Erich’s “What in the (cyber) world is going on?” 11-28-16 edition

I hope everyone had a great Thanksgiving weekend, US peeps or not. I’ve been a bit busy working on my Raspberry Pi-powered, music-synced Christmas light project and have made some headway in that department. It’s going to be fun seeing if I can muster the time to get it up and running. That being said, let’s move on to the events of the last week or so:

San Francisco’s SFMTA (San Francisco Municipal Transportation Agency) Popped with Mamba Ransomware

Sucks to be them. Word is over 2112 machines were hit by Mamba, the full-disk-encrypting ransomware that replaces the MBR with its own boot loader so the machine can’t even boot into Windows, let alone open a file. Customers got free rides since the ticketing system was offline and the agency couldn’t just shut down the trains. On another note, the uber-cool Javvad Malik was quoted in the article as well.

Santa (well, the Russian version) got hacked

It looks like a bunch of kiddos in Russia who just wanted new toys, or food, or heat, or whatever have had their info (name, address, phone number, etc.) posted online thanks to 55 compromised websites. Oops. Just a friendly reminder to be careful what info you put out there, and to ask why a site needs it at all. I’m not sure why the sites would need all this info, as Santa already knows where everyone is (perhaps the Russian version is behind the times?) and what they want. The dude is kind of creepy and looks like he belongs in a windowless van with “Free Candy” written on the side if you ask me, but I’m just one guy.

Homeland Security Chief Cites Phishing as Top Hacking Threat

Looks like my message got through to Jeh Johnson, who stated that phishing is the top hacking threat. Not groundbreaking, I know, but it’s nice to see the leadership acknowledging it. I’m sure he heard it from me, and I’m available for interviews if you need me.  😉

Madison Square Garden Was Breached… For a Flippin Year.

So, yeah: “Cards used to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and Chicago Theater between Nov. 9, 2015, and Oct. 24, 2016, may have been affected.” That’s almost a year of card data walking out the door before anyone noticed. C’mon man!  SMH

UPCOMING STUFF:

So, I figured I’d put this out there as a shameless plug for me, myself and I. These are the things I’m up to in the next week or two:

As always, if you have an event and need a speaker who can talk about ransomware, phishing and similar fraud, let me know.

Have a great week

It’s that time of year – Beware of scammers more than ever

As we roll into Black Friday here in the US, the scammers are not taking any time off. In the hype of “too good to be true” deals, scammers operate more easily; after all, “70% off an iPhone” doesn’t raise an eyebrow this time of year. In addition, fake emails about a delayed shipment or a problem with an order will be hitting pretty hard, because everyone is expecting packages right now.

Hover over links in emails with your mouse before you click, so you know where the link is actually taking you; the text you see and the real destination often don’t match, and that mismatch is the tell. On a phone, where you can’t hover, long-press the link to preview the destination. When in doubt, type the retailer’s address in yourself instead of clicking, and do NOT open unexpected attachments.

Stay Safe everyone!

Erich’s “What in the (cyber) world is going on?” 11-21-16 edition

So, yeah… I’ve been away for a bit. It’s been a pretty crazy few weeks with a lot of traveling and some illness tossed in for good measure. Hanging out in “germ tubes” (some people call them airplanes) may have caught up with me, but things have not stood still, so let’s get started…

There was this election thingy.

Some folks are too happy, some are too sad, I for one am thrilled that the TV commercials are done. I spent about a week peeking into Facebook and leaving quickly to avoid the drama. It’s dropped off a bit (for me it seems) but there is still a lot of emotion going on. What does that mean? Phishing emails.

Any time there is an emotional or controversial event, expect the bad guys to capitalize on it, and be careful what you click on. In addition, a lot of light has been shone on fake news stories and other clickbait. Do your part: stay calm when you read something, and make sure your clicks are taking you where you think they are.

Black Friday

I’m already seeing a number of reports of Black Friday-themed phishing emails going around. Be careful: if it looks too good to be true, it probably is, even with Black Friday going on. Hover over the links to see where they really go, and look at the reply-to address, not just the display name on the From line.
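
One way to turn the hover-and-check advice (here and in the “Beware of scammers” note from the 11-28 edition) into something you can run over a suspicious message, as an added example that is not KnowBe4’s or the author’s code: it parses a message with Python’s standard email library, pulls every link out of the HTML body, and flags what a hover would show you (display text pointing at one domain while the real href goes somewhere else, or to a bare IP address) plus a Reply-To that doesn’t match the sender. The sample message is constructed for the example, the “last two labels” domain comparison is a deliberate simplification (a real tool would use the Public Suffix List), and the check only sees what is in the mail; it won’t follow redirects on the far side.

```python
"""Flag the phishing tells the post says to check by hand: display text that
doesn't match the real link target, links to raw IP addresses, and a Reply-To
that points somewhere other than the sender.

Added example; the sample message below is constructed, not a real phish.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from any real campaign).
SAMPLE_EMAIL = b"""\
From: "Amazon Deals" <deals@amazon.com>
Reply-To: orders@amaz0n-deals.example
To: victim@example.org
Subject: Black Friday - 70% off iPhone, 4 hours only
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your package was delayed. Track it at
<a href="http://198.51.100.23/track">https://www.amazon.com/track</a></p>
<p>Deal link: <a href="https://amazon.com/deals">amazon.com/deals</a></p>
<p>Questions? <a href="https://shop-bf-deals.example/x">Click here</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(url):
    """Lowercase host of a URL; adds a scheme when the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude 'last two labels' approximation of the registered domain.
    A real tool would consult the Public Suffix List (co.uk etc.)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_message(raw_bytes):
    """Return a list of (kind, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # "Look at the reply addresses": Reply-To on a different domain than From.
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    if reply_to and registered_domain(reply_to.rsplit("@", 1)[-1]) != \
            registered_domain(from_addr.rsplit("@", 1)[-1]):
        findings.append(("reply-to-mismatch",
                         f"From {from_addr} but replies go to {reply_to}"))

    # "Hover the links": what the status bar would show versus what you read.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = host_of(href)
            if IPV4.match(target):
                findings.append(("raw-ip-link", f"{text!r} -> {href}"))
            if LOOKS_LIKE_URL.match(text) and \
                    registered_domain(host_of(text)) != registered_domain(target):
                findings.append(("display-mismatch",
                                 f"shows {text!r} but goes to {href}"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_message(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

Run it as a script to see the three findings on the constructed sample, or pass `check_message()` the raw bytes of a saved .eml file. A “Click here” link is deliberately not flagged: there is no displayed URL to contradict, so that case still needs the human hover.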

 

Crysis decryption keys posted

And in some good news, it looks like these folks have taken their ball and gone home: the Crysis master decryption keys were posted publicly. If you were hit by Crysis ransomware, check out BleepingComputer for the keys and a decryptor. There is more on this in the KnowBe4 blog post today.

Madison County Indiana had a crappy week

The folks in Madison County, Indiana had a pretty lousy time when they got hit by ransomware and were down for about a week. It only impacted little things like, you know, the jail and stuff. Here are a couple of my favorite quotes from the stories I saw:

Herald Bulletin

Lisa Cannon, director of the county’s IT department, said the county will make sure the system is secure before new data is placed in the system. “We’re in the process of adding a backup system,” she said.

Infosecurity Magazine

“…both first responders and civic officials are logging all calls for service by hand. Anderson Police, the Madison County Jail and the county court systems are locked out.”

“On the sheriff’s office side, we cannot book people into jail using the computers. We are using pencil and paper like the old days.”

I’m thinking they should train their users as well, since a backup system bolted on after the fact only fixes half the problem.

New strain uses Social Media profile of victim

The folks at Proofpoint found a new variant of a browser locker called Ransoc that uses information scraped from the victim’s social media profile to add credibility to a totally BS extortion attempt dressed up as a “penalty notice”. According to multiple FBI Special Agents I have done presentations with, they will never notify you that you should pay a fine like this. They prefer the old knock-on-the-door-and-show-a-badge method. Besides that little detail, I do like the ol’ “All money will be refunded to you if you are not caught again within 180 days.” touch. Nice try.

That’s about all I have for today. Take care and be safe

Erich’s “What in the (cyber) world is going on?” 10-24-16 edition

Dyn Gets DDoS’ed

So, yeah. Dyn had a bad day on Friday as they were the victim of a massive DDoS attack. Reports point to another DDoS from a botnet of compromised IoT devices (the Mirai crowd: webcams, DVRs and routers still on their default passwords) hammering Dyn’s DNS service, which is why so many sites that rely on Dyn for DNS went dark along with it. It seems that I did not just imagine my toaster telling me, “My birth cry will be the sound of every <I.T. helpdesk> phone on this planet ringing in unison” last night. I am going to have a stern conversation with it when I get home from work and cancel my order of the internet-connected bidet. No good can come from that. In the meantime I have dealt with the lack of Twitter by writing short notes on mini Post-its and sticking them to the outside window of my office. I have very important things to say after all.

India Has Some Banking Stuff Going Down 

Axis Bank, the third largest private bank in India, dodged a bullet when Kaspersky Lab was nice enough to give them a call to let them know that a bad guy was in the system. It looks like they caught it quickly and no funds were lost. While it’s akin to another person telling you your fly is open, it beats having your pants fall off completely.

India’s largest bank, the State Bank of India (SBI), announced it had blocked over 600,000 debit cards that had been used at non-SBI ATMs the bank suspects were infected with ATM malware. This incident seems to be related to malware found on another ATM network last month. While blocking the cards was the right call, it might have been wise to tell people they were doing it. It seems a few folks were caught off guard when they suddenly couldn’t pay for stuff. Always an awkward feeling.

KnowBe4 Blogged About a Cool Phish

If you want to see a pretty complex attack, check out the blog. It was done by sending users a simulated forwarded Microsoft patch notification message. Pretty convincing really, and it has a twist at the end.

London is Being Targeted by Ransomware

It seems London is the European place to be for the ransomware elite. At least they are certainly trying hard to get there. According to Malwarebytes, London saw 670% more ransomware attacks than the #2 target, Manchester. Lord Voldemort was unavailable for comment.

While London is my favorite city in the world, what with its annual Christmas alien invasions, car-melting buildings and now this, it seems a downright dangerous place to live.

A Brit Gets Another Year Older

In what might be the most important news of the week, Javvad Malik (@J4vv4D) is another year older today. When you reach his age, each birthday is worthy of great celebration. Happy Birthday to you Javvad.

Some Bad Guys Get Nabbed

Two Romanian citizens got prison time for laundering money made with the Dridex banking trojan. One of them received almost years and the other 7 years in prison. This historic event is expected to reduce Dridex-related cybercrime by a whopping “NOT AT ALL”. Oh well. A token victory is still a victory.

ICANN has Completely Lost Its Mind

ICANN has decided that having domain names ending in things like .EXE, .PDF, .DOC, etc. is just fine. Think about what that means: “invoice.pdf” or “setup.exe” becomes a valid hostname, mail clients and chat apps will helpfully auto-link it, and a user has no way to tell a file from a link just by looking. I believe they have been sniffing the glue again. This is such a bad idea, it is mind blowing. Go home ICANN, you are obviously drunk.

Madsqu1rrel’s “What in the (cyber) world is going on?” 10-17-16 edition

Samsung

Samsung finally threw in the towel on the ill-fated Note 7, but not before Oculus made quite the statement by disabling the use of Note 7s in the Gear VR headset they make for Samsung. It seems they don’t want it to blow up in someone’s face. Pretty wise move if you ask me. Oh, it’s also banned on US flights now, period. Samsung is offering folks $100 toward a new phone when they trade in the Note 7 for something less explode-y. If you don’t trade for another Samsung device, you still get $25 for risking your life and sacrificing your dignity. On a plus note, we got this awesome story out of the ordeal:

Archaeologist: “First Humans Used Primitive Samsungs To Start Fires”

Scams
The KnowBe4 Scam Of The Week is… drum roll please… “Insidious New IRS Social Engineering Attack”. This is a social engineering scam that works to bilk you out of your hard-earned money by convincing you (or the elderly people in your life) that you owe the IRS money. Read the article for more detail, but the short of it is: the real IRS doesn’t initiate contact by email or text, so if you or a loved one gets an “IRS CP2000 form” that way claiming the income on your tax return doesn’t match what your employer reported, just can it. If that won’t let you sleep at night, call the IRS at 1-800-366-4484 to confirm (preferably from a pay phone in a neighboring county, just in case it’s true).

Another hot scam this week is: “Brad Pitt Found Dead (Suicide)”. This headline drew gasps from the ladies here when they heard it, so I guess it does tug at some heartstrings as intended. I must be dead inside, cuz I wouldn’t even bother to click on that headline. For the record, Mr. Pitt is NOT dead and Angelina appears to still be single, good news for both housewives who love Brad and those geeks reading this who are planning to emerge from their lairs (a.k.a. Mom’s basement) in an effort to woo Ms. Jolie. I hear even the “400lb hacker” is making plans. Good luck my friends!

I had already sent out some warnings, but it seems US-CERT was listening to me, as they published their own warning about Hurricane Matthew phishing scams. It’s not rocket science folks: when something major like this happens, the scammers are going to leverage it for their gain. They will use it to get folks to click on links or open documents, all of which lead to bad things. If you want to donate or help, go to the website of a reputable organization yourself; at the very least, don’t use any link or contact information from an email. Search for the org and contact them that way.

Yahoo!
Because! we! just! can’t! get! enough!, Yahoo! just got cheaper. Well, they think it is going to get cheaper by like a BILLION DOLLARS! Check your couch cushions folks, it’s ALMOST affordable. According to the WSJ, this may equate to a material adverse change (ya think!?) and Verizon is expected to smack Yahoo! about the head and shoulders (financially speaking) for not disclosing that little, um… oversight. “Oh, that half a billion (or more) records we lost?” Very likely this was the result of a phishing attack letting the bad guys into the network. Whoops.

Ransomware
CryPy is a new variant of ransomware that is designed to make life suck. While that is typical of other variants, this one is Python-based, disables the tools you might need to save your bacon (Registry Editor, Task Manager, CMD and the Run dialog, via the Windows policy registry values that switch them off) and then encrypts your files. And it’s not done yet. It encrypts each file with a unique key, then tells you it will start killing off a random file every 6 hours. After 96 hours it deletes the decryption key, effectively taking its ball and going home. It’s rumored to feed off Bitcoins and tears, one of which it will likely get either way. Still in its early stages, it’s not very prolific, but we want to keep an eye on this. Since the C&C seems to be a compromised server in Israel, geo-blocking might help for now if you can do it, but don’t count on it for long: a hacked web server is easy for the crooks to swap for one in another country.
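
As an added example (not from the page, Kaspersky or KnowBe4), here is detection logic for the “disable your tools” step, which is common to many ransomware families and not specific to CryPy. It assumes the well-known Windows policy registry values that turn off Task Manager, Registry Editor, CMD and Run, and Sysmon Event ID 13 (registry value set) records flattened to one pipe-separated field=value line each; that export layout, the sample events and the process name dropper.exe are constructed for the example. A single one of these values being set is weak evidence (Group Policy does it legitimately); one process setting several of them within seconds is the pattern worth alerting on.

```python
"""Detect the 'disable the tools you'd use to fight back' step: one process
setting the Windows policy registry values that turn off Task Manager,
Registry Editor, CMD and the Run dialog in a quick burst.

Added example. Assumes Sysmon Event ID 13 (RegistryEvent: Value Set) records
flattened to one pipe-separated field=value line each; that layout and the
sample events below are constructed, not taken from a real host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known Windows policy values, keyed by the tail of the registry path so
# one rule matches the HKCU, HKLM and HKU\<SID> spellings of the same value.
TOOL_KILL_VALUES = {
    r"Policies\System\DisableTaskMgr": "Task Manager",
    r"Policies\System\DisableRegistryTools": "Registry Editor",
    r"Policies\Microsoft\Windows\System\DisableCMD": "Command Prompt",
    r"Policies\Explorer\NoRun": "Run dialog",
}


def _ev(utc, image, target, details):
    """Build one constructed Sysmon-13-style record."""
    return f"UtcTime={utc}|EventID=13|Image={image}|TargetObject={target}|Details={details}"


MALWARE = r"C:\Users\bob\AppData\Local\Temp\dropper.exe"  # hypothetical name
HKU = r"HKU\S-1-5-21-1\Software"
SAMPLE_EVENTS = [
    _ev("2016-10-14 09:12:01.100", MALWARE,
        HKU + r"\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
        "DWORD (0x00000001)"),
    _ev("2016-10-14 09:12:01.150", MALWARE,
        HKU + r"\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
        "DWORD (0x00000001)"),
    _ev("2016-10-14 09:12:01.200", MALWARE,
        HKU + r"\Policies\Microsoft\Windows\System\DisableCMD",
        "DWORD (0x00000002)"),  # 2 = block cmd.exe but allow scripts; still disabled
    _ev("2016-10-14 09:12:01.250", MALWARE,
        HKU + r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
        "DWORD (0x00000001)"),
    # Benign: Group Policy clearing a value hours earlier (0 = re-enabled).
    _ev("2016-10-14 03:00:00.000", r"C:\Windows\System32\svchost.exe",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
        "DWORD (0x00000000)"),
    # Benign: an unrelated Explorer setting from the user's own shell.
    _ev("2016-10-14 09:12:05.000", r"C:\Windows\explorer.exe",
        HKU + r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "DWORD (0x00000001)"),
]


def parse_event(line):
    """Split 'k=v|k=v' into a dict; only the first '=' per field is a separator."""
    return dict(field.split("=", 1) for field in line.split("|"))


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None if not a DWORD."""
    if not details.startswith("DWORD (0x") or not details.endswith(")"):
        return None
    return int(details[len("DWORD ("):-1], 16)


def disabled_tool(target_object):
    """Name of the tool a registry path disables, or None if it isn't one."""
    for suffix, tool in TOOL_KILL_VALUES.items():
        if target_object.endswith(suffix):
            return tool
    return None


def find_tool_kills(lines, window=timedelta(seconds=60), min_tools=2):
    """Return {image: [tools]} for processes that disabled at least min_tools
    distinct recovery tools within `window`. Non-zero DWORD means 'disabled';
    a value set to 0 is a re-enable and is ignored."""
    per_image = defaultdict(list)  # image -> [(timestamp, tool)]
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        tool = disabled_tool(ev["TargetObject"])
        if tool is None or not dword_value(ev["Details"]):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        per_image[ev["Image"]].append((ts, tool))

    hits = {}
    for image, events in per_image.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = {t for ts, t in events[i:] if ts - start <= window}
            if len(burst) >= min_tools:
                hits[image] = sorted(burst)
                break
    return hits


if __name__ == "__main__":
    for image, tools in find_tool_kills(SAMPLE_EVENTS).items():
        print(f"{image} disabled: {', '.join(tools)}")
```

The burst window and the `min_tools` threshold are the two knobs to tune against your own baseline; the svchost.exe event shows why a bare “value was set” rule is too noisy on its own.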

Other News

There was a privacy breach at a Vancouver pot dispensary revealing medical info (and the fact that you use a dispensary). Dude… harsh man.

Have a great week and stay safe out there

Erich’s “What in the (cyber) world is going on?” 10-10-16 edition

Samsung

Samsung continues its full frontal attack on the masses. First it was Note 7’s spontaneously catching fire, then it was washing machines exploding. Now it’s the replacement Note 7’s continuing their reign of flaming terror across airports and homes across the country.

The Samsung “Smart Home” is turning into more of a Halloween Home of Horror. Keep an eye on those fridges, y’all!

Ransomware

We saw some new ransomware activity last week. This stuff doesn’t necessarily encrypt the files, but renames them and demands a ransom to restore them. In addition, it spreads like a worm by infecting executable files. Not cool man, not cool. While it does seem to have a bit of an identity crisis (am I a worm? Am I ransomware? I have no idea!), it’s something to keep an eye on either way, because a file infector means one click can leave copies of it in every shared drive and cloud-synced folder the user can write to. More info: https://blog.knowbe4.com/cyberheistnews-vol-6-40-this-weird-ransomware-strain-spreads-like-a-virus-in-the-cloud

Yahoo!

Let’s just face it, if you have ever had a Yahoo! account, used a Yahoo! search engine, uttered the word Yahoo! or even heard of Yahoo!, you can assume you have been pwned. Just change all of your passwords, rename your pet and have your mom change her maiden name because nothing is safe anymore. 1 billion accounts… sheesh.

Imagine for a moment how this would impact us all if these sorts of things happened with authentication methods such as biometrics, which you can’t change. A stolen password gets reset; a stolen fingerprint template is stolen for life. Something to consider as we start going down that path. Who would you trust with that data?

Scams

There is a scam going around claiming to be from the IRS (shocking, right?) using a phony CP2000 notice in emails, text messages, live calls and perhaps even snail mail, tying itself to the Affordable Care Act. Warn your folks and tell them they can call the IRS at 1-800-366-4484 to confirm whether it’s legit.

Hot Topic Phishing

Remember that when something major happens in the news (debates, attacks, deaths, product launches, exploding “smart” devices, etc.) there is an inevitable phishing campaign soon to follow. Keep an eye open for these and warn your family and users. Don’t be a victim lest you be the subject of the next campaign.