Fraudsters Exploit Hurricane Matthew to Create More Victims

Hurricane Matthew is over — having been officially downgraded on Sunday — and a clearer picture of the aftermath has begun to emerge. More than 1,000 people were killed by the hurricane, including at least 35 in the United States. Although the storm has moved out to sea, flooding continues here in the U.S., and in Haiti, which was hit hardest by the storm, officials are warning of the possibility of starvation and the spread of Cholera.

With the world’s attention focused on the natural disaster, cybercriminals are once again capitalizing on the devastation with a wave of phishing attacks and other scams. The South Carolina Emergency Management Division is warning Hurricane Matthew victims to be wary of any emails, phone calls and text messages — as well as scams impersonating one of the thousands of disaster workers expected to travel to the state.

US-CERT is also warning of deceptive donation requests that attempt to steal financial information from those who wish to help the victims.

HurricanePhishign.PNG
Alert from US-CERT

As US-CERT noted, this type of activity commonly occurs after natural disasters. Cybercriminals are always looking for new individuals to target, and national disasters provide a large bucket of concerned people that can potentially be exploited.

Similar warnings were issued following:

  • August flooding in Louisiana, which led to concern over fraudulent charity requests that attempt to steal personal and banking information or infect devices with malware.
  • The May wildfire in Alberta, Canada, which forced 90,000 people to evacuate and led to individuals impersonating evacuees and using fake websites and Go Fund Me pages to mimic disaster relief programs.
  • April floods in Texas, which FEMA warned would likely lead to scammers impersonating building contractors, FEMA employees, and volunteer groups in order to steal sensitive personal information.

“Fraud is an unfortunate reality in post-disaster environments,” said National Insurance Crime Bureau CEO Joe Wehrle in a press release warning of Hurricane Matthew rebuilding scams. “The last thing victims of disaster need is to be victimized again.”

As SurfWatch Labs noted earlier this year, social engineering is one of the most difficult problems related to cybersecurity. It’s also one of the most common tags in SurfWatch Labs’ cybercrime data.

2016-10-12_socialengineering
Email phishing remains the most common form of social engineering due to the ease of targeting a large number of potential victims.

Social engineers often use a few simple and effective tactics in order to dupe their victims. These include having a simple backstory, appearing as though they belong and projecting authority.

One of the reasons cybercriminals capitalize on events such as Hurricane Matthew is that it is very easy for them to use that trifecta of tactics. The natural disaster provides an instant backstory that is immediately understood by a large number of people. People are expecting to see a wide variety of victims and volunteers both seeking and offering help, so its easy for fraudsters to appear as though they belong. Victims are expecting to have to deal with authority figures, making it easy to impersonate government officials, insurance agents or other disaster workers.

Some tips to help stay safe when it comes to social engineering include.

  • Never click on links or open attachments unless you know who sent it and what it is. Malicious email attachments and links are among the most common ways for cybercriminals to spread malware and steal information.
  • Never reply to emails, text messages, or pop-ups that ask for personal information.
  • Cybercriminals may use a combination of fraudulent emails and phone numbers to increase their appearance of authority. Always verify that communication is valid by contacting the organization directly before providing any sensitive information.
  • If donating to a charity, make sure it is one you know and trust. The FTC recommends checking out charities via the Better Business Bureau’s (BBB) Wise Giving Alliance, Charity Navigator, Charity Watch or GuideStar.

Typosquatting: Easy Attack Vector That Produces Results

Every week here at SurfWatch Labs our team of threat analysts write about new vulnerabilities, malware developments and cyber-attacks.  One attack vector that is not mentioned very frequently but can be a significant threat for organizations and consumers alike is a technique called typosquatting.

Typosquatting is an attempt to trick users into thinking they have landed on their desired website, but in reality the user has landed on a website with a similar looking domain name that is controlled by cybercriminals. It’s an old technique, and security-conscious organizations often try to secure those domain variations that arise from typos.

However, a study last year described how companies remain vulnerable to typosquatting and found that most organizations do very little to protect their customers from the threat.

Key findings from the study:

  • Few trademark owners protect themselves against typosquatting by defensively registering typosquatting domains for their own domains.
  • The study found that 95% of the most popular 500 websites researched were targeted with typosquatting.
  • Hackers are increasingly targeting longer domains.
  • Some companies secure potential typosquatting domains but then choose not to renew them, leaving them vulnerable.

TypoSquatting Attack Example

A great example of a typosquatting attack was used against the popular online first-person shooter game Counter-Strike: Global Offensive. The hackers set up a convincing spoof, tricking gamers into believing they were on a legitimate site for the game. The fake site was listed as csgoloungcs.com, while the legitimate site is csgolounge.com.

