Verizon: “Most Breaches Trace to Phishing, Social Engineering

BankInfoSecurity wrote: “90% of data breaches seen by Verizon’s data breach investigation team have a phishing or social engineering component to them. Not coincidentally, one of the hottest commodities on underground or dark web marketplaces are credentials, which attackers can use to log into enterprises and make it appear that they’re legitimate users.”

“Because organizations don’t have multifactor [authentication] rolled out, it makes it trivial to get in,” says Chris Novak, director of global investigative response for Verizon, in a discussion about the company’s latest Data Breach Digest, a companion report to the company’s annual Data Breach Investigations report (see Verizon’s Latest Breach Report: Same Attacks, More Damage).

In an audio interview with Information Security Media Group at the recent RSA Conference 2017 (see link below illustration), Novak discusses:

  • Nitty-gritty details of what organizations go through when they suffer a breach;
  • Organizations’ ongoing inability to know where their top assets are and on which systems that data gets stored, especially after merger and acquisition activity;
  • The move by even non-European organizations to comply with the EU’s General Data Protection Regulation.

Novak is a co-founder and the director of the Verizon Investigative Response Unit – a division of the Verizon RISK Team. He’s also worked as a principal for Cybertrust and a senior security consultant for Ubizen.” We recommend you listen to the 10-minute interview here:


If you are not a KnowBe4 customer yet, at times like this, it is very good to know what percentage of your users are vulnerable to social engineering attacks. We recommend you do your free Phishing Security Test and find out what the phish-prone percentage of your users is.

Stu Sjouwerman
Founder and CEO, KnowBe4, Inc.



Scary new malware hides in memory, uses DNS to communicate, and spreads through phishing

Cisco has a separate threat research group called Talos. They just published a report on a scary new form of malware that’s hard to detect.

They call it DNSMessenger. The malicious code uses Microsoft PowerShell scripts to keep itself in memory and talks to its command-and-control server over DNS, the compromised machine’s normal name-resolution traffic.

It’s distributed through a phishing campaign with a Microsoft Word document attached, trying to look like a known or reputable source.

Once the user opens the file, it pretends to be a protected document secured by McAfee and asks the user to click again to view the content that was supposedly in the original file. As you guessed, the file has no content; the second click instead executes the malicious script hidden in the document, and the workstation is compromised.

Here is the new angle that makes it hard to detect. The malicious code runs in memory and never drops an executable to disk: the second stage is stashed in an NTFS Alternate Data Stream (NTFS is the standard Windows file system) or directly inside the registry, and a third-stage PowerShell script establishes communications with the command-and-control server over DNS, which is used to pass text messages back and forth. HTTP and HTTPS gateways are normally monitored by security software, but that is not always the case for DNS, and the attackers know it.

Talos could not immediately see what commands are going back and forth: “We were unable to get the C2 (command and control) infrastructure to issue us commands during our testing,” the Talos team said in a blog post Thursday. “Given the targeted nature of this attack, it is likely that the attackers would only issue active C2 commands to their intended target.”

“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting,” the Talos team added. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
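The detection angle follows directly from the Talos advice above: if DNS can carry a full C2 channel, resolver logs deserve the same scrutiny as proxy logs. The script below is an added example written for this article, not code from Talos or from the original post. Its log format and sample lines are constructed, and the thresholds and the two-label “parent domain” guess are assumptions. It flags a client that makes repeated TXT lookups for distinct, long, high-entropy subdomains of one parent domain, which is the general shape of text-over-DNS command traffic of the kind DNSMessenger uses.

```python
"""Flag DNS query logs that look like a text-over-DNS command channel.

Added example, not part of the Talos report or the original article. The log
format and SAMPLE_LOG are constructed for this demonstration. The indicators
(TXT lookups, long high-entropy leading labels, many distinct subdomains of
one parent from one client) are general properties of DNS C2 traffic.
"""
import math
from collections import defaultdict

# Constructed sample, one query per line: "<epoch> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
1488300000 10.0.0.5 www.example.com A
1488300001 10.0.0.5 mail.example.com MX
1488300002 10.0.0.7 7a3e9f0c1b2d4e5f6a7b8c9d.c2-example.net TXT
1488300003 10.0.0.7 0f1e2d3c4b5a69788796a5b4.c2-example.net TXT
1488300004 10.0.0.7 9b8a7c6d5e4f30211f2e3d4c.c2-example.net TXT
1488300005 10.0.0.7 c3d2e1f0a9b8c7d6e5f4a3b2.c2-example.net TXT
1488300006 10.0.0.7 5e4d3c2b1a0f9e8d7c6b5a49.c2-example.net TXT
1488300007 10.0.0.5 cdn.example.com A
1488300008 10.0.0.9 _dmarc.example.com TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Hex or base32 payloads score ~3.5-4+,
    ordinary host names (www, mail, cdn) score well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Crude registered-domain guess: the last two labels. A real tool would
    consult the public suffix list; this simplification is an assumption."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    try:
        return int(ts), client, qname.rstrip(".").lower(), qtype.upper()
    except ValueError:
        return None


def analyze(log_text: str, min_txt: int = 3, min_distinct: int = 3,
            min_entropy: float = 3.0):
    """Group queries by (client, parent domain) and flag groups that look like
    a text channel: several TXT lookups to distinct subdomains whose leading
    label is high-entropy. Thresholds are assumptions for the example.
    Returns a list of alert dicts in stable (sorted) order."""
    groups = defaultdict(lambda: {"total": 0, "txt": 0, "subdomains": set(),
                                  "max_entropy": 0.0, "max_label_len": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, qtype = rec
        parent = parent_domain(qname)
        g = groups[(client, parent)]
        g["total"] += 1
        if qtype == "TXT":
            g["txt"] += 1
        if qname != parent:
            first = qname[: -len(parent) - 1].split(".")[0]  # leading label
            g["subdomains"].add(qname)
            g["max_entropy"] = max(g["max_entropy"], shannon_entropy(first))
            g["max_label_len"] = max(g["max_label_len"], len(first))

    alerts = []
    for (client, parent), g in sorted(groups.items()):
        if (g["txt"] >= min_txt and len(g["subdomains"]) >= min_distinct
                and g["max_entropy"] >= min_entropy):
            alerts.append({"client": client, "parent": parent,
                           "txt_queries": g["txt"],
                           "distinct_subdomains": len(g["subdomains"]),
                           "max_label_len": g["max_label_len"],
                           "max_label_entropy": round(g["max_entropy"], 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("possible DNS C2:", alert)
```

On the sample, the three ordinary lookups from 10.0.0.5 and the single DMARC TXT query from 10.0.0.9 stay quiet; only 10.0.0.7, which issued five TXT queries for five unique 24-character hex labels under c2-example.net, is flagged. In production the same grouping would be fed from the resolver's query log and the thresholds tuned against a baseline of legitimate TXT users (SPF, DKIM, DMARC, domain-verification records).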

Preventing Malware Infections 

Which user will infect your network with malware? We’ve got something really cool for you: the new Phishing Security Test v2.0!

It’s got several great new features, and sending simulated phishing emails to train your employees is a fun and effective best practice to patch your last line of defense… your users.

The phish-prone percentage is usually higher than you expect and is great ammo to get budget. You can now find out the current Phish-prone percentage of your organization and who might infect your network with ransomware.

With Our Brand-New Phishing Test:

  • You can customize the phishing test based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • Already did a phishing test in the past? For a limited time you can reset it yourself and do a new one.


Stu Sjouwerman
Founder and CEO, KnowBe4, Inc.

Scam Of The Week: Mystery Shopper Scam Email

Secret Shopper Scam

Becoming a mystery shopper can seem like a dream job – getting paid to shop! However, a new mystery shopper scam is circulating that may leave you feeling duped. The scam begins by having mystery shoppers apply for a mystery shopping test on an illegitimate website posing as an official mystery shopping company.

The phony company never requires an in-person interview. It sends the would-be mystery shopper instructions and their “payment,” but requires the shopper to wire money back before that payment is supposedly released.

Rather than becoming mystery shoppers, these “shadow shoppers” have been scammed out of hundreds of dollars with no reimbursement. Do not be fooled by any such thing; always make sure a mystery shopping company is legitimate before signing up or handling any of its money.

Mystery Shopper Scam Email

“Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control.  Unlike many scams, there actually are legitimate mystery shopper companies, but they never advertise or recruit through emails.”

Here is how the scam works: when a victim falls for the recruiting email, they are sent a bogus bank check that the bad guys ask them to deposit and then use for their “mystery” shopping. They spend some of the money on the goods they buy and are instructed to keep part of the balance as payment for their services. The angle is that the victim is told to return the remaining funds by wire transfer. The check is counterfeit, but the money the victim wires is all too real. Here is an example of a recent mystery shopper Scam Of The Week email:

[Image: mystery shopper scam email, courtesy Steven Weisman, Esq.]

I suggest you send the following to your employees, friends, and family. Feel free to copy, paste, and/or edit:

“Mystery Shopper” scams continue to snare unwary victims. Mystery shoppers are people hired to shop at a particular store and report on the shopping experience for purposes of quality control.  Unlike many scams, there actually are legit mystery shopper companies, but they never advertise or recruit through emails. Here is how this scam works:


You get a bank check they ask you to deposit immediately and then go shop, and they say you get to keep some of the money as well. But the scammers ask you to wire the remaining money back to them right away. And as you might have guessed, their check is bogus but the money you wire back is real, and it’s yours.


Here is a general safety rule: whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you treat the funds as actually being in your account. Never accept a check for more than what is owed with instructions to send back the rest; that is a major red flag. Last, always be very wary whenever you are asked to wire funds, because this is a common theme in many scams.


Cloudbleed, Cloud Pets, and More…

It turns out that if you crawl enough of the Internet, pages start bleeding into one another. At least that was the case for Google security researcher Tavis Ormandy, who discovered a severe flaw in Cloudflare’s service. The flaw, eerily reminiscent of the infamous Heartbleed bug, revealed uninitialized memory containing sensitive information ranging from ‘encryption keys, cookies, passwords’ to private messages on a dating website. Cloudflare’s post-mortem indicates that the flaw was introduced when ‘Automatic HTTP Rewrites’ was enabled on 2016-09-22.

The root cause of the flaw was a fragile pointer-arithmetic check. The code tested for strict equality (==) rather than greater than or equal to (>=) when determining whether the pointer had reached the end of the buffer, so a pointer that stepped past the end was never caught. A request for an HTML page containing unbalanced HTML (an unterminated attribute, for example) would trigger the over-read, and the extraneous data returned contained internal Cloudflare headers, cookies, and authorization headers/tokens, depending on what happened to be in memory at the time. Since Cloudflare is a shared service, data from popular websites (Uber, FitBit, OKCupid, etc.) was more likely to be resident in memory and thus more likely to be leaked when the flaw was triggered.
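The == versus >= mistake is easy to picture with a small model. The following is an added example, not Cloudflare’s code: the real bug was in C pointer arithmetic in a generated HTML parser, so here a single bytes object stands in for the proxy’s heap, the parser position is an index into it, and the page and its “neighbour” contents are constructed. The scanner copies an attribute value and, on seeing an entity, skips four bytes at once; in an unterminated attribute that skip can step past the end of the page, after which the equality check never fires and the next tenant’s bytes are copied out as if they were page content.

```python
"""Cloudbleed-style over-read from a bounds check that tests == instead of >=.

Added example, not Cloudflare's code. The real bug lived in C pointer
arithmetic inside a Ragel-generated HTML parser; this model uses one bytes
object as the "heap" and an integer index as the parser pointer, which
reproduces the same logic error without undefined behaviour.
"""

# Constructed page: the t="..." attribute value is never closed (unbalanced HTML).
PAGE = b'<a t="abc&'
# Constructed neighbour: another tenant's response that happened to follow the
# page in the proxy's memory. The first three bytes are what the entity skip
# jumps over; the rest is what leaks.
NEIGHBOUR = b'XYZcookie=s3cr3t"'
HEAP = PAGE + NEIGHBOUR + b"\x00" * 16


def scan_attr_value(heap: bytes, p: int, pe: int, strict_equality: bool) -> bytes:
    """Copy the attribute value starting at index p until a closing quote.

    pe is one past the end of the page being parsed.  The buggy form stops
    only when p lands exactly on pe; the 4-byte entity skip can jump over pe,
    after which the loop keeps reading whatever follows the page in memory.
    The >= form stops the moment p is at or beyond pe.
    """
    out = bytearray()
    while p < len(heap):  # hard stop only so the model itself stays in-bounds
        at_end = (p == pe) if strict_equality else (p >= pe)
        if at_end:
            break
        b = heap[p]
        if b == ord('"'):  # closing quote terminates the attribute value
            break
        if b == ord("&"):  # consume a 4-byte entity such as &lt; in one step
            p += 4
            continue
        out.append(b)
        p += 1
    return bytes(out)


def demo(strict_equality: bool) -> bytes:
    """Run the scanner on the constructed page with either bounds check."""
    value_start = PAGE.index(b'"') + 1  # first byte after the opening quote
    return scan_attr_value(HEAP, value_start, len(PAGE), strict_equality)


if __name__ == "__main__":
    print("buggy  (p == pe):", demo(True))
    print("fixed  (p >= pe):", demo(False))
```

With the equality check the returned value is `b'abccookie=s3cr3t'`: the three legitimate bytes followed by thirteen bytes that belong to the neighbouring response. With `>=` the scan stops at the page boundary and returns `b'abc'`. The lesson generalises beyond this parser: any end-of-buffer test must tolerate a cursor that has already overshot, because multi-byte consumers (entities, UTF-8 sequences, length-prefixed fields) routinely advance by more than one.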

AgileBits, the makers of 1Password, have responded with an overview of how their use of multiple encryption layers protects their users in cases where SSL/TLS fails.

In a follow-up post, Cloudflare reported finding no evidence that the bug was actively exploited. However, exploitation is impossible to rule out given the large window of opportunity, the lack of logs, and Cloudflare’s large customer base. One of the biggest remaining issues is websites that were scraped or cached by automated bots (other than well-known search engines such as Google, which have purged affected page caches) and may have inadvertently saved the leaked information.

On the bright side, there is a ray of sunshine as the clouds recede: Cloudflare was able to deploy a mitigation within an hour and patch their services in seven hours.

For users, there are several things you can do to protect yourself:

•  Change your password on websites using the Cloudflare service

•  Use two-factor authentication (2FA) where available (Check out this comprehensive guide from Cloudwards)

For service providers, this is an excellent opportunity to re-evaluate your threat model and understand the risks of using shared cloud services.

•  If you rely on SSL/TLS for transport security, it needs to be terminated inside your network, not at a third-party service provider

•  Employ defensive programming

Check out Ryan Lackey’s take and Ryan McGeehan’s take for more information on how to handle the fallout.

CloudPets: ‘Embearassingly’ bad security

If a bear spies on your child, does anyone hear it? If the bear is made by CloudPets, the answer is yes. This week’s chapter of the never-ending compendium of ‘why you shouldn’t put a chip in it’ has a Bluetooth-enabled teddy bear acting as a remote spying device and <sarcasm>in a plot twist no one has seen before, the manufacturer doesn’t seem to care</sarcasm>.

The National Security Agency was ahead of the times when it banned Furbys in 1999. It took nearly two decades for consumer electronics to catch up to its fear of a child’s toy that could moonlight as a remote listening device.

SpiralToys, the maker behind CloudPets, left their MongoDB server open to the public, making it child’s play to steal the sensitive information. Additionally, an unsecured Amazon S3 bucket meant that attackers with knowledge of the voice recording filenames could trivially download the messages.

For all you parents out there, reconsider buying ‘smart’ or ‘cloud-enabled’ toys for your kids. This isn’t the first time toy manufacturers have compromised families’ privacy, and it’s not just toys that are vulnerable; even Internet-connected baby monitors are a bad idea. Germany has already taken steps to ban Internet-connected dolls out of fear that attackers could target children.

If you’re considering putting a service up in the cloud, be sure to lock it down properly.

•  Check out the flAWS challenge to learn more about common mistakes that lead to security vulnerabilities when operating in the cloud

•  Deploy your database servers in a private VLAN, far away from being publicly accessible from the Internet

•  Require authentication, authorization, and auditing (AAA) on sensitive datastores such as databases

• Engage with security professionals to design and secure your service

•  Use pre-signed URLs when using S3 to share files


Cylance Research and Intelligence Team


2017 Top 10 IT Security Trends

What are the top 10 IT security trends for 2017?

I have been looking at the coming year and what trends you will probably see actually deployed in your network. These trends are the practical things that will help you to keep your network safer with improved defense-in-depth.

  1. A move from being defensive to a more proactive approach to IT security, for instance, application firewalls that actually work and are easy to deploy.
  2. Machine learning that *works* spreads out to legacy endpoint security tools, and is able to do real-time payload analysis to prevent ransomware attacks.
  3. You will finally get affordable and smart enough network traffic analysis tools that will show if your network has been penetrated, combined with:
  4. Platforms that will show you understandable threat intelligence with analytics and reporting that will dramatically shorten the “dwell time” of hackers in your network.
  5. Breach prevention will be getting easier by automatic OS hardening utilities.
  6. Dedicated network tools will be able to do smart network segmentation and isolation to block hackers from getting to the crown jewels.
  7. You will be able to deploy much improved Enterprise Mobile Management products that are able to do proactive mobile protection.
  8. More intelligent Identity Management tools will be released that will allow you to secure IoT devices, services that are running, and end-users at the same time.
  9. A non-technical trend is that Boards will insist on significantly beefing up IT Security Policy and Procedure, which will make your life significantly easier because you finally have air cover and budget for the things you knew you needed to deploy but got pushback on.
  10. Thousands of your peers have started phishing their own users in 2016 to keep employees on their toes with security top of mind. This will be the trend that catches fire in 2017 and tens of thousands of sites will deploy new-school security awareness training.

Stu Sjouwerman
Founder and CEO, KnowBe4, Inc.