Non-malware attacks surpassed malware as hackers’ weapons of choice in 2017 https://t.co/1oLTkjV2aG via @TEISSNews
— Madsqu1rrel (@ErichKron) January 5, 2018
from Twitter https://twitter.com/ErichKron
Server Cryptomix Ransomware Variant Released https://t.co/WLpwVS3kdw
— Madsqu1rrel (@ErichKron) January 5, 2018
Breaking News: Drilling a 2.5mm hole all the way through Intel CPUs right at the top of the “t” will solve any “Spectre”/”Meltdown” issues you may have http://pic.twitter.com/xo3f5MutBc
— Madsqu1rrel (@ErichKron) January 4, 2018
Florida Oncology Company to Pay $2.3 Million After Data Breach https://t.co/w309JADpYZ
— Madsqu1rrel (@ErichKron) January 4, 2018
Tax scam alert: the IRS just issued a new cybersecurity warning https://t.co/neRHYYPDCO
— Madsqu1rrel (@ErichKron) January 4, 2018
ATM skimmer steals from nine customers at Louviers FCU https://t.co/n3zUGGdKsN
— Madsqu1rrel (@ErichKron) January 4, 2018
Got a call from someone last night who had a friend's org hit with ransomware, including their backups.
Please folks, follow a 3-2-1 backup program. Make sure 1 copy is offline. I hate seeing that happen
— Madsqu1rrel (@ErichKron) January 4, 2018
Not typical. This was an employee browsing records of patients with a controlled substance abuse prescription & primary care physician in the St. Louis area. SSM is notifying all patients the employee accessed even as a result of legitimate job functions https://t.co/ZhhIifzDIU
— Madsqu1rrel (@ErichKron) January 3, 2018
Having survived the challenges of 2017, I'm sure we're all looking forward to a bit of a rest; however, that is not in our future. It does help to be prepared for what's coming, and that's why I want to take a minute to talk about W2 fraud. As we enter the first quarter of 2018, you need to be aware of this and know how to combat it.
What is W2 Fraud?
W2 fraud is related to CEO fraud, a.k.a. Business Email Compromise (BEC). While CEO fraud happens throughout the year, W2 fraud happens primarily in the first quarter here in the US, for reasons that will become obvious. To put it bluntly, W2 fraud is where somebody pretends to be someone in leadership in an organization, targets someone (usually in HR or payroll), and tricks them into sending the employees' tax statements. This type of attack is almost exclusively done through email phishing; however, we can expect to see some cases of the bad guys leveraging a second type of attack, such as SMS phishing (smishing), to improve their odds of success.
How does it work?
In its simplest form, the attackers craft an email message with a spoofed (faked) "from" address. This message requests that the victim send them the W2 tax forms of all employees, usually as a .PDF document. The message looks legitimate on the surface and may even include the signature block of the person being impersonated or other similar traits to make it look genuine. There is often a sense of urgency in the message to get the victim to send the data quickly, without giving them a chance to check on its legitimacy. In addition, more often than not, an attacker is ready to reply almost immediately to any questions posed in an email reply to the initial request.
Once the attackers have the tax documents, they almost immediately file tax returns on behalf of the employees. As you can imagine, these tax returns always result in a refund. Then, when the employee goes to file their taxes, they find out that this has already been done for them. This causes a lot of additional work, delays in receiving their actual refunds, and the involvement of law enforcement and the Internal Revenue Service (IRS). To add insult to injury, the attackers then often sell this information on the dark web. Because it includes sensitive information such as Social Security numbers and salary information, this data is great ammo for identity theft.
Examples
Below is an example of a real attack that targeted us here at KnowBe4, along with a breakdown of the ways the attackers try to make it look legitimate. This is a very typical W2 fraud phishing email.
As you can see in the example above, the focus is on making the message look legitimate and getting the person to act very quickly. Here are the different elements broken down.
Another Example
This one is a little less common, but very simple and effective. Essentially, it's a lead-in to the above example and sets the tone a little more strongly. In this case it's made to appear that the victim missed an earlier email from senior leadership. Once the victim replies to this message saying they did not get an earlier email, the follow-up emails are very similar to the one above, but with a more aggressive tone, since the attackers have now made the victim assume they messed up and missed the initial request. This puts a lot of pressure on the victim. In a larger organization where employees don't typically interact with senior leadership, this can put the victim in a very stressful situation and make them unwilling to question the request. Again, this is an actual email we received here at KnowBe4.
Hybrid Attacks
I mentioned earlier that we can expect to see times where the attackers leverage other types of attacks. Imagine getting one of the above emails followed by a text message from the boss requesting the same thing. This would be a hybrid attack leveraging something called “smishing” (SMS phishing). We’ve all seen or heard of text-messaging based attacks, usually in the form of a text message from a financial institution requesting some sort of account validation or even the IRS threatening to arrest the victim. These attacks are not difficult to perform but can be very effective when combined with an email message like that above.
Defending Against These Attacks
When defending against this type of attack, it's important to have good email filters in place to hopefully block the messages before they ever reach the victims. Unfortunately, even the best technology these days struggles to detect and stop these very targeted attacks; it does much better at stopping blanket phishing emails than this sort of thing. Antivirus or endpoint protection really does nothing against this type of attack, as there is no malware involved. That leaves you with non-technical solutions to make the biggest impact against these attacks.
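To make the signals from "How does it work?" concrete, here is an added defender-side example (not KnowBe4's code or any product's filter) that scores a message on the traits the post describes: an executive's display name on an address outside the organization's domain, a Reply-To that differs from the visible sender, urgency language, and a request for W2s or tax forms. The sample messages, the organization domain and the executive list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a W2-fraud style message with the traits described on this
# page. Names and domains are made up.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@example-mail.net
To: payroll@example-corp.test
Subject: URGENT - W2 copies needed

Hi, I need the W2 forms for all employees as a PDF before noon today.
Kindly send them over as soon as possible.
"""

# Constructed legitimate internal message for comparison.
SAMPLE_OK = """From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Q1 planning

Can we meet Thursday to go over the quarterly schedule?
"""

# Hypothetical inputs an organization would maintain: its own mail domain and
# the display names of leadership who are routinely impersonated.
ORG_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe"}

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away|as soon as possible)\b", re.I)
W2_REQUEST = re.compile(r"\b(w-?2s?|tax (forms?|statements?))\b", re.I)

def score_message(raw: str) -> dict:
    """Return which W2-fraud indicators a raw RFC 822 message shows, plus a total."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() or "")
    hits = {
        # Executive's display name, but the address is not on our own domain.
        "exec_name_external_domain": name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN,
        # Replies would go somewhere other than the visible sender.
        "reply_to_mismatch": bool(reply) and reply.lower() != addr.lower(),
        "urgency_language": bool(URGENCY.search(text)),
        "w2_request": bool(W2_REQUEST.search(text)),
    }
    hits["score"] = sum(hits.values())
    return hits
```

A score of 3 or more is a reasonable threshold for routing the message to a human reviewer rather than the payroll inbox; the individual flags tell the reviewer what to verify by phone.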
The first thing to do is to make sure that everyone, especially senior leadership and the folks who deal with this sort of information, is aware of this type of attack and how to spot it. This is where a good security awareness training program really shines. Because this type of attack is so similar to CEO fraud (a.k.a. Business Email Compromise or BEC), that training does double duty when it comes to protecting the organization. Potential victims and senior leadership having a good knowledge of this type of attack, and of how effective it is, will go a long way toward getting the second part of your defense established.
That second part of the defense is to have a strong policy around handling large amounts of money or sensitive information. I like to call this the “pick up the phone first” policy and it amounts to exactly that. The policy should state that prior to sending any large amounts of sensitive information or transferring large amounts of funds with short notice, verbal (not text messaging or email) contact will be made with the requester to validate the request. Furthermore, the recipient of the email making the request should not use any phone numbers included in the requesting email to make the phone contact. They should instead use something like an internally published phone list or a known phone number to make the contact. This keeps the attacker from planting a phone number in the email, making the victim call them for confirmation.
This simple "pick up the phone first" policy, together with the training and awareness behind it, can make a huge difference when it comes to protecting your organization against this sort of attack.
More Info
If you would like more information about training your staff to identify this attack vector, check us out at https://www.knowbe4.com. We have a lot of free resources and tools to help you stay protected, as well as an industry-leading security awareness training and simulated phishing platform that you can use to educate your employees on how to spot the latest cyber threats and stay safe online.
Jason's Deli investigates possible data breach https://t.co/a7gUD5WGKU
— Madsqu1rrel (@ErichKron) December 29, 2017