Not only were visitors of the fake site tricked into sharing their login credentials, a Trojan downloader was pushed on them, leading to malware infections.

Another example found malicious actors taking advantage of the .om top level domain. Earlier this year, Netflix users who mistyped the address as netflix.om were redirected to a fake Flash update page.

Typosquatting is one example of the many opportunistic type of threats facing organizations. It doesn’t require sophisticated techniques, and it’s an easy way to leverage popular brands in order to entrap customers who aren’t aware of such scams.

Typosquatting scams can lead to a variety of consequences for users — from account takeover to identity theft — and those consequences can easily spill over to the organizations being impersonated in the form of disgruntled customers, bad press, or having to deny a breach when stolen credentials are put up for sale on the Dark Web.

All that trouble can be largely avoided by being vigilant about identifying common typographical mistakes related your organization’s domains and purchasing them to keep them out of malicious actors’ hands.

BEC Scams Continue to Plague Businesses

In a year where ransomware is receiving massive amounts of attention, there is another threat that continues to grow – Business Email Compromise (BEC) scams. The FBI has issued two warnings about this threat in 2016. The first warning was bad enough, with the FBI estimating BEC scams have accounted for about $2.3 billion is losses from 17,642 victims. Unfortunately, the latest warning has increased these figures.

The FBI is now saying that money lost from BEC scams is over $3 billion dollars, with more than 22,000 victims falling prey to this attack.

“The BEC scam continues to grow, evolve, and target businesses of all sizes,” the FBI warning read. “Since January 2015, there has been a 1,300% increase in identified exposed losses.”

The warning went on to say that victims of BEC scams have appeared in all 50 U.S. states as well as 100 countries throughout the world. Another noteworthy piece of information is where the money lost in these scams is ending up.

“Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” the alert read.

In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions. The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.

Money is the ultimate goal of a BEC scam. Many cases involve attempting to create a scenario where a money transfer takes place. The 2015 tax season demonstrated a new method for BEC scams — W-2 data theft.

Tax fraud was abundant in 2015. In many of these documented events, a BEC scam was used to compromise company W-2 information.

“Fraudulent requests are sent utilizing a business executive’s compromised email,” the FBI alert stated about BEC data theft scams.

“The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.”

The alert from the FBI pointed out that BEC scams aimed at obtaining data first appeared during the 2015 tax season.

Employees are the primary targets of BEC scams. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

What Can We Learn About Social Engineering From Impersonation?

With organizations losing billions of dollars due to business email compromise scams and thousands of employees having their W-2 information sent to criminals each week, it can be easy to think, “How can people be so dumb and keep falling for these same tricks?”

When it comes to socially engineering an employee, most people think of email phishing
— and last week we discussed some ways to defend against those threats — but I think the best way to truly understand those cyber threats is to first remove those technology aspects and look at one of the oldest cons around: impersonation.

I love a good impersonation story. Don a disguise. Create a good backstory. Trick some people into doing something they shouldn’t.

It makes for great drama.

Unsurprisingly, when researching how businesses are being compromised by social engineers, nearly all of my favorite examples involved the tactic. Impersonation stories are important because they highlight how simple and effective techniques can be used to lead to a major compromise at an organization.

For example, Christopher Hadnagy, CEO of Social Engineer, Inc., recounted on our social engineering podcast how two ticket-less fans were able to watch the Super Bowl from $25,000 seats by sneaking into the event with a group of first aid workers and then simply acting “super confident.”

Likewise, Chris Blow, a senior advisor at Rook Security, likes to pretend to be an exterminator to test a company’s security. In one instance, he was thwarted by a well-trained receptionist who noticed the con; however, all he had to do was drive around back and find more “helpful” employees — who then let him into sensitive areas where he could access a variety of valuable information.

They Literally Handed Him Their Money

My favorite social engineering story occurred decades before email became popular and everyone learned of the term “phishing.” It was done by conman turned FBI consultant Frank Abagnale, who claims to have duped dozens of individuals into handing him their businesses’ money simply by posing as a security guard.

As the story goes, Abagnale noticed how car rental companies would deposit their money in an airport drop box each night, so he bought a security guard outfit and put a sign over the drop box saying “Out of service, place deposits with security guard on duty.”

According to his autobiography, he stood there amazed as people handed him a total of $62,800.

You may hear that story and wonder why all of those people would trust some random guy with a sign. But is that any different than the cybersecurity pros today who are dumbfounded when a person gives their password to an “IT guy” over the phone? Or when an employee hands over their credentials because an email told them to do so?

