Posts Tagged: ‘spear phishing’

Scam of the day – May 17, 2016 – Russian cybercriminal innovator sentenced

May 16, 2016 Posted by Steven Weisman, Esq.

Although you probably have not heard of Nikita Kuzman or the Gozi malware he created, Kuzman has dramatically changed the world in which we live. Kuzman, a Russian with computer science degrees from two major Russian universities, invented the Gozi malware, which was unleashed on an unsuspecting public in 2007. This malware was among the first able to steal bank-account-related data, including usernames and passwords, from the infected computers of its victims and then use that information to steal money from the victims’ accounts. Gozi infected more than a million computers throughout the world and was used to steal tens of millions of dollars from individuals, companies and even government agencies such as NASA. However, what distinguishes Kuzman from other cybercriminals who have created similar types of malware is that he then created the business model for putting the malware to use: he leased Gozi to less sophisticated cybercriminals for a fee of $500 per week. The malware sent the stolen information to computers controlled by Kuzman, who in turn provided the data to the criminals spreading the malware so long as they paid their weekly leasing costs.

According to Troels Oerting, the head of Interpol’s European Cybercrime Centre, there are only about a hundred cybercriminal masterminds like Kuzman in the world today. The proliferation of small and large scale computer crimes perpetrated against individuals, companies and government agencies is primarily the work of less skilled cybercriminals who have purchased or leased their malware from innovators such as Kuzman, who initiated this business model. And like any business, the criminals who create this malware also routinely provide tech support and updates for a price.

Kuzman was recently sentenced in the U.S. District Court for the Southern District of New York for various computer crimes and was required to pay a financial penalty of $6,934,979. The prison sentence imposed was a mere 37 months, all of it time already served while awaiting trial. The reason for this light sentence is Kuzman’s continuing cooperation with federal investigators regarding others charged with similar crimes.

TIPS

An important element of the story of the Gozi malware, and of other similar types of malware, is that regardless of how sophisticated the malware is, it is useless until it is downloaded onto the computers of its intended victims, and this is generally done not through complex software or technology, but by luring unsuspecting victims into clicking on links and downloading attachments in socially engineered phishing emails. And just as the malware itself has gotten more sophisticated over the years, so have the psychologically compelling spear phishing emails used to spread it. Malware-tainted phishing emails formerly addressed to “Dear Customer” now come addressed to you by name and often contain enough personal information to cause victims to trust the emails and click on the tainted links. The lesson is clear. Trust me, you can’t trust anyone. Never click on a link or download an attachment until you have absolutely confirmed that the email or text message carrying it is legitimate.

Scam of the day – May 12, 2016 – Another BEC scam victim

May 12, 2016 Posted by Steven Weisman, Esq.

In April 19th’s Scam of the day I told you about the recent FBI warning about a dramatic increase in what it calls the Business Email Compromise (BEC) scam. The scam involves an email to the people who control payments at a targeted company. These people receive an email purportedly from the CEO, the company attorney or even a vendor with whom the company does business, requesting that funds be wired to a phony company or person. At its essence, this scam is remarkably simple and relies on simple psychology rather than sophisticated computer malware. Often the scammers will do significant research, not only to learn the names of the key employees involved with payments within a company, but also by infiltrating the email accounts of company employees for a substantial period of time to learn the protocols and language the company uses in making payments. The scammers will also gather information from the company’s website and from the social media accounts of its employees, all in an effort to make their message seem more legitimate.

Now we have just learned about Pomeroy Investment Corp, a Michigan investment company that lost $495,000 through this scam when one of its employees responded to an email purportedly from another employee of the company and wired $495,000 to a Hong Kong bank.

Companies both large and small have fallen for this scam, which has increased 270% in the last year and over the last couple of years has cost companies more than 2.3 billion dollars in losses. American toy manufacturer Mattel lost three million dollars to this scam in 2015.

TIPS

In order to avoid this scam, companies should be particularly wary of requests for wire transfers made by email. Wire transfers are the preferred method of payment for scammers because of the impossibility of getting the money back once it has been sent. Verification protocols for wire transfers and other bill payments should be instituted, including dual-factor authentication where appropriate. Companies should also consider the amount of information about them and their employees that is available to scammers to perpetrate this crime. They should also have strict rules regarding the company information included on employee social media accounts, which can be exploited for the “spear phishing” emails that play a large part in this scam. Finally, employees should be specifically educated about this scam in order to be on the lookout for it.

Scam of the day – May 2, 2016 – Another new USAA phishing scam

May 2, 2016 Posted by Steven Weisman, Esq.

Yet another phishing email is turning up purporting to be from USAA, the insurer of millions of members of the military as well as many veterans, telling you that you need to click on links in the email in order to resolve security issues. Like many phishing emails, this one tries to convince you that you must click on a link and provide personal information or suffer dire consequences, when the truth is that if you click on the link or provide personal information, the criminal will use what you provide to make you a victim of identity theft. Alternatively, merely by clicking on the link provided in the email, you may download keystroke logging malware that will enable the identity thief to steal all of the information in your computer, laptop or other device and use it to make you a victim of identity theft. Here is a copy of the newest phishing email that is presently circulating. DO NOT CLICK ON THE CONTINUE BUTTON. As phishing emails go, the graphics are pretty impressive; however, there are several grammatical errors, including the word “temporal” being used instead of “temporary”. It should also be noted that the email is directed to “Dear Valued Customer” rather than to you by name, and that no account number is provided. These are further indications that this is a scam. Finally, this email was sent from an email address that had nothing to do with USAA and was undoubtedly part of a botnet of computers using the addresses of hacked email accounts to send out the phishing email.

TIPS

Frankly, whenever you get an email, you can never be sure who is really sending it to you. Obviously, if you receive this email and you do not have an account with USAA, you know it is a scam. However, if you receive something like this that appears to come from a company with which you do business, you should still not click on any links contained in the email unless you have independently confirmed with the company that the email is legitimate. Remember, even paranoids have enemies.

Scam of the day – April 21, 2016 – Criminals steal nuts

April 21, 2016 Posted by Steven Weisman, Esq.

Stealing nuts may not sound like a profitable criminal enterprise, but with the worldwide popularity of nuts as a healthy snack and truckloads of nuts such as walnuts, almonds or pistachios valued as high as $500,000, criminals, particularly in California, have increasingly targeted the nut industry in the last few years. Last year alone the number of cases of truckloads of nuts being stolen exceeded the total for the previous three years, with the cost to nut companies reaching 4.6 million dollars.

Today’s thieves often use technology as part of their arsenal, using spear phishing techniques to hack into the computers of the nut companies to find out when shipments are ready to be picked up. Sometimes the criminals arrive at the nut warehouses with counterfeit shipping papers and pick up truckloads of these valuable products. Other times, the criminals pose as legitimate companies and hire a legitimate trucking company to pick up the nuts, then tell the truck driver that there has been a change of plans and divert the shipment.

Nuts are a valuable commodity on the black market, particularly in Europe and Asia. In addition, nuts are hard to track. They carry no serial numbers and are easy to transport, leaving little evidence of a crime.

TIPS

The nut industry is busy adapting to these new threats while the criminals continue to adapt to new security measures.  Better data security at nut companies will help.  In addition, many companies are now requiring photo IDs and fingerprint identification of drivers picking up nuts for delivery.  Confirmation of orders is also something that will help.  But for now the criminals seem to be getting much more than peanuts out of this crime.

Scam of the day – April 20, 2016 – DocuSign phishing scam

April 20, 2016 Posted by Steven Weisman, Esq.

DocuSign is a company that provides technology for the transmission of contracts and other documents, with features for electronic signatures. Its service is used by many companies. Recently I received a phishing email, reproduced below, that purported to be from an attorney whom I know and with whom I do business, asking me to click on a link to open a document that needed my signature. The phishing email looked very professional, contained the DocuSign logo and appeared legitimate. In the copy of the email below, I have blocked out the name and other personal information identifying the attorney who was purported to have sent me the document. DO NOT CLICK ON THE LINK TO VIEW DOCUMENTS.

This is a spear phishing email designed to lure the person receiving it to click on the link and either provide personal information that could be used for identity theft or, as was more likely in this particular phishing attempt, merely by clicking on the link download keystroke logging malware onto the computer of the person clicking on it. This malware would have enabled the cybercriminal to steal all of the personal information from the computer and make that person a victim of identity theft. This email was particularly dangerous because it came from someone with whom I do business, whose email account was hacked and used to send out the spear phishing email.

Here is the email without the logo.

Please review and sign your document

From: XXXXXXXXX (XXX@aol.com)

Hello

Thomas has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.

View Documents
XXXXXXXX
Law Office of XXXXXXXXX
XXXXXXXXXXX
XXXXXXXXXX
Fax: XXXXXXXXX
Email: XXX@aol.com

__________________________________________________________________________
CONFIDENTIALITY NOTICE: This email message contains confidential information intended only for the person(s) or entity to whom it is addressed and is subject to attorney-client privilege. If you have received this email message in error, please destroy the original message.

CIRCULAR 230 DISCLOSURE: Pursuant to U.S. Treasury Regulations, we are now required to advise you that, unless otherwise indicated, any federal tax advice contained in this communication, including attachments and enclosures, is not intended and may not be used for the purpose of (1) avoiding tax related penalties under the IRC or (2) promoting, or recommending to another party any tax related matters addressed herein.

TIPS

In this case, I actually followed my own advice never to click on a link, regardless of how legitimate the email or text message may appear, until confirming that the message is legitimate. I emailed the attorney back and asked him to confirm that it was legitimate and to answer a question to which I knew only he would know the answer. The response I got from him was that he had been hacked and I should not click on the link.

The lesson here is clear. You can never be sure, when you receive an email, who is really contacting you. Sometimes it is obvious, when the email address of the sender does not correspond to who is represented as sending the email, but other times, as in this case, the email account of someone or some company you trust could have been hacked and used to send you the malware. Therefore you should never click on a link or download an attachment in an email until you have absolutely and independently confirmed that it is legitimate.
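
The indicators called out in this post and in the USAA post above (a sender address whose domain is not the brand’s, a generic salutation, a missing account number, a misspelling, and links that lead somewhere other than the brand) written up as a small triage script. This is an added example, not code from Scamicide, DocuSign or USAA; the brand-to-domain allow-list and the three sample messages (with placeholder .example domains) are constructed assumptions.

```python
"""Triage a raw email for the brand-impersonation indicators the USAA and DocuSign
posts describe. Added example, not code from the original posts; BRAND_DOMAINS and
the three sample messages below are constructed assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand keyword -> registrable domains its real mail and links use.
BRAND_DOMAINS = {"usaa": {"usaa.com"}, "docusign": {"docusign.net", "docusign.com"}}
GENERIC_SALUTATIONS = {"dear valued customer", "dear customer", "dear member", "hello", "hi"}
KNOWN_TYPOS = ("temporal",)  # the USAA phish used it in place of "temporary"
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
ACCOUNT_ID_RE = re.compile(r"account\s+(?:number|#|ending in)\s*\S+")


def _registrable(host):
    """Last two labels of a hostname: mail.usaa.com -> usaa.com (crude, but enough here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _claimed_brand(subject, body):
    text = (subject + " " + body).lower()  # the brand the message presents itself as
    return next((b for b in BRAND_DOMAINS if b in text), None)


def triage(raw):
    """Return the indicator names found in a raw RFC 5322 message, in check order."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    lower = body.lower()
    brand = _claimed_brand(msg.get("Subject", ""), body)
    findings = []
    # 1. Sender domain is not one the claimed brand uses (unrelated address, hacked aol.com account).
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = _registrable(sender.rpartition("@")[2]) if "@" in sender else ""
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append("sender-domain-mismatch")
    # 2. Generic salutation instead of the recipient's name.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first_line.lower().rstrip(",:!") in GENERIC_SALUTATIONS:
        findings.append("generic-salutation")
    # 3. Talks about "your account" but never identifies it.
    if "account" in lower and not ACCOUNT_ID_RE.search(lower):
        findings.append("no-account-reference")
    # 4. Misspellings a real corporate mailing would not ship with.
    findings += [f"known-typo:{w}" for w in KNOWN_TYPOS if re.search(rf"\b{w}\b", lower)]
    # 5. Link targets ("Continue", "View Documents") hosted outside the brand's domains.
    hosts = {_registrable(urlparse(u).hostname or "") for u in URL_RE.findall(body)}
    if brand:
        findings += [f"link-host-mismatch:{h}" for h in sorted(hosts - BRAND_DOMAINS[brand])]
    return findings


# Constructed samples modelled on the two posts; the .example domains are placeholders.
USAA_SAMPLE = """\
From: USAA Security <alerts@notify.example>
Subject: USAA: resolve security issues

Dear Valued Customer,
We detected unusual activity on your account; access has been temporal suspended.
Click Continue to resolve security issues: http://usaa-login.example/continue
"""
DOCUSIGN_SAMPLE = """\
From: XXXXXXXXX <XXX@aol.com>
Subject: Please review and sign your document

Hello
Thomas has sent you a new DocuSign document to view and sign. Please click on the
'View Documents' link below to begin signing: http://docs-view.example/sign
"""
LEGIT_SAMPLE = """\
From: USAA <no-reply@usaa.com>
Subject: USAA account notice

Dear Jane Doe,
This is a notice about your account ending in 1234.
Sign in at https://www.usaa.com/ to review it.
"""
```

`triage(USAA_SAMPLE)` returns all five indicators, `triage(DOCUSIGN_SAMPLE)` the sender and link mismatches plus the bare “Hello”, and `triage(LEGIT_SAMPLE)` nothing. A message sent from a hacked account that really does belong to the brand would also return nothing, which is why the independent confirmation described in this post still matters.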

April 9, 2016 – Steve Weisman’s latest column for USA Today

April 9, 2016 Posted by Steven Weisman, Esq.

Here is a link to Steve Weisman’s latest column for USA Today, which deals with the data breach at Verizon Enterprise Solutions, which, ironically, is the unit of Verizon that helps companies deal with data breaches. However, as indicated in the column, there is a lesson for all of us in this story.

http://www.usatoday.com/story/money/columnist/2016/04/09/lessons-latest-verizon-data-breach/82677920/

Scam of the day – March 29, 2016 – SEC settles insider trading charges with Russian hedge fund manager

March 29, 2016 Posted by Steven Weisman, Esq.

As I first reported to you this past August and numerous times thereafter as the story developed, forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine. The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades. In December, Alexander Garkusha, one of the defendants, pleaded guilty to making trades based upon the stolen information that personally gained him $125,000. Garkusha is cooperating with the government at this time. His sentencing is scheduled for May 6th. In January, Igor Dubovoy also pleaded guilty to conspiracy to commit wire fraud and agreed to forfeit more than 11 million dollars.

Now the SEC has announced that it has settled civil charges against Moscow-based hedge fund manager David Amaryan and his funds Copperstone Alpha Fund, Copperstone Capital, Ocean Prime, Inc. and Intertrade Pacific SA, through which Amaryan earned more than eight million dollars in profits from the illegal scheme. Pursuant to the settlement, Amaryan and his companies will pay the SEC ten million dollars. Of course, as is typical in such settlements, Amaryan neither admitted nor denied any wrongdoing; however, pursuant to the settlement he is prohibited from using such tactics in the future, which is akin to Amaryan saying he didn’t do anything wrong and promising not to do it again while also agreeing to pay ten million dollars to the SEC.

TIPS

One of the biggest takeaways from this case is how easy it still is to use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Phishing, and the more targeted spear phishing, is also the way the ransomware used against the Hollywood Presbyterian Medical Center was implanted in its computers. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers. This lesson is one that each of us, as individuals, should also learn in our own lives, because identity thieves and hackers use the same phishing techniques to hack into the computers of individuals and steal their personal information. Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate. It well could contain keystroke logging malware that will steal all of the information from your computer. Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware. However, it is still important to have security software on all of your electronic devices and to keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.

Scam of the day – March 28, 2016 – Verizon Enterprise Solutions suffers data breach

March 28, 2016 Posted by Steven Weisman, Esq.

Announcements of data breaches are generally not terribly startling these days; however, the recent announcement by Verizon Enterprise Solutions acknowledging that it had suffered a massive data breach is particularly noteworthy because Verizon Enterprise Solutions is the unit of Verizon that assists companies when they have become victims of data breaches. OOPS! In fact, one of the things that Verizon Enterprise Solutions does every year is issue an annual data breach investigations report that is read by many. Next year, it appears the report will include information about their own data breach. According to Verizon, they recently discovered and fixed “a security vulnerability on our enterprise client portal.” According to Verizon, the information accessed by the hackers was limited to basic contact information for many of its customers, and no customer proprietary network information (CPNI) was stolen. Verizon is in the process of contacting affected customers. The stolen information is already being sold on the Dark Web, the part of the Internet where criminals buy and sell such information.

One might question the value to cybercriminals of the theft of basic personal information; however, that information can be quite valuable for creating spear phishing emails that lure unsuspecting victims to click on links that carry malware that may steal more valuable data from targeted companies, including banking information and credit card information. A specifically tailored spear phishing email that appears to come from Verizon Enterprise Solutions, directed by name to a specific person in the targeted company, could be more likely to cause an unsuspecting employee to believe that the email is legitimate and click on links or provide personal information that could be used for identity theft or cybercrime.

TIPS

This data breach is another good example of why my motto is “trust me, you can’t trust anyone.”  Regardless of how legitimate an email or text message may appear that asks you to click on a link or provide personal information, you can never be sure that such communications are legitimate.  Never click on links or provide personal information in emails or text messages until you have independently confirmed that the email or text message is indeed legitimate.  Remember, even paranoids have enemies.

Scam of the day – March 12, 2016 – Hackers steal 81 million dollars from Bangladesh bank

March 12, 2016 Posted by Steven Weisman, Esq.

Early last month cybercriminals hacked into Bangladesh’s central bank and managed to steal approximately 81 million dollars; however, it could have been worse. If it weren’t for a spelling error, the theft could have approached a billion dollars. Although the investigation into this crime is still in its early stages, it appears that, as with so many types of cybercrimes, this one started with social engineering spear phishing that lured bank employees into unwittingly downloading the malware the hackers used to infiltrate the bank’s computers and obtain not just the passwords and cryptographic keys used for electronic fund transfers, but also the emails of bank employees, so that they could copy and adapt those emails to make their own transfer requests appear legitimate. Armed with this information, the cybercriminals sent dozens of account transfer requests from the Bangladesh central bank to the Federal Reserve Bank of New York, where the Bangladesh central bank has accounts containing billions of dollars. The account transfer requests processed by the Federal Reserve Bank of New York electronically sent about 81 million dollars to accounts in the Philippines, where the funds were transferred multiple times, including transfers to Philippine casinos, in an effort to launder the money.

Four transfer requests totaling approximately 81 million dollars were processed in this cyber bank heist before the fifth transfer request, to a supposed Sri Lankan non-profit organization, aroused suspicion at Deutsche Bank, a routing bank in the transaction, because of the misspelling of “foundation” as “fandation”, prompting a closer investigation of the transfer request. At the same time, the Federal Reserve also became suspicious at the large number of transfer requests being made to private entities instead of banks, halted the remaining transfer requests and contacted the Bangladesh central bank.

TIPS

All businesses and governmental agencies must do a better job at cybersecurity in general. In particular, greater attention has to be paid to the dangers of social engineering spear phishing, which has been at the root of almost all of the major data breaches at both companies like Target and governmental agencies such as the Office of Personnel Management.

Scam of the day – February 20, 2016 – Nine new defendants in cyber stock scam

February 20, 2016 Posted by Steven Weisman, Esq.

As I first reported to you this past August and twice thereafter, more than thirty people were indicted in the largest hacking and securities fraud enterprise in American history. The defendants were made up of rogue stock traders, including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky, along with computer hackers based in Ukraine. The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies, including Panera, Caterpillar, Inc. and Align Technology, that contained earnings and other corporate information prior to their public release. This enabled the rogue stock traders to make trades based on this inside information before it became known to the public. Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania. It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades. In December, Alexander Garkusha, one of the defendants, pleaded guilty to making trades based upon the stolen information that personally gained him $125,000. Garkusha is cooperating with the government at this time. His sentencing is scheduled for May 6th. In January, Igor Dubovoy also pleaded guilty to conspiracy to commit wire fraud and agreed to forfeit more than 11 million dollars.

Now the SEC has filed fraud charges against nine new defendants in this case including both companies and individuals who traded with a brokerage company in Malta using the stolen information.

TIPS

One of the biggest takeaways from this case is how easy it still is to use phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Phishing, and the more targeted spear phishing, is also the way the ransomware used against the Hollywood Presbyterian Medical Center was implanted in its computers. Apparently corporations still have not learned to train their employees to recognize phishing emails, nor have they learned to encrypt and segregate sensitive data from hackers. This lesson is one that each of us, as individuals, should also learn in our own lives, because identity thieves and hackers use the same phishing techniques to steal the identities of individual victims. Never click on links in emails, regardless of from whom they appear to come, unless you are absolutely sure that the link is legitimate. It well could contain keystroke logging malware that will steal all of the information from your computer. Also, it is important to remember that you cannot rely on your anti-malware software to protect you, because the best anti-malware software is always at least a month behind the latest malware. However, it is still important to have security software on all of your electronic devices and to keep that software up to date with the latest security patches, because many scammers use older versions of malware for which there are defenses.