The PhishLabs Blog

The recent news of the Yahoo breach and leak of hundreds of millions of passwords, names, dates of birth, and other
 personal information has led to headlines across the country. Understandably, given Yahoo’s popularity, people are worried. Especially as a summer dominated by news of leaks, hacks, and foreign intelligence agencies with nefarious agendas comes to an end. 

Given that reports suggest that the initial breach of this data occurred in 2014, one of the primary concerns about this type of data dump are password reuse attacks, where cybercriminals take previously compromised credentials and use them to break into accounts on other platforms where the victim used the same username/password combination.  It’s only a matter of time before criminals use the credentials leaked in the Yahoo breach to attempt to compromise other accounts, such as financial accounts or social media profiles. 

When it comes to security, it pays to be completely honest with yourself. After all, you may be able to hide weaknesses in your network from yourself, but that won’t stop threat actors from finding them.

If you are totally honest with yourself, you’ll realize there’s no way to completely shield your users from attacks.

You can tighten your spam filter, keep a watchful eye on user permissions, and buy in the best endpoint security package you can afford… but still, some attacks will make it through. And if your users are like most people, right now they aren’t even close to being ready to cope with that. We explored this previously in Why Some Phishing Emails Will Always Get Through Your Spam Filter.

We believe people can be the last line of your network defense – and do a damn good job of it – but first they have to be trained.

Here are a few ideas to get you started.

Frustrating, isn’t it?

It seems like no matter what you do, a few phishing emails always find their way into your users’ inboxes. You’ve tweaked your spam filter, and you’re scanning every attachment… But nothing seems to work.

Is it you? Are you making some glaring mistake?

Probably not.  We've discussed before why your users keep falling for phishing scams, and there's more to it. 

The fact is that no matter how good your security, a small percentage of phishing emails will always reach your user’s inboxes. 

There’s a lot of talk in the security industry about the effectiveness of security awareness training for employees. Some highly respected members of the community have repeatedly asserted that it’s a total waste of money, and this sentiment seems to have picked up some momentum in recent years. 

In our last post we discussed human vulnerability in Why Your Users Keep Falling for Phishing Scams. People generally assume anything that makes its way into their inbox is a legitimate attempt to contact them. Just because security professionals see a shady email and think ‘phishing’, doesn’t mean everybody else does, too.

The argument against security awareness training goes that since normal users have no responsibility for network security, and they don’t understand the implications of their actions, it should be down to IT to create an environment in one which can’t harm the organization.

But we disagree.

The fact is that while that is a good target to aim for, it isn’t possible right now, and probably never will be.

The Federal Trade Commission (FTC) responded to the rising ransomware threat on September 7, 2016 with a technology workshop in Washington, D.C. The workshop brought security experts, including PhishLabs' Vice President of Threat Research, Joseph Opacki, together to address common questions and concerns around the ransomware threat. Opacki  joined a panel during the workshop to educate the audience on the overall landscape of the ransomware threat and reasons it's proliferating at such a high pace.

We’ve all been there. That awful moment, when you realize it’s happened again.

“Why do they never learn?” You ask yourself. “It really isn’t that hard!”

Time and time again, your users click on malicious links and attachments in phishing emails, and it seems like no matter what you do to improve their awareness, it never gets any better.

So why do they keep falling for phishing scams? Is it just complacency? Or something more?

Compromised websites are an integral part of the cybercrime ecosystem. They are used by cybercriminals to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks.  Why? One reason is because there is an abundance of insecure websites around the world that can be easily compromised. Another reason is because legitimate sites that have only been recently compromised are less likely to be blacklisted by internet browsers and other security measures.

With low overhead and risk of prosecution, ransomware attacks have outpaced banking Trojans in sheer number of incidents, if not profit.  Ransomware’s rapidly growing popularity has spawned dozens of variants, subtypes, and families as threat actors seek to outmaneuver researchers and competitors. In this dynamic threat landscape, alongside monitoring the established ransomware families for any change in tactics, techniques, or procedures, we monitor social media and underground markets for emerging threats. Through this process, our team was alerted to and began an investigation of what is likely a new threat actor’s first attempt at ransomware design and distribution.

Recently we observed a new type of ransomware, called Alma Ransomware, being delivered via exploit kit. Often hidden on web servers, exploit kits (EK) are toolkits used by threat actors that exploit vulnerabilities in visiting users’ web browsers to deliver malicious payloads.  Alma Ransomware (MD5 Hash: 92f8a916975363a371354b10070ab3e9) was observed being delivered via the RIG Exploit Kit. The malicious payload tripped only one indicator on VirusTotal at 2016-08-22 14:51:15 UTC:

 Figure 1: VirusTotal indicator from day 1 of circulation.

Hackers targeting bitcoin wallet users are once again leveraging Google’s AdWords in their most recent campaigns. Phishlabs has previously seen similar attacks against banks and online gambling sites over the past year. Some of the most recent attacks have targeted Blockchain and Kraken and have been widely blogged and tweeted about over the past week.  As seen in the screenshot below, a Google search for “blockchain.info” returns a Google ad for a look alike domain “blockchian.info” (figure 1). Kraken has released a statement via their blog acknowledging the ongoing campaigns and its attempt to mitigate the threat which can be read here. 

 Figure 1 Sourced https://twitter.com/myetherwallet/status/766360476246618113