Simple, effective scams work, have always worked, and when done in person by a skilled social engineer, can be even more effective.

Defending Against Social Engineering

What can we learn from these impersonators?

For one, social engineering is very effective, which is why the FBI and others are warning of a dramatic increase in business email compromise (BEC) scams. From October 2013 through February 2016, from just this one type of social engineering, there were more than $2.3 billion in losses across 17,600 victims.

Scam artists understand precisely how easy it can be to dupe people, and the same techniques are used in social engineering via phishing and phone. The story above is one of my favorites because Abagnale combines three of those common tactics in one scam: a simple backstory, appearing as though he belongs, and projecting authority.

  1. A Simple Backstory — Whether in person, over the phone or via email, scammers will have all sorts of stories that prey on people’s desire to help. Those handling sensitive information such as W-2 information should always be skeptical about who and why they are sharing that information, but that is often not enough. Having clear policies for employees to fall back and procedures for sharing sensitive information on can help ensure an employee does not get duped due to their desire to be helpful.
  2. Appearing as Though They Belong — As the FBI noted in a BEC warning, it’s important to know the habits of customers, coworkers and vendors and to beware of any significant changes. A person may appear as though they belong by impersonating those who have legitimate access. In some BEC attacks, the malicious actors compromised email accounts and waited for weeks or months to learn the communication habits before attempting their scam. Employees should be encouraged to report any suspicious activity and be continuously trained so that the front line of defense is armed to look out for the latest and most relevant social engineering threats.
  3. Projecting Authority The impersonation of authority figures is a large reason for the billions of dollars being lost to these social engineering scams. Just because a call or email appears to come from the CEO or other figure, be wary of any attempts to disclose data or gain access. Authenticating important requests through several channels such as both email and phone can help to prevent many social engineering attempts.

People want to be helpful. They tend to trust others. Good social engineers exploit those tendencies. The influx of technology has only expanded the reach of scam artists; the techniques remain the same. If an organization and its employees understand why social engineering works, then it’s much easier to combat some of those common tactics and keep the business safe.

Social Engineering – Security’s Big Problem and How to Fight Back

Pick any recent data breach. It could be a high-profile one or one of the many that never make national headlines. If we were to follow the string of events back to the beginning of that compromise, what would we find?

Chances are, it’s an employee getting duped by a cybercriminal.

In fact, one could make the case that social engineering is the single biggest issue facing organizations when it comes to cybersecurity. No matter how big of a fortress you build, all it takes is one employee to open the gate and let the bad guys walk into the heart of a business.

One of my favorite cartoons sums up the issue facing businesses:

Source: John Klossner

With all of the recent W-2 breaches in the news this year, I’ve been thinking once again about the issue of social engineering. What can businesses do? It seems every article I read only points out the problem and then makes vague references to “awareness.”

In 2015 SurfWatch Labs interviewed a variety of people to try to get to the heart of that question, and I think it’s a good idea to revisit that conversation eight months later. After all, it is a problem that will never go away.

Essentially, everyone agrees that a three-pronged approach is the key to limiting the success of cybercriminals using social engineering tactics:

  1. Use technology and tools to limit the exposure to social engineering
  2. Train employees so those social engineering attempts that do get through are less successful
  3. Realize that even the best trained organizations aren’t perfect, so have tools and a response plan in place to limit the potential damage

Let’s briefly expand on the first two points about prevention.

Limiting Exposure to Social Engineering

Technology is getting better at limiting users’ exposure. Take email as an example. In 2006 about 30 percent of an average Hotmail user’s inbox was spam — a huge problem. By 2012 that number was down to 3 percent. In July 2015, Google released its latest numbers, and less than 0.1 percent of the average Gmail inbox was spam.

The less malicious activity that gets through an organization, the less potential there is for an employee to make a mistake. There are several ways an organization can go about this goal, as have been outlined by many groups and organizations dedicated to fighting social engineering such as the Anti-Phishing Working Group.

Some best practices specific to phishing include:

  • Filtering and endpoint technologies – Filtering technologies are great at catching high-volume, low customization spam. Endpoint solutions can also combat things like malicious attachments.
  • Blocking images, links, and attachments – Disabling images and links in emails from untrusted senders can help users identify legitimate emails and prevent employees from clicking malicious links. Disabling Microsoft Office macros from Internet-obtained documents can help block a common attack vector that has led to many recent data breaches.
  • Web traffic filtering – There are many websites that are known to steal user credentials. These phishing websites are often collected into lists by both commercial vendors and free services like PhishTank. Blocking access to these sites can limit the opportunity for users to fall victim to social engineering.

