CyberheistNews | KnowBe4

CyberheistNews Vol 7 #13

In an update on an earlier issue in April 2016, more detail surfaced about this massive CEO fraud spear phishing attack that tricked two American tech companies into wiring a whopping 100 million to bank accounts controlled by a crafty scammer in Lithuania. The press was all over this like white on rice, not mentioning that it initially was discovered in April of last year. The big mystery is exactly which two companies fell victim, because the court documents do not reveal the names. Who knows which companies were involved? Let's crowdsource this mystery: if you know for certain, email the information anonymously to feedback@knowbe4.com.

I'm quoting a snippet from The Verge here:

"According to a recent indictment from the U.S. Department of Justice, a 48-year-old Lithuanian scammer named Evaldas Rimasauskas managed to trick two American technology companies into wiring him 100 million dollars. He was able to perform this feat "by masquerading as a prominent Asian hardware manufacturer," reports The Verge, citing court documents, "and tricking employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries."

What makes this remarkable is not Rimasauskas' particular phishing scam, which sounds rather standard in the grand scheme of wire fraud and cybersecurity exploits. Rather, it's the amount of money he managed to score and the industry from which he stole it. The indictment specifically describes the companies in vague terms. The first company is a "multinational technology company, specializing in internet-related services and products, with headquarters in the United States," the documents read. The second company is a "multinational corporation providing online social media and networking services." Both apparently worked with the same "Asia-based manufacturer of computer hardware," a supplier that the documents indicate was founded some time in the late '80s."

The court documents don't reveal the names of the two companies. It's fun to speculate though. Facebook, Apple, Cisco and HP come to mind. Here is the full affidavit at Scribd:

And to know that all this could have been prevented with effective security awareness training! Training your employees to always keep security top of mind is one of the single most effective preventative measures against CEO fraud. Any kind of email regarding financial transactions should be looked at closely before any action is taken. Most fraudulent emails like this create a sense of urgency. A simple phone call could be what keeps your company out of the headlines (or you can try to seal court documents, which will ultimately fail).

Check Point Software blogged about Chinese hackers who have taken smishing to the next level, using a rogue cell phone tower to distribute Android banking malware via spoofed SMS messages. Security researchers at Check Point discovered that Chinese hackers are using fake base transceiver stations (BTS towers) to distribute "Swearing Trojan," an Android banking malware.

Smishing (phishing attacks sent via SMS) is a type of attack where the bad guys use spoofing to social engineer mobile users into downloading a malware app onto their smartphones, or to trick victims into giving out sensitive information. The maximum range of a BTS antenna is between 10-22 miles, so this technique is very sophisticated and successful in targeted attacks. This is the first-ever reported real-world case in which the bad guys used a BTS, a piece of equipment usually installed on cellular telephone towers, to spread malware.

The phishing SMS, which masquerades as coming from the Chinese telecom service providers China Mobile and China Unicom, contains very convincing text with a link to download a malicious Android APK. Since the Google Play Store is blocked in China, the SMS easily tricks users into installing the APK from an untrusted source. "Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware," Check Point said in their blog post.

Once installed, the Swearing malware distributes itself by sending automated phishing SMSes to the victim's contacts. Noteworthy is that, to avoid detection, the Swearing trojan doesn't connect to a C&C server but uses SMS or email to send stolen data back to the bad guys. Check Point said: "This provides the malware with good cover for its communications and hinders attempts to trace any malicious activity."

This is a great example of why you need to constantly train your users and keep them on their toes with security top of mind.

Our training module Mobile Device Security explains how users can arm themselves against attacks like this. It's easy. You can now get access to the ModStore Preview Portal to see our full library of security awareness training content, including 300+ interactive modules, videos, games, posters and newsletters. There is no cost. Get started here:

Does DoubleAgent Turn Antivirus Into Malware? We Are Calling BS on That.

It was all over the press. Initially reported by Bleepingcomputer and picked up by sites like Engadget, they all went gaga over a new technique that supposedly allows the bad guys to take over your computer by "turning your antivirus into malware." Here is an example snippet:

"Security researchers from Cybellum have discovered another technique cyber criminals can use to take over your computer. The zero-day attack called DoubleAgent exploits Microsoft's Application Verifier tool, which developers use to detect and fix bugs in their apps.

Developers have to load a DLL into their applications to check them, and Cybellum's researchers found that hackers can use the tool to inject their own DLLs instead of the one Microsoft provides.

In fact, the team proved that the technique can be used to hijack anti-virus applications and turn them into malware. The corrupted app can then be used to take control of computers running any version of Windows from XP to the latest release of Windows 10."

And then they tested some AV apps and, sure enough, a bunch of them could be exploited this way. But then, any app on the machine could be treated the same way. Some AV companies issued patches and said they had fixed the problem. Some news sites even had a video showing how DoubleAgent "can turn an anti-virus app into a ransomware that encrypts files until you pay up." Yeah, sure.

We're Calling BS

The non-technical press is missing that you need to make registry changes, and therefore need admin access to the machine to begin with, so this whole code injection technique is cute, but nothing to write home about.

The bad guy already owns the machine! This story is only about using Application Verifier in a post-breach situation. The only AV company that stood their ground was Symantec and they said the right thing:

"After investigating this issue we confirmed that this PoC does not exploit a product vulnerability within Norton Security. It is an attempt to bypass an installed security product and would require physical access to the machine and admin privileges to be successful. We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."

Good for you Symantec.
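Since the whole technique hinges on a registry change an admin has to make, the useful thing for a defender is to audit for that change. The script below is an added example (not from this newsletter, Cybellum, or any AV vendor) that lists which executables on a Windows host have an Application Verifier provider DLL registered under Image File Execution Options and who signed each DLL. It assumes, from how Application Verifier works rather than from anything stated on this page, that the 0x100 bit of GlobalFlag turns the verifier on for an image and that VerifierDlls names the provider DLLs loaded from System32.

```powershell
# Added example, not from the newsletter or any vendor: audit Image File
# Execution Options (IFEO) for Application Verifier provider DLLs, the registry
# change the DoubleAgent technique depends on. Assumed (not stated on the page):
# the 0x100 bit (FLG_APPLICATION_VERIFIER) of 'GlobalFlag' enables the verifier
# for an image, and 'VerifierDlls' lists provider DLLs loaded from System32.
# Run from an elevated prompt so every IFEO subkey is readable.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-VerifierDllAudit {
    [CmdletBinding()]
    param([string[]]$Roots = $IfeoRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props   = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $flags   = [int]($props.GlobalFlag)            # missing value becomes 0
            $enabled = ($flags -band 0x100) -ne 0
            $dlls    = @("$($props.VerifierDlls)" -split '\s+' | Where-Object { $_ })
            if (-not $enabled -and $dlls.Count -eq 0) { continue }
            if ($dlls.Count -eq 0) { $dlls = @('(none listed)') }

            foreach ($dll in $dlls) {
                $path   = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $dll
                $signer = 'missing'
                if (Test-Path -Path $path -PathType Leaf) {
                    $sig    = Get-AuthenticodeSignature -FilePath $path
                    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
                }
                [pscustomobject]@{
                    Image       = $key.PSChildName
                    VerifierOn  = $enabled
                    VerifierDll = $dll
                    Signer      = $signer
                    # A provider that is not a validly Microsoft-signed DLL deserves a closer look.
                    Suspicious  = ($dll -ne '(none listed)') -and ($signer -notmatch 'O=Microsoft Corporation')
                }
            }
        }
    }
}

# Typical use: every image with a verifier provider registered, suspicious entries first.
Get-VerifierDllAudit | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

On a clean machine the list is normally empty or contains only Microsoft-signed entries left by a developer's own Application Verifier session; anything else is exactly the post-breach registry change the article describes and belongs in your IR ticket.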

Warm Regards,

Stu Sjouwerman