the bad guys right here!

 

Rm

 

PPS - If you have a funny feeling about an email, you're most likely right, follow your gut. Don't open the attachment.


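The tells Rossman lists for that "Notice to Appear" mail (no named court, no case number, a generic salutation, a Reply-To that goes somewhere else, and the payload hiding in an attachment) can be checked mechanically before anyone clicks. The script below is an added example written for this page, not Rossman's code or any mail filter's; the message it triages is constructed to resemble the one quoted above, and the sender addresses, filenames, phrase list and extension lists are assumptions for illustration.

```python
"""Triage an inbound e-mail for the attachment-based lure discussed above.

Added example for this page, not code from the thread or from any mail filter.
The message is constructed to mimic the 'Notice to Appear' mail; the addresses,
filenames, phrase list and extension lists are assumptions for illustration.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# File types that run or script when opened; a genuine court notice needs none of them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "wsf", "hta", "jar", "lnk", "ps1"}
# Generic-salutation and urgency phrases typical of mass lures (assumed list).
LURE_PHRASES = ["notice to appear", "read it thoroughly", "in your absence",
                "dear customer", "confirm your identity", "shortest possible time"]


def build_sample_zip() -> bytes:
    """Constructed payload: a zip hiding a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Court_Notice.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE stub, inert
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed lure mimicking the quoted 'Notice to Appear' mail (details invented)."""
    msg = EmailMessage()
    msg["From"] = "Clerk to the Court <karen.tailor@example-mailer.invalid>"
    msg["Reply-To"] = "noreply@another-domain.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Notice to Appear"
    msg.set_content(
        "Notice to Appear,\n\nThe copy of the court notice is attached to this letter.\n"
        "Please, read it thoroughly.\n\nNote: If you do not attend the hearing the judge "
        "may hear the case in your absence.\n\nTruly yours,\nClerk to the Court,\nKaren Tailor\n"
    )
    msg.add_attachment(build_sample_zip(), maintype="application", subtype="zip",
                       filename="Court_Notice.zip")
    return msg.as_bytes()


def extensions(name: str) -> list:
    """All extensions of a filename, lowercased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def attachment_findings(name: str, where: str = "") -> list:
    """Findings for one filename: executable type, and a double extension hiding it."""
    exts = extensions(name)
    out = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        out.append(("high", f"executable attachment{where}: {name}"))
        if len(exts) > 1:
            out.append(("high", f"double extension hides the real type{where}: {name}"))
    return out


def triage(raw: bytes) -> list:
    """Return (severity, reason) findings for a raw RFC 5322 message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. From / Reply-To alignment: mass lures often collect replies elsewhere.
    from_dom = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if msg["Reply-To"]:
        reply_dom = msg["Reply-To"].addresses[0].domain.lower()
        if reply_dom != from_dom:
            findings.append(("medium", f"Reply-To domain {reply_dom} != From domain {from_dom}"))

    # 2. Body: generic lure language, and a 'court notice' with no case/docket number.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append(("low", "lure phrases: " + ", ".join(hits)))
    if "court" in text and not re.search(r"\b(case|docket)\s*(no\.?|number|#)\s*[\w-]+", text):
        findings.append(("medium", "claims to be a court notice but cites no case/docket number"))

    # 3. Attachments: executables, double extensions, and archives wrapping either.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += attachment_findings(name)
        if extensions(name)[-1:] == ["zip"]:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for inner in zf.namelist():
                        findings += attachment_findings(inner, f" inside {name}")
            except zipfile.BadZipFile:
                findings.append(("medium", f"attachment {name} is not a valid zip"))
    return findings


def verdict(raw: bytes) -> str:
    """quarantine on any high finding, review on medium/low only, deliver when clean."""
    sev = {s for s, _ in triage(raw)}
    return "quarantine" if "high" in sev else ("review" if sev else "deliver")


if __name__ == "__main__":
    sample = build_sample_email()
    for severity, reason in triage(sample):
        print(f"[{severity}] {reason}")
    print("verdict:", verdict(sample))
```

Run it on a real message with `triage(open("mail.eml", "rb").read())`. The attachment check is the one that matters most here: a court never needs you to run an `.exe`, and "Court_Notice.pdf.exe" inside a zip is exactly how the quoted mail delivers its keylogger, so a single high finding is enough to quarantine regardless of how convincing the wording is.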

#2 hyipsurvival

Posted 30 July 2014 - 10:26 AM

I don't know if it works in other nations too, but here (Italy) it's very easy to spot phishing emails, as they are written in broken Italian with lots of misspelled words - like bad HYIP websites run by lazy admins :)

 

good topic Rossman!



#3 Rossman01

Posted 01 August 2014 - 02:22 PM

Another common problem that can arise just by surfing the web - CRYPTOLOCKER (and new variants) - CryptoLocker can install itself onto your machine through what is quickly becoming called a "drive-by" attack, where a user unknowingly stops by an infected website. The malicious bad guy hits you hard and it's VERY difficult to remove. See the story below, pulled from my newsletter from the great guys at knowbe4.com

 

This is the scariest kind of attack - as there really isn't a cure - besides pulling a bug-free back-up (if you have one - Prolly a good time to create one!!) and entirely restoring your machine.

 

Rossman -> 08/2014

 

-------from Stu Sjouwerman @ KnowBe4----------------------

 

Last week, Fedor Sinitsyn, blogger and security researcher for Kaspersky, posted something worrisome. He reported that the Angler Exploit Kit was delivering a new second-generation type of ransomware called CTB-Locker (for "Curve-Tor-Bitcoin"). Kaspersky identifies it as "Onion" because it uses the Tor network; Microsoft identifies the malware as Critroni.A. This alert is also on our blog, please tell your friends.

The Next CryptoLocker

Sinitsyn described CTB-Locker as the potential successor to CryptoLocker, and said that other malware had used the anonymous Tor network, though it was limited to banking malware families such as the 64-bit ZeuS.

Why Second Generation? 5 reasons:

  1. CTB-Locker is the very first Windows ransomware that uses the Tor network for its command & control (C&C) servers, which makes it much harder to shut down.
  2. Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.
  3. CTB-Locker encrypts files using little-used and super strong Elliptic Curve Diffie-Hellman cryptography which makes decrypting it yourself impossible.
  4. Compresses files before encrypting them. 
  5. It was built as commercial crimeware, so it can be sold globally to other cybercriminals. The Bitcoin ransom can be specified, as can the extensions of the files that will be encrypted. 

This new generation is likely originating from an eastern European country like Ukraine or Romania, but not Russia. The developers of the early versions of Onion had English-speaking users in view as their primary targets, and English was the only language supported in the GUI. However, in more recent versions, Russian also came to be supported in the Trojan's GUI along with English.

The fact that the first infections are mainly in Russia means it originated somewhere outside of Russia. Russian cyber crime never hacks in Russia itself because they are immediately arrested and shut down by the Russian security services. 

Once a PC is infected with CTB-Locker, the ransomware gives the victim detailed instructions on how to pay the Bitcoin ransom. Here is how the locking screen looks:

[image: CTB-Locker lock screen]

The fact that other cybercriminals are going to use this code will make it certain that the U.S. will be heavily targeted. Symantec's recent Internet Security Threat Report explained more about ransomware on page 6:

  • Ransomware attacks grew by 500 percent in 2013 and turned vicious. 
  • Scammers continued to leverage profitable ransomware scams where the attacker pretends to be local law enforcement demanding a fake fine of between $100 to $500.
  • First appearing in 2012 these threats escalated in 2013, and grew by 500 percent over the course of the year


#4 fenge

Posted 01 August 2014 - 09:54 PM

Great! I will be careful!

Thanks Rossman01 for this good topic.



#5 Rossman01

Posted 06 August 2014 - 06:46 PM

This one is running through emails here in SoCal - We now have toll roads where, when I was a kid, freeways were free. - Anyway, lots of news here regarding toll roads and the fact they are all e-toll roads, no longer accepting cash - Now the scammers have picked up on it and started scaring people who never even use them - Of course, some people are stupid and fall for every email that comes their way, lol.

 

Stay away from this one, and for sure, don't click any links.

 

------------------

 

 
E-ZPass Service Center

Dear customer,

You have not paid for driving on a toll road. This invoice is sent repeatedly,
please service your debt in the shortest possible time.

The invoice can be downloaded here --Link Removed by Rm--

 

 

This is an obvious scam -> No license plate number, no infraction ID #, no date the infraction was incurred. - and seriously, "this invoice is sent repeatedly"??? ...and "please service" WHAT debt??

 

 



#6 Rossman01

Posted 22 August 2014 - 10:47 AM

The newest, biggest threat to users..... Be careful wandering the TORs.... The new threat is TorrentLocker!! OMG, the new breed of CyberRansom Mafia is here.... Have a read, from our protectors at KnowBe4.com - Thanks CyberHeist News!!

 

--------------Excerpted from newsletter--------------------

New Ransomware Threat: TorrentLocker

iSIGHT Partners discovered a new ransomware strain, which uses "marketing" components of CryptoLocker and CryptoWall, but underneath the surface the code is completely different from these two earlier ransomware families. They have called this new strain "TorrentLocker", for reasons you will see below.

Despite its unique code, the malware tricks victims into thinking that it's CryptoLocker by copycatting the CryptoLocker ransom message. The design of the ransom page looks more like CryptoWall. The malware installs itself on the infected machine and injects a binary into a legitimate process.

This injected binary contains the functionality to encrypt files using the Rijndael algorithm. Once files are encrypted, the victim is prompted with a ransom message and a decryption deadline. The victim is required to purchase Bitcoins and send the payment to the Bitcoin address provided.

The malware and its configuration reside in the Windows Registry, in \Software\Bit Torrent App\ for continued persistence on the infected machine. The registry contains items such as the original binary, ransom message, install locations, autorun key and number of encrypted files.

This strain has been spotted in Australia first, apparently the bad guys are using the aussies as their beta test and then go worldwide. More at:
http://www.isightpar...ker-cryptowall/

I have said it before and I will say it again, it's high time to make 100% sure that your backups really work and can actually be restored at a moment's notice. Also, step all users through effective security awareness training to prevent ransomware attacks from happening. Why Security Awareness Training? Ransomware, that's why

 

----------------------------And notes from another section----------------------

Multiple ransomware strains are now attacking your end-users. You cannot just rely on your filters - you also have to step your end-users through effective security awareness training. Since September 2013, ransomware has become vicious, has inspired several copycats, and the first strains of second-generation ransomware have been identified.

 

Here are some real system administrator quotes from sites hit with ransomware:
1. "Just paid CryptoLocker - We got infected, found our backups did not work and we had to pay."
2. "Went through this 2 weeks ago - We had backups, but that meant we lost a day and a half."
3. "CryptoDefense deleted my Shadow Volume Copies - that really caused a major problem."
4. "CryptoLocker SUCKS - This really is the nastiest thing on the web at the moment."
5. "Ouch. This stinks - Our comptroller opened the attachment, and her PC got infected. The phishing email passed through hosted email filtering, our 'advanced' firewall and the AV on the workstation."

 

Take note of the above quotes and maybe we can all feel more secure..... - back-ups and educated users who avoid clicking links are what keep the bad guys out of our systems.

 

Good luck Electronic Warriors, stay vigilant, and 

 

"Be Aware!!"

 

Rossman


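Posts #3 and #6 both land on the same advice, and the first admin quote above ("found our backups did not work") is what happens when nobody tests it: a backup that has never been restored is not a backup. The script below is an added example written for this page, not code from the thread, KnowBe4 or iSIGHT. It archives a small constructed data set with a SHA-256 manifest, restores the archive somewhere else and verifies every file against the manifest, then truncates the archive to show what the check reports when a backup job died mid-write. All paths, filenames and file contents are invented for the demonstration.

```python
"""Prove a backup can actually be restored before ransomware makes you find out.

Added example for this page, not code from the thread or from KnowBe4. It
archives a small constructed data set with a SHA-256 manifest, restores the
archive elsewhere and checks every file, then truncates the archive to show
what a failed restore check looks like. All paths and contents are invented.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"  # assumed name; stored inside the archive


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Tar+gzip `src` as 'data/' and add a manifest of relative path -> sha256."""
    manifest = {p.relative_to(src).as_posix(): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    mpath = archive.with_name(archive.name + ".manifest.json")
    mpath.write_text(json.dumps(manifest, indent=1))
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname="data")
        tar.add(str(mpath), arcname=MANIFEST)
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    try:
        tar.extractall(str(dest), filter="data")  # refuses absolute paths, '..', bad links
    except TypeError:                             # interpreter predates the filter argument
        tar.extractall(str(dest))


def verify_restore(archive: Path, restore_dir: Path) -> dict:
    """Restore `archive` into `restore_dir` and compare every file with the manifest.

    'ok' is True only when every manifest entry is present with the same hash.
    """
    report = {"ok": False, "missing": [], "corrupt": [], "error": None}
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            safe_extract(tar, restore_dir)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
        return report
    try:
        manifest = json.loads((restore_dir / MANIFEST).read_text())
    except FileNotFoundError:
        report["error"] = "manifest missing from archive"
        return report
    data = restore_dir / "data"
    for rel, digest in manifest.items():
        p = data / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["corrupt"].append(rel)
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


def demo() -> tuple:
    """Run the check on an intact archive and on a truncated copy; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "ledger.csv").write_text("date,amount\n2014-08-22,100\n")  # constructed
        (src / "notes.txt").write_text("backup test data\n" * 200)                 # constructed
        archive = tmp / "backup.tar.gz"
        make_backup(src, archive)
        good = verify_restore(archive, tmp / "restore_good")

        # Simulate a backup job that died mid-write: keep only the first half of the bytes.
        blob = archive.read_bytes()
        archive.write_bytes(blob[: len(blob) // 2])
        bad = verify_restore(archive, tmp / "restore_bad")
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive  :", "RESTORABLE" if good["ok"] else good)
    print("truncated copy  :", "RESTORABLE" if bad["ok"] else bad)
```

The point of restoring into a separate directory rather than just listing the archive is that a listing succeeds on archives that cannot be fully read; only a real extraction plus a hash comparison tells you the copy you would reach for after a CryptoLocker infection is usable. Schedule `verify_restore` against the most recent backup on a machine the ransomware cannot reach, and treat any report with `ok` false as an outage.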

#7 Colaro (PHF Co-Admin)

Posted 22 August 2014 - 03:06 PM

Interesting, thanks Rossman!



#8 Rossman01

Posted 29 August 2014 - 10:48 AM

New one I received this morning -> This one is a scary one, because I DO use blockchain.... I wonder how many less informed folks would have clicked it??

 

----------------------------

 
 
From: iinetinternetbill@blockchain.btc
Today at 7:02 AM
This message contains blocked images. (Rossman has removed the images)

Hello, Due to technical problems Blockchain suffered minor modifications. For your safety were introduced several means of protection. More details:
• A block chain is a transaction database shared by all nodes participating in a system based on the Bitcoin protocol. A full copy of a currency's block chain contains every transaction ever executed in the currency. With this information, one can find out how much value belonged to each address at any point in history.

Please login and confirm your identity here: (Rossman removed the link for obvious reasons)

 

Kind regards!

Blockchain ©1995 - 2014 Blockchain Corporation | All rights reserved.

 

-=------------------------

 

In the end, I will go log in to my blockchain account after I close my browser, then open it again and manually type in the website address.

 

Rm 



#9 Colaro (PHF Co-Admin)

Posted 31 August 2014 - 01:15 PM

 

[Colaro quoted Rossman01's post #8 above in full.]

I have not received it, but thanks for the info anyway.



#10 Rossman01

Posted 10 September 2014 - 10:42 AM

New this week - The Bitcoin Phishing Scam -> See below from my favorite security writer, Stu Sjouwerman @ knowbe4.com

 

Bitcoin Phishing Click Rate Higher Than Regular Scams
Posted by Stu Sjouwerman on Wed, Aug 27, 2014 @ 07:41 AM 

 

The Proofpoint Threatinsight blog reported on something curious. They called their posting "Curiosity Clicks: Using Bitcoin’s hype for phishing fun" and came up with some interesting statistics.

To begin with, the world of the new cryptocurrency Bitcoin is unregulated and designed for anonymity. It represents an attractive, $6.8 billion target to cyber criminals.

Blockchain.info, the most popular Bitcoin "wallet" web site, reports that since September 2013 the number of "My Wallet" users has grown over 500% to over 2 million users, and daily transactions have nearly tripled to over 30,000 transactions per day. A percentage of these are ransomware victims transferring money to cyber criminals hoping to get their files unlocked.

Phishing Expeditions

The bad guys go where the money is, so with numbers like this, phishing attacks targeting Bitcoin users are literally "phishing expeditions." Attackers have used lists of known/active Bitcoin users and used widespread misperceptions about Bitcoin to try and improve their odds of success. 

They drilled down into a specific Bitcoin-themed phishing campaign and found that the 12,000 messages that were part of this campaign received a 2.7% click rate, which is more than the percentage of Bitcoin users in the general population.

Curiosity Killed The Cash

The conclusion is simple. It means that in some cases the link pointing to the phishing website was accessed by users that did not even have a Bitcoin Wallet, highly likely out of curiosity about the digital currency. 

The phishing emails used a classic phishing strategy, a bogus alert of a suspicious sign-in attempt. To make sure that no Bitcoins are stolen, a password reset is recommended with a link to do that at the end of the message.

The messages claim to be from a Bitcoin related website called Blockchain.info and give a case number for the "incident", a classic social engineering tactic.

If the victim clicks the link, they land on a phishing site impersonating the Blockchain log-in page, and any information entered in the fields is sent directly to the phishers. Once the bad guys have that data they can log in to the user's real Blockchain.info account and empty it out. "Because Bitcoin transactions are by design irreversible and difficult to trace, the victim has almost no recourse for their loss," says Proofpoint.


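The blockchain.btc mail in post #8 and the Blockchain.info "suspicious sign-in" lure described in post #10 rely on the same trick: a sender address or link that carries the brand name but does not belong to the brand's domain, while the visible link text shows the real site. Rossman's habit of closing the browser and typing the address by hand defeats that; the script below shows how to spot it mechanically before the click. It is an added example written for this page, not Proofpoint's, KnowBe4's or Blockchain.info's code. The HTML body, sender address and hostnames are constructed to resemble those lures (the .invalid names, blockchaln.info and the punycode host are not real phishing sites), and the brand domain, the two-label "registrable domain" simplification and the 0.85 similarity threshold are assumptions.

```python
"""Check the links and sender of a 'sign-in alert' lure against the brand it claims to be.

Added example for this page, not code from the thread, Proofpoint or Blockchain.info.
The HTML body, sender address and hostnames are constructed; none is a real phishing site.
"""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "blockchain.info"  # the site the lure claims to come from (assumed)

# Constructed lure: brand name under a bogus TLD in the sender, link text showing the
# real site while the href goes elsewhere, a typo-squat, and a punycode lookalike.
SAMPLE_FROM = "iinetinternetbill@blockchain.btc"
SAMPLE_HTML = """
<p>We detected a suspicious sign-in attempt (case #4471). Please reset your password:</p>
<a href="http://blockchain.info.secure-login.invalid/wallet/reset">https://blockchain.info/wallet/reset</a>
<p>Or visit <a href="https://blockchaln.info/wallet">https://blockchaln.info/wallet</a></p>
<p><a href="https://xn--blockchan-d7a.info/">Wallet help</a></p>
<p><a href="https://blockchain.info/wallet">Genuine link for comparison</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text).strip()))
            self.href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(s: str) -> str:
    """Hostname from a URL, or from bare text that looks like one."""
    p = urlparse(s if "://" in s else "http://" + s)
    return (p.hostname or "").lower()


def check_host(host: str, brand: str) -> list:
    """Reasons `host` should not be trusted as `brand`; an empty list means it is the brand."""
    if not host:
        return ["no hostname"]
    reg = registrable(host)
    if reg == brand:
        return []
    reasons = []
    brand_label = brand.split(".")[0]
    if brand_label in host.split("."):
        reasons.append(f"brand label '{brand_label}' used in unrelated domain {reg}")
    if any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append(f"punycode/IDN hostname {host}")
    if difflib.SequenceMatcher(None, reg, brand).ratio() >= 0.85:
        reasons.append(f"lookalike of {brand}: {reg}")
    return reasons or [f"domain {reg} is not {brand}"]


def check_sender(addr: str, brand: str = BRAND_DOMAIN) -> list:
    return check_host(addr.rsplit("@", 1)[-1], brand)


def check_links(html: str, brand: str = BRAND_DOMAIN) -> list:
    """(href, reasons) for every link in `html` that must not be clicked for this brand."""
    parser = AnchorCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        reasons = check_host(host_of(href), brand)
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != host_of(href):
            reasons.append(f"link text shows {shown} but href goes to {host_of(href)}")
        if reasons:
            bad.append((href, reasons))
    return bad


if __name__ == "__main__":
    print("sender:", check_sender(SAMPLE_FROM))
    for href, reasons in check_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

Only the last link in the sample survives, because its registrable domain is exactly the brand's. Everything else fails for a reason a user cannot see in the rendered mail: the text says blockchain.info but the href does not, or the domain is one letter off, or the label is encoded. In production you would replace the two-label `registrable` helper with a public-suffix list and feed the checker the brand the mail claims in its From display name.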

#11 hyipsurvival

Posted 11 September 2014 - 06:19 AM

Thanks for sharing, Rossman!



#12 Rossman01

Posted 12 September 2014 - 10:40 AM

This amused me immensely.... It seems the ol' "Prince of Persia" and "Nigerian Lottery" phishing scam still exists!! I just got this one this morning. I had to laugh, then I also had to share. (grin)..

 

 

Welcome To Uba Bank Of Africa Headquarters.

We have finally arranged to transfer your Fund worth $25Million USD
through (UBA) Bank. We were able to accomplish this through
the help of IMF director Anderson Morgan and every necessary arrangement has
been
made successfully with the UN Agent Mr. Seay William.

Contact  Mr.George Gabriel.
Telephone: +229-68736194
Email:  (africaban@yandex.com)
Contact the (UBA) with your transfer information such as:
your receiver's name,..
your phone number,..
address,..
city,..
nearest airport.

And also be informed that your fund is now in (UBA) Bank plc
Sincerely
MR.JOHN MIKE

 

-------------

 

I wonder if I respond with a demand for the money to be placed into my BTC address, with threats that if I don't see the transfer then the aforementioned persons and senders will be contacted by the proper authorities; then sign it Stu Sjouwerman and leave his address (for the recipients to research... Then they find out he is part of that security group..... put a little scare into them??)...

 

Not seriously of course, it likely wouldn't be that easy, and would simply be asking for some Mafioso to come and punch me in the nose.

 

Was funny to see though and think about.

 

Rm



#13 Vis

Posted 12 September 2014 - 12:25 PM

Heck, I get so many of these types of emails...

From the FBI, IMF, and so many other scams like it, I must throw away hundreds of millions of dollars some weeks, lol



#14 Rossman01

Posted 17 September 2014 - 02:59 PM

I just got news that Australia was just hit "big" with the CryptoLocker virus - They are being blackmailed for more than ten thousand machines @ between one and two BTC each - That's a big batch of dough!

 

I had heard somewhere that the Russian hackers behind this mess have obtained $500 million in ransom so far (approx 40 - 45% of all infections).

 

Huge Huge Black Hat biz.

 

"Make New Backups, Everyone!!" (I gotta make new ones this weekend.)

 

Rm



#15 Rossman01

Posted 30 September 2014 - 10:42 AM

Hello my friends - Been a few days - So here's a bit more from my 'other' friends at KnowBe4 (Stu Sjouwerman)

 

SCAM of the WEEK: Compromised eBay Accounts

Digital miscreants have moved to eBay in a big way. Warn your users to not give out personal bank account data on eBay. Always use a credit card (not a debit card) or pay with PayPal! There are way too many people using a debit card online, not understanding the risks they are running doing that.

Here is how the scam works. First, phishing emails get sent and keyloggers are put on the initial victim's PC, so that the bad guys can get their eBay credentials.

Next, their legit, 100% positive feedback eBay user account gets hijacked and a fake listing gets placed. They get locked out of their own account, and are later billed by eBay to cover seller's fees for items they did not sell.

When buyers clicked on one of these malicious listings for things like smartphones, televisions and clothing, they were brought to a totally real-looking site that asked victims to log in and give out their bank account details. Once those were divulged, the account was emptied out.

The lesson still is: Think Before You Click! 

 

 

(Good one, RM)



#16 Rossman01

Posted 06 October 2014 - 12:37 PM

Hey PHF HYIPers - I saw a great interview with my favorite security expert in my "Server News" newsletter; I thought you might like to see some of the reasons I like this guy so well.

 

from WServernews.com.....

 

article quote - --------------

Issue #1000 - Interview with Stu Sjouwerman

We're talking with Stu Sjouwerman the guy who started this newsletter way, way back in September of 1997. Stu, 17 years is a long time in IT, isn't it? That's about 119 dog years, and for old dogs like ourselves who work in the IT profession it feels more like several centuries. What was the IT industry like when you started WServerNews--or W2Knews as it was actually called back then?

Yeah, it's been quite a ride! I started in IT in 1979 with VAX mini-computers from DEC. We started W2Knews in 1996 when Microsoft just came out with their enterprise operating system: Windows NT, soon followed by Windows 2000 which the first version of the newsletter was named after. The industry was jumping on the Redmond bandwagon in a major way, noticing that Bill Gates had "bought" DEC's Dave Cutler, the main VMS Operating System architect for a then astounding amount of a million bucks a year.

What was your goal in starting the newsletter back then? What did you hope to accomplish?

Help system administrators to keep their machines and networks up & running with information, news, hints & tips and system admin tools. And of course a few fave links at the end to provide a bit of levity. System admins are usually super busy putting fires out all day long, and do not get a lot of cooperation from other employees who do not understand the computer and network.

What did readers initially like best about your newsletter? Did you experiment with the format and range of topics you would cover?

In the early days, any news was welcome as NT was a whole new platform and there were hardly any 3rd party tools available. We started with a disk quota management tool, and Octopus, which was real-time backup and failover. We surveyed regularly about which sections in the newsletter were needed, wanted or redundant and finally settled on a format we stuck with for more than 10 years.

How did you come up with fresh ideas for your editorials? As I can testify myself, writing a newsletter every week can be challenging even in an industry like IT where things change very rapidly!

Sunbelt was hosting several forums, one of which was the popular NTSYSADMIN list. Topics discussed there were a never ending source of story ideas and interviews. We also had forums about Exchange, Security and other topics that came up over time.

What changes in the IT profession did you see during your long tenure as Editor of WServerNews?

Wow, interesting question. Overall, over the decades, I would think it's fragmented into more and more specializations. 30 years ago you could know pretty much everything about PCs for instance. Today, you need to be a malware reverse engineering specialist to be able to protect endpoints. The same has happened in many other areas. Your only choice is to become a "serial specialist" if you want to keep up, compare it to a triple major in college, and study never ends. But that is also the attraction, never a dull moment!!  

That's a good point Stu, there seem to be so many different areas of IT specialization nowadays. It's interesting also that the newsletter has attracted such a wide range of readers over the years. TechGenix did a reader survey shortly after my wife and I took over as editors in 2012 and they found that about one-sixth of those who had subscribed to WServerNews were sysadmins, about one-sixth IT managers, about one-sixth consultants, and the remainder split between senior IT staff, network admins, owner-operators, CEOs, CIOs, security analysts, specialists, developers... wow. Congratulations on creating a newsletter that has attracted such a wide range of readers! Any trick how you did it?

That was 15 years of hard work in both the areas of marketing and writing newsletters I'm afraid. In the early days of the Internet when opt-in and opt-out simply did not exist, software developers gave me their customer databases and gave me the OK to send the newsletter to them weekly. And I am still writing a weekly newsletter called Cyberheist News that you can subscribe here:
http://www.wserverne...o/1412326616455

I'm sure our readers have appreciated all of your hard work over the years! Let's move on though and talk about the future. What do you think are the most significant trends in coming in business computing over the next few years? And how do you think these trends will impact the IT profession as we know it today and especially IT pros who work with the Windows Server platform? Feel free to be wordy here and let us know what you see in your crystal ball...

Hah, I used to do a crystal ball issue once a year, first week of January. That was the shortest newsletter but it was the most work!! First of all, cybercrime and cyberwar are escalating. Many people in large companies, the government and nationwide infrastructure IT are now in the front lines of international hacking attacks sponsored by nation-states. And the rest of us are under constant attack by a very well-funded eastern European cyber mafia.

The irony is that the Windows platform has become the standard, and thus is also the most attacked. Both cybercrime and spy agencies are hoarding hundreds of 0-day threats that they can pluck out of their black bag when they need to get into a network. The biggest change for IT pros that I predict is the change of perspective from: "We can defend against an attack" to "We already have been penetrated; we need to protect the data and get the hackers out". This is a sea change in the way you approach the hacking problem.

What sort of things can IT do if their organization's systems and data has been penetrated? I thought the only answer was to "nuke and pave"?

You need next-generation breach detection. These tools solve, in essence, a classic big-data problem. To be effective, these tools need to analyze a great variety of data in high volume, and at great velocity, to determine potential breaches. Most important, the tools must be precise; too many false positives and their reports will quickly be ignored, which is what happened at Target. A new crop of next-generation startups are working on this, for example:

Aorato
http://www.wserverne...o/1412326635002

Bit9
http://www.wserverne...o/1412326640034

Cybereason
http://www.wserverne...o/1412326644190

Exabeam
http://www.wserverne...o/1412326648221

Fortscale
http://www.wserverne...o/1412326652768

LightCyber
http://www.wserverne...o/1412326656971

Seculert
http://www.wserverne...o/1412326661846

Vectra Networks
http://www.wserverne...o/1412326665877

Fascinating, I'll have to check those out. Let's finish off by letting you tell us about some of the ventures you've been involved with since you stepped down from editing WServerNews. What are you up to these days?

During the 2007-2010 period when we built VIPRE Antivirus, we found out that most malware infections were caused by the end-user being social engineered. So when Sunbelt was acquired by GFI in 2010, I already had an idea for a new company that would provide "new school" security awareness training, built from the IT security perspective instead of just being checkbox compliant. That was why I started KnowBe4:
http://www.wserverne...o/1412326671143

and teamed up with former hacker (The World's Most Wanted) Kevin Mitnick to create a brand new way for system admins to keep their users on their toes with security top of mind. Things have gone great with KnowBe4, we are in our third year with almost 20 employees and over 700 enterprise accounts using the training.

Sounds great Stu, and good luck on all your future endeavors!

Thanks very much Mitch!

About Stu Sjouwerman

Stu Sjouwerman (pronounced "shower-man") is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training (employee security education and behavior management) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. KnowBe4 services hundreds of customers in a variety of industries, including highly regulated fields such as healthcare, finance and insurance, and is experiencing explosive growth with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.

 

-----------------article endquote------------------------------

 

Great stuff



#17 Rossman01

Posted 15 October 2014 - 10:51 AM


News from my favorite security expert, Stu.

 

 

 

Scam of the Week: "Whatsapp Gold" & Security News Roundup

A new scam is doing the rounds that may hit your employees soon. I suggest you send them a warning about these types of scams. Feel free to copy/paste/change this and blast to everyone, especially if they use company-provided smartphones.

"Many of us use texting apps to quickly get word to someone, both privately and in business. Cyber criminals have released a fake "Gold Edition" version of the very popular WhatsApp messaging app, and it is being pushed via social networking websites. This bogus version promises exclusive features like custom backgrounds and emoticons, but it actually subscribes you to high-cost messaging services that rip you off at $2 per text you send.

"This may also happen with the current texting app you use, so do not fall for hacker tricks like this, which either drive up your phone bill or download spyware or ransomware to your phone. The bad guys try to scam as many people as they can and promote that the app is available for both iOS and Android.

"Remember, legit smartphone apps do NOT ask for your mobile phone number and/or any other personal information so never give this out. Think before you click (or tap)!"

Why All This Russian Cybercrime? Explained in Five Minutes...

(This may be something interesting to forward to your friends!)

We all know that a large amount of cybercrime originates in Russia and other eastern European countries that were former USSR satellite states. But why is that?

I decided to dig into this and did some research which turned out to be eye opening. One of the most fascinating sources of reliable information was a book called Putin's Kleptocracy: Who Owns Russia? by Karen Dawisha, professor of Political Science at Miami University.

Why cybercrime is so widespread in eastern Europe is closely connected and date-coincident with the rise of Vladimir Putin to Russia's autocratic leader. If this all sounds too unreal, I assure you it's the unpleasant truth.

I'm going to give you a very, very short summary of what happened, so you get the big ugly picture. Putin came up in the 1990s in the KGB in Leningrad, and was also stationed in the German town of Dresden as a recruiter for agents, and obtaining high-tech secrets from the West. Yup, Putin was a spook stealing Western high tech intellectual property.

He created his personal network in Leningrad (renamed to St. Petersburg), consisting of political allies, his personal security people, and Russian Organized Crime (OC). The group he has around him today is the same group that brought him to power.

At the onset, Putin and his circle wanted to create an authoritarian regime, (call it a modern Stalinism really), ruled by a close-knit cabal with the interest to only enrich themselves, and not create a real democracy. The cabal consists of former KGB, mafia, and political and economic forces that joined together. They claim to be devoted to Russia and did this to save her, but they are more devoted to their personal survival and prosperity. The whole enterprise is being bolstered by high oil prices and state control over almost the entire media space.

It started out with the KGB moving all the Communist Party's vast financial reserves offshore, absorbing the Russian mafia and using them for black ops as a price for operating on Russian territory. At the same time, the KGB created hundreds of companies and several banks inside and outside of Russia to launder money. Good examples are the Bank Russia, and energy company Gazprom. Putin's cronies were put in charge of many of these, and many of these people have become billionaires. Their price? Total loyalty and like the mafia, silence: "Omerta".

While moving all this money abroad, the KGB found themselves using the same channels as the mafia for their illicit gains, and these funds started to get mingled up to a point where it was no longer possible to tell which monies belonged to the KGB and which to the mafia. So, when more or less spontaneous privatization began to occur through Russia, the KGB and the mafia were given a head start.

To make all this happen in an invisible way, a top-down corruption scheme was hatched that truly starts with Putin and then goes all the way down to low-level government employees. You only get into Russian government by paying for it, and then get rewarded via "tribute" payments. The system put in place by Putin causes the Russian economy to be badly hamstrung because there is no technical innovation, except in cybercrime where the criminal innovation is furious.

Russia scores very high in overall education, but the well-trained young graduates only have three choices: go abroad, start working for the corrupt government, or go into cybercrime. The third option pays very, very well and many take it.

The long and short of it is that organized crime in Russia is being allowed to operate, and has moved into cybercrime in a massive way, ransomware like CryptoLocker and CryptoWall being a good example. Now and then the cyber mafias are used by Putin as a resource to harass countries that get into his way. The same is more or less the case in countries like the Ukraine, where cybercrime has become a measurable percentage of their gross domestic product.

Since they are thousands of miles removed, the major ways these bad guys can penetrate your systems are limited:
   1) Badly configured servers and workstations
   2) Known and unknown vulnerabilities in software
   3) Social engineering

-----------------------That's it in a nutshell - and Scary stuff - 

 

Stay aware and keep secure, my friends,

 

Rossman



#18 Rossman01


Posted 28 October 2014 - 10:21 AM

Good morning PHF guys,

 

I love this stuff; it's so interestingly "Scary". Check out the latest from the best security news guys around... knowbe4.com

 

Rossman

 

New Ad-borne CryptoWall Ransomware Claims Fresh Victims

The phones have been ringing off the hook here at KnowBe4. Not customers of ours but people who were hit with CryptoWall V2.0, needed Bitcoin urgently, did a websearch and wound up with us because of our crypto-ransom guarantee.

The folks at Proofpoint just wrote a long blog post explaining exactly why this is. In a nutshell, CryptoWall V2.0 now uses poisoned ads on dozens of major sites like Yahoo, AOL and Match.com to infect networks. Malicious ads are nothing new in themselves, but second-gen ransomware using them is worrisome.

Proofpoint said: "The sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware". This means a so-called drive-by-download where the user does not have to click on anything. Up to now, CryptoWall was spread via spam with infected email attachments and download links sent by the Cutwail botnet.

The website visitors hit by this malvertising are people who run unpatched versions of Adobe Flash. The poisoned ads silently 'pull in' malicious exploits from the FlashPack Exploit Kit, hence the "drive-by-downloads".

According to security researchers at Dell SecureWorks, more than 830,000 victims worldwide have been infected with ransomware, a 25% increase in infections since late August when there were 625,000 victims.

The first ransom usually has a deadline of 4-7 days and demands about $500. Even the bad guys understand it's not always easy to get your hands on Bitcoins quickly. But when this first deadline is not made, the ransom doubles to roughly $1,000, depending on Bitcoin exchange rates.

Counting the ransom payments to CryptoWall's Bitcoin addresses, Proofpoint estimates that the attackers make $25,000 per day. Recent data taken directly from the CryptoWall ransom payment server shows since August 2014 an additional 205,000 new victims have been claimed.

Here are 5 suggestions on what to do about it:

1.     Do not use mapped drives, period. Use UNC names instead to connect to servers. Apart from close to real-time (snapshot) fileserver backups, I also strongly recommend deploying ad blockers for all the browsers in your organization if you have not already done so, or make sure you use endpoint security that has ad-blocking built in.

2.     Continue to focus on all endpoints being fully patched, Windows and all third party apps. Also, configure endpoint browsers to only execute plug-in content when clicked rather than automatically. Uninstall apps that are not absolutely needed; make your attack surface as small as possible.

3.     Some browsers like Google Chrome and Mozilla Firefox allow you to enable click-to-play for plug-in based content, which can stop the automatic execution of exploits that target browser plug-ins. Deploying a whitelisting product on all machines is also something you could look at; whitelisting will stop ransomware cold.

4.     Technologies for lifecycle malware detection carry different names, including targeted threat protection (TTP), targeted attack protection (TAP), and "click-time link scanning". Whatever you call it, you want it in place.

5.     Having an Acceptable Use Policy (AUP) in place that forbids employees from using their machines for private browsing, and having an edge device that blocks selected groups of websites (like all social media), is also something you should have in place.

You could also open an account with coinbase.com, get approved, (takes a few days) create a wallet and buy a few Bitcoin just to have them in case you get hit and your backup fails.

And obviously stepping all employees through effective security awareness training is a must these days. Find out how affordable this is for your own organization. Click on the link and get a quote:
http://info.knowbe4....omware-14-10-28


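An added example for the fileserver point in the CryptoWall post above (this is not code from the newsletter or from KnowBe4): the malware reaches servers through the victim's drive mappings and rewrites files in bulk, and that bulk pattern shows up in share audit logs as one account touching many distinct files in a few seconds. The script below flags any account that modifies an unusual number of distinct paths inside a short sliding window, which is the detection you would pair with the snapshot backups the post recommends. The audit-line format, the user names, the share paths, the thresholds and every event are assumptions constructed for the example; real Windows or Samba audit formats need their own parser.

```python
"""Flag ransomware-style modification bursts in file-share audit events.

Added example, not from the newsletter or KnowBe4. The line format
"<ISO timestamp> <user> <op> <path>" and all events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: alice does ordinary work, carol writes one file a
# minute, and bob's account renames 12 files in 12 seconds (encryptor-like).
SAMPLE_LOG = "\n".join(
    [
        "2014-10-28T09:00:01 alice WRITE \\\\fs01\\finance\\budget.xlsx",
        "2014-10-28T09:03:10 alice WRITE \\\\fs01\\finance\\notes.docx",
    ]
    + [f"2014-10-28T09:15:{i:02d} bob RENAME \\\\fs01\\hr\\doc{i}.docx" for i in range(12)]
    + [f"2014-10-28T09:{20 + i}:00 carol WRITE \\\\fs01\\sales\\q{i}.xlsx" for i in range(10)]
)


def parse_events(text):
    """Parse audit lines into (timestamp, user, op, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, op, path = line.split(" ", 3)  # path is the remainder
        events.append((datetime.fromisoformat(ts), user, op, path))
    events.sort(key=lambda e: e[0])
    return events


def detect_bursts(events, threshold=10, window_seconds=60,
                  ops=("WRITE", "RENAME", "DELETE")):
    """Return {user: time of first alert} for each user who modified at least
    `threshold` distinct paths within any sliding window of `window_seconds`.
    Only the first alert per user is kept so a long encryption run does not
    flood the output."""
    recent = defaultdict(deque)  # user -> (timestamp, path) pairs in the window
    alerts = {}
    for ts, user, op, path in events:
        if op not in ops:
            continue
        window = recent[user]
        window.append((ts, path))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if user not in alerts and len({p for _, p in window}) >= threshold:
            alerts[user] = ts
    return alerts


if __name__ == "__main__":
    for user, when in detect_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {when.isoformat()} {user}: modification burst; isolate the "
              f"host and roll the share back to the last snapshot")
```

Tune `threshold` and `window_seconds` against a baseline of the share's normal activity; a legitimate bulk job (a batch import, a migration) will trip the same rule, so the alert should drive an isolation decision, not an automatic one.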

#19 hyipsurvival


Posted 29 October 2014 - 05:00 AM

thanks for sharing Rossman!  :)



#20 Rossman01


Posted 04 December 2014 - 02:28 PM

I have missed a couple of these newsletters - but they really are super informative - I hope you like them as much as I do - Here is this week's big Sneaky Phishing trick....

Scam Of The Week: "Shipping Problem"

We have Black Friday and Cyber Monday behind us. After losing ground to online competitors, brick-and-mortar retailers have struck back with incredible online deals. Wal-Mart said Thanksgiving was its second biggest day ever for online sales and Target's online buying was up 40% over last year.

This is the time of year that people buy new smartphones, TVs and new game consoles because they are able to get killer deals and now they are dying to get their hands on these new goodies.

What you may not know is that similar to a magazine's editorial calendar, criminal hackers have a "scam calendar" which focuses on events exactly like this. They have campaigns planned and ready to roll starting TODAY for the rest of the month.

These malware campaigns do not discriminate between the home and the office. Roughly a billion of these criminal emails are sent each day. So, I strongly recommend you send this to your users today. Feel free to edit any way you like:

"Scammers are preying on people that have just made a lot of online purchases on Black Friday and Cyber Monday. There are several scam campaigns being sent right now.

1.    Be on the lookout for "Shipping Problem" emails from FedEx, UPS or the US Mail, where the email claims they tried to deliver a package from (for instance Apple Computer) but could not deliver due to an incomplete address. "Please click on the link to correct the address and you will get your package." If you do, your computer is likely to get infected with malware. Warn everyone in the family, especially teenagers.

2.    Watch out for alerts via a TEXT to your smartphone that "confirm delivery" from FedEx, UPS or the US Mail, and then asks you for some personal information. Don't enter anything.

3.    And to reiterate a warning we sent out a few weeks ago, there is a fake refund scam going on that could come from a big retailer. It claims there was a "wrong transaction" and wants you to "click for refund" but instead, your device will be infected with malware.

Especially in these times, Think Before You Click!"

PS: If you are a KnowBe4 customer, this would be a good time to send the "Package Could Not Be Delivered" template from the Online Services section to keep your users on their toes. If you aren't a customer yet, you can create a free account and send a simulated phishing test to 100 of your users and see what the Phish-prone percentage of your organization is. Create your (did I say free?) account here:
http://info.knowbe4....y-test-14-12-02

Sony The First To Be Hit With Destructive Payload

Sony has been hacked several times, and should have learned their lesson a while ago, but no. This time it is really bad though. Late yesterday the FBI warned U.S. business that the hackers used malware with a destructive payload to bring down Sony Pictures Entertainment.

Sony Pictures is in digital lockdown while it investigates a breach in which intruders reportedly stole more than 200MB of data and defaced employees' workstations. Sony Pictures staff are being asked to disconnect computers and personal devices from the network and to shut down VPNs.

The five-page, confidential "flash" FBI warning issued to businesses late on Monday provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware.

The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up. Sony has hired FireEye Inc’s Mandiant incident response team to help clean up after the attack, a move that experts say indicates the severity of the breach.

Sony is investigating to determine whether hackers working on behalf of North Korea are responsible for the attack. This would be revenge for the company's backing of the film "The Interview" which comes out Dec. 25. It's a comedy about two journalists recruited by the CIA to assassinate North Korean leader Kim Jong Un. The North Korean government denounced the film as "sponsoring of terrorism" in a letter to the United Nations.

The technical section of the FBI report said some of the software used by the hackers had been compiled in Korean, but it did not discuss any possible connection to North Korea. More at Reuters who got their hands on the FBI report:
http://www.reuters.c...N0JF3FE20141202

And now this!!!...................


Do Not Charge Your E-Cig In The USB Port

This blog from the Jester shows that while charging an e-cig using your USB port, a TCP connection opens up to Chinese IP space, from a service or persistent process that is present on most Windows PCs that resides in a well-known area of a Windows filesystem. He's got a picture with the port number. When he unplugs the charger, the port closes. Scary if this is actually going on:
http://www.jestersco...he-chinese-pla/

That's the good stuff for now - Enjoy!!

 

Rossman


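The "Shipping Problem" lure in the post above names a carrier and asks the reader to click a link. The gap between what such a message claims and where it actually came from and points to can be checked mechanically, and the script below is an added example of that check; it is not part of the newsletter or of KnowBe4's material. It parses a constructed .eml and reports a sender domain that does not belong to the carrier named in the message, links whose host lies outside the sender's domain, and anchor text that displays one host while the href goes to another. CARRIER_DOMAINS, both sample messages and the 198.51.100.23 address (a documentation range, not a live host) are assumptions made for the example.

```python
"""Triage a "shipping problem" email for the red flags the newsletter lists.

Added example, not from the newsletter or KnowBe4. CARRIER_DOMAINS and both
sample messages are constructed for the example.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> legitimate sending domain; extend for your environment.
CARRIER_DOMAINS = {"fedex": "fedex.com", "ups": "ups.com", "usps": "usps.com"}

# Constructed lure: carrier branding, look-alike sender domain, and a link
# shown as fedex.com that really points at a bare IP (198.51.100.23 is a
# documentation address, not a live host).
PHISH_EMAIL = """\
From: "FedEx Customer Service" <notice@fedex-delivery-status.net>
To: victim@example.com
Subject: FedEx Shipping Problem - Package Could Not Be Delivered
Content-Type: text/html; charset=utf-8

<html><body>
<p>We attempted to deliver your package from Apple Computer but the
address was incomplete. Please correct it below.</p>
<p><a href="http://198.51.100.23/label.php?id=7781">
http://www.fedex.com/us/tracking</a></p>
</body></html>
"""

# Constructed benign notice for comparison: sender and link agree.
LEGIT_EMAIL = """\
From: "FedEx" <tracking@fedex.com>
To: victim@example.com
Subject: FedEx Shipment Notification
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.fedex.com/apps/fedextrack/">Track your
shipment</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect [href, visible text] pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def registered_domain(host):
    """Last two labels of a hostname (naive: ignores suffixes like co.uk);
    IP literals are returned unchanged."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2 or all(p.isdigit() for p in parts):
        return host.lower()
    return ".".join(parts[-2:])


def analyze(raw_message):
    """Return human-readable findings; an empty list means no red flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    findings = []

    # (1) Carrier branding in subject/display name vs. the actual sending domain.
    haystack = f"{msg['Subject'] or ''} {sender.display_name or ''}".lower()
    for brand, domain in CARRIER_DOMAINS.items():
        if brand in haystack and registered_domain(sender_domain) != domain:
            findings.append(f"claims {brand.upper()} but sent from {sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        # (2) The link leaves the sender's own domain.
        if registered_domain(host) != registered_domain(sender_domain):
            findings.append(f"link host {host} is outside sender domain {sender_domain}")
        # (3) The visible text is itself a URL naming a different host.
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"anchor text shows {shown} but href goes to {host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyze(raw) or ["no red flags"])
```

The check reads headers and HTML only and never follows a link, so it is safe to run on quarantined mail. Real carriers do send from marketing subdomains and third-party senders, so treat a finding as a reason to look, not proof on its own, and replace the two-label `registered_domain` heuristic with a public-suffix list before relying on it for domains like example.co.uk.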