Some other areas that can be useful in preventing social engineering include:

  • Authentication – Malicious actors will often impersonate others outside of email, so it is important to have strong ways to authenticate users.
  • Physical security – Physical security limits the ability for unauthorized individuals to access areas, eavesdrop on conversations, and use baiting (like dropping a malware-loaded USB stick). The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.

Training Employees and Raising Awareness

Even with security technology in place, employees will still make mistakes. Security company RSA learned this in 2011 when a phishing email targeting four low-level employees was caught by a filter and placed in their junk folders; however, one of the employees enticed by headline — “2011 Recruitment plan.xls” — retrieved it from the folder and opened the attachment, leading to a compromise that cost the company $66.3 million.

That is why training and awareness is often touted as the most important and cost effective step in combating social engineering. According to the 2016 Verizon Data Breach Investigations Report, 30% of phishing messages were opened and 12% went on to click the malicious attachment. And in 2016 phishing is on the rise, according to SurfWatch Labs data. Additionally, a recent Ponemon Institute study examining six proof of concept studies found that phishing training led to employee click rates being reduced between 26-99%.

This lead Ponemon to conclude, “Assuming a net improvement of 47.75%, we estimate a cost savings of $1.80 million or $188.40 per employee [for the average organization].”

Some of the do’s and don’ts of a good security training program include:

Social engineering is one of the biggest cyber threats facing organizations; however, many businesses devote relatively few resources to addressing this problem. Implementing  technology and tools to limit the exposure to social engineering and training employees may be the most cost effective way for many organizations to significantly improve their cyber risk.

W-2 Data Breaches Were Abundant During 2015 Tax Season

The 2015 tax season has ended, signaling a potential break in the number of tax-related data breaches we read about in the news. The list of companies suffering from these cyber-attacks seemed to grow weekly and nearly 100 companies have been publicly tied to W-2-related breaches in 2016. SurfWatch Labs collected a multitude of CyberFacts pertaining to W-2 and tax data breaches during the 2015 tax season.

2016-04-25_Tax_groups
Tax-related cybercrime impacted companies across a wide variety of industry groups in 2016.

The IRS, predictably, has the most CyberFacts related to tax and W-2 cybercrime in 2016. The IRS has suffered massive data breaches within the last year. In 2015, the IRS exposed 700,000 taxpayer accounts through its “Get Transcript” service. Last February, the IRS was breached again, with more than 100,000 stolen Social Security Numbers used to successfully access an E-file PIN. Events like these have lead to predictions that the IRS will lose $21 billion to cyber fraud and fake tax returns in 2016.

Surprisingly, the group Higher Education also received a lot of discussion, with the high profile W-2 data breach at the University of Virginia leading the way in terms is discussion.

2016-04-25_tax_itt
The chart above lists the top trending organizations pertaining to tax and W-2 cybercrime for the most talked about industry groups. The IRS garnered the most discussion of any organization. 

IRS and FBI Release Warnings About Tax Fraud

In March, the IRS released an alert about tax fraud which described various methods used by criminals to obtain W-2 and tax information. The alert provided information on several areas individuals and organizations leave themselves vulnerable to compromise:

Abusive Return Preparer
Taxpayers should be very careful when choosing a tax preparer. While most preparers provide excellent service to their clients, a few unscrupulous return preparers file false and fraudulent tax returns and ultimately defraud their clients. It is important to know that even if someone else prepares your return, you are ultimately responsible for all the information on the tax return.”

Abusive Tax Schemes
“Abusive tax scheme originally took the structure of fraudulent domestic and foreign trust arrangements. However, these schemes have evolved into sophisticated arrangements to give the appearance that taxpayers are not in control of their money. However, the taxpayers receive their funds through debit/credit cards or fictitious loans. These schemes often involve offshore banking and sometimes establish scam corporations or entities.”

Nonfiler Enforcement
“There have always been individuals who, for a variety of reasons, argue taxes are voluntary or illegal.  The courts have repeatedly rejected their arguments as frivolous and routinely impose financial penalties for raising such frivolous arguments.  Take the time to learn the truth about frivolous tax arguments.”

The FBI also released a warning in March related to the rise of Business Email Compromise (BEC) scams targeting businesses and individuals within organizations. BEC scams have gained notoriety for defrauding organizations out of money. However, BEC scams can also be used to obtain information from organizations — including W-2 and tax information.

“Based on complaint data submitted to IC3, B.E.C. victims recently reported receiving fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information prior to a traditional BEC incident,” the warning read.

A “traditional” BEC attack starts with a fraudulent request that is sent utilizing a high-ranking executives spoofed email. In this case, the email is sent to a member of an organization who handles employee W-2 and tax information. The email will appear to be an urgent message requesting all employee W-2 information.

This is what happened at Sprouts Farmers Market, which is facing a class action lawsuit after an employee fell for a BEC scam and forwarded W-2 information on all 21,000 of the company’s employees to a malicious actor.

Protecting Yourself From Tax Fraud

One of the biggest vulnerabilities we face concerning our data is that it is handled by other human beings. Humans make mistakes, and cybercriminals capitalize on this. Since corporations cannot guarantee your data will be safe in their hands, you must remain vigilant and prepare yourself for the possibility that your tax information could be stolen.

Here are a few tips on protecting yourself from tax fraud in 2016:

File Your Taxes Early: The early bird gets the worm; this also rings true when filing tax returns. If you file your tax return before a criminal does you’re in a much better position, as the tax return will already be marked as filed, preventing anyone else from filing a tax return with your credentials.

Avoid Password Reuse: Poor password management is one of the leading problems in cybersecurity. Remembering passwords can be cumbersome, so we do what is in our nature — we take shortcuts. Unfortunately, taking shortcuts on password management can lead to many problems. Employees have historically been shown to use the same password across several accounts, which could leave an organization vulnerable to compromise. In this scenario, a cybercriminal could obtain an employee’s login credentials from another site (Facebook is a good example) and use it to log into several accounts — even the employee’s account within an organization. Make sure employees are aware of the problems with password reuse. Also, make sure passwords are utilizing capitalization, numbers, symbols and are at least 8 characters long. Organizations can take this one step further and enable two-factor authentication, which would require an additional login step before employees, or malicious actors, could access accounts.

Educate Employees About BEC Scams: Employees are one of the primary targets in tax fraud. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.

Deploy Security: While there are plenty of examples that show security tools are not a 100% guarantee of protection, features such as firewalls and antivirus software are paramount when it comes to securing your data. It is also important to make sure these tools and other software — such as your operating system — are current on updates. The latest updates could provide patches to vulnerabilities in older versions of the software.

Gone Phishing in Q1 2016

We’re already a quarter of the way through 2016, and a clear trend is the rise of social engineering. Based on the cyber event data that we’ve collected, roughly 25% of all targets can be tied to a social engineering attack. This is the highest percent we’ve seen since the beginning of 2015, and over the last 6 months the share of social engineering attacks have doubled.

2016-04-04_ITT_socialengineering

Just a few examples of common social engineering practices include:

  • Phone calls from a “Microsoft customer support representative” who needs remote access to your computer to fix an issue
  • Leaving an infected USB stick in a parking lot that when found and inserted into a computer by an unsuspecting person, malware/spyware is dropped onto the machine

However, the largest percentage of social engineering attacks (25%+) revolve around different types of phishing. While email is the most common delivery method, phishing attempts are made through text messages, Facebook, etc.

Over the weekend I received several phishing emails from individuals I know. These emails weren’t spoofed to make it look like they were coming from people I know, but actually sent from their email accounts without their knowledge.

The emails were both related to a “signed document” that needed my attention — except I had no previous knowledge any e-docs to sign should be coming my way. Of course, that’s because they should not have been coming at all.

Having been in the security industry as long as I have, I am cautious (or some would say paranoid) — especially compared to friends and family who say they “get it,” but don’t really. Even still, these emails came from legit addresses from people within my circle, and the content within the emails also looked reasonable. Luckily, I knew better, but many don’t.

Here are some quick security tips to consider when it comes to phishing attacks:

  1. Watch out for spoofed email addresses. Confirm the sender of the email is an address you recognize/know. Don’t just check the name in the “From” field, but actually look at the email address. This tip would not have made a difference in the instance above, but it is still a good way to catch a phishing email.
  2. Do not blindly trust links within an email. Banks and credit cards are usually pretty good about directing you to type in the url to go to their homepage and how to navigate to a specific place if necessary, as opposed to including links in their communications to you. This is a good practice to follow with any emails that include links. In my situation the links sent looked like DocuSign links, with familiar DocuSign branding and all. But it was missing the security code. Links can also be spoofed, so make sure you know what it is you are clicking on before you click.
  3. If you have any questions, pick up the phone. Is a vendor asking you to provide information or is a contact of yours asking you to click on a link? Questioning it is good. Call the vendor or individual and have them confirm.

Social engineering is one of the trickiest types of attacks to prevent because it plays on human nature and less on technology. Looking at the intel so far in 2016, the bad guys are going back to a tried and true method for gaining access to sensitive information. Be aware and think before you click.