Massive 46M Dollar Cyberheist

Brian Krebs just reported on a massive $46.7 million cyberheist. Tech firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof emails from executives at the victim firm in a bid to initiate unauthorized international wire transfers.


How New Phishing Malware Rombertik Kills Your Hard Drives

InfoSec researchers at Cisco’s TALOS group discovered a strain of malware that spreads through phishing. Attackers use social engineering tactics to entice users to download, unzip, and open the attachments that ultimately result in the machine’s compromise. The strain, dubbed Rombertik, monitors everything that happens inside an infected machine’s browser and exfiltrates it to a server controlled by the attacker, similar to Dyre. However, when it detects that it is being analyzed, it takes extreme evasive action: it wipes the Master Boot Record (MBR) or home directories, trapping the machine in an infinite boot loop.

The MBR is the first sector of a computer’s hard drive, which the machine reads before loading the operating system. Recovering from a deleted or destroyed MBR involves re-installing the operating system, which almost always means data is lost. In what is likely a bit of sick humor from the criminals, if it cannot get access to the MBR, Rombertik works just like ransomware and starts encrypting all files in the user’s home folder. The malware chooses a random 256-byte encryption key for each file, but none of the keys are saved anywhere, so you end up with what is effectively random, shredded bits instead of your files. After the MBR is overwritten, or the home folder has been encrypted, the computer is restarted. Only files with the extensions .EXE, .DLL, .VXD and .DRV will survive.

The upshot: Rombertik begins to behave like a wiper malware sample, trashing the user’s computer if it detects it’s being analyzed. While the Cisco TALOS team has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer’s data if it detects certain attributes associated with malware analysis.
What To Do About It: Ultimately, you need to practice defense-in-depth, which protects your entire attack surface, but here are a few tips that will mitigate attacks like this with the best bang for your IT security budget:
  • Have multiple layers (and different AV engines) of malware scanning in place: the firewall, your mail server/email gateway, and the desktop. That means a different vendor, using a different AV engine, for your firewall, your mail server/email gateway and your endpoint AV. Then filter out almost all email attachment types except a few essential ones. Check which AV engines your vendors use, because there is a lot of OEM-ing going on in the AV space, which might result in you using the same engine under a different label. Not good.
  • Step your users through effective security awareness training and follow up with regular simulated phishing attacks, which will keep them on their toes with security top of mind.
  • Have good backup routines that are constantly tested, to ensure that if your data is lost it can be easily recovered.
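
The attachment-filtering tip above (allow only a few essential attachment types at the mail gateway) can be enforced with a short allow-list check. The Python below is an added example written for this page; it is not code from Cisco TALOS, from SecureNation, or from any gateway product. It assumes a hypothetical allow list of six extensions, a hypothetical `should_quarantine` decision function, and a sample message constructed inline with four attachments. Beyond a plain extension check, it also sniffs the leading bytes of each attachment so that a renamed executable does not pass as a PDF.

```python
"""Inbound-mail attachment allow-listing (added example, not from the original post).

Two checks per attachment: the file extension must be on a short allow list,
and the first bytes must match the file type that extension claims, so a
renamed executable does not slip through as a document.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed allow list: the few attachment types the business really needs.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".txt"}

# Expected leading bytes ("magic numbers") per allowed extension; None = no sniff.
MAGIC_BYTES = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are zip containers
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".txt": None,
}


def inspect_attachment(filename, data):
    """Return (accepted, reason) for one attachment's name and raw bytes."""
    if not filename:
        return False, "attachment has no filename"
    name = filename.strip().lower()
    dot = name.rfind(".")
    if dot <= 0 or dot == len(name) - 1:
        return False, "no file extension"
    ext = name[dot:]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext} is not on the allow list"
    magic = MAGIC_BYTES.get(ext)
    if magic and not any(data.startswith(m) for m in magic):
        return False, f"content does not look like a {ext} file"
    return True, "ok"


def check_message(raw):
    """Parse a raw RFC 5322 message and return one verdict dict per attachment."""
    parsed = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in parsed.iter_attachments():
        data = part.get_payload(decode=True) or b""
        accepted, reason = inspect_attachment(part.get_filename(), data)
        results.append({"filename": part.get_filename(),
                        "accepted": accepted, "reason": reason})
    return results


def should_quarantine(raw):
    """Gateway decision (hypothetical policy): hold the mail if any attachment fails."""
    return any(not r["accepted"] for r in check_message(raw))


def build_sample_message():
    """Constructed sample mail: one clean PDF, a zip, a renamed EXE, a screensaver."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 8,
                       maintype="application", subtype="zip", filename="invoice.zip")
    # Declared and named as a PDF, but the bytes start with the "MZ" executable header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 8,
                       maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 8,
                       maintype="application", subtype="octet-stream", filename="setup.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for verdict in check_message(raw):
        print(f"{verdict['filename']:<16} accepted={verdict['accepted']}  {verdict['reason']}")
    print("quarantine:", should_quarantine(raw))
```

Only `invoice.pdf` is accepted; the zip fails the allow list, `statement.pdf` fails the byte sniff, and `setup.scr` fails the allow list, so the whole message is held. In a real gateway the allow list would be tuned per business, and the sniff is a cheap sanity check layered in front of the AV engines, not a replacement for them.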
Contact us at SecureNation to discuss Defense In Depth, Employee Security Training, or Disaster Recovery options.

SCAM: Nepal Earthquake

More than 7,000 people dead and counting. And you can also count on cyber-criminals exploiting the disaster. What else is new. Disgusting. Scammers are now using the Nepal disaster to trick people into clicking on links on Facebook, on Twitter and in phishing emails that solicit charitable giving for the earthquake victims. It is typical of past disaster fraud scams, in which the scammers play on the heartstrings of people who want to help the victims. Here are some examples:
  • Facebook pages dedicated to victim relief contain links to scam websites.
  • Tweets are going out with links to charitable websites soliciting donations, but in reality they include spam links or links that lead to a malware infection.
  • Phishing emails dropping in a user’s inbox asking for donations to the Nepal Earthquake Fund.
Previous disasters have been exploited like this, but the bad guys are going at it again with all guns blazing. Be wary of anything about the Nepal earthquake in the following weeks. Please warn your employees, friends and family against this scam of the week. If you want to make a donation, go to the website of the charity of your choice and donate there. Type the address in your browser; do not click on any links in emails or texts you might get. THINK BEFORE YOU CLICK. Here is the FBI alert about this scam. It might be a good idea to send this link to all employees; an FBI alert usually has a bit more impact.

Fall-outs from infamous data breaches

In a blog post on IT Governance dated February 17, 2015, Julia Dutton wrote about the expenses and other ramifications that companies caught with a data breach have endured and could encounter in the future. We are talking lawsuits, remediation (both for the company and its customers), more investigations, and possible firings of top executives. Any organization that does not take its IT security seriously could find itself paying out millions of dollars to potential victims of any data breach of its files. Lawsuits are now proceeding against Target from the banks that had to pay out to replace the compromised credit cards. If you think you are safe, that is the first clue that you need more security. No one is safe anymore; about the best we can do is our best to protect our assets and our customers from data breaches. As Jeff Mueller, FBI Director, once said, “There are only two types of companies: those that have been jacked and those that will”.

Merchants have new cause for concern

Reuters published an article on December 5th about a new lawsuit status that could leave merchants and others taking credit cards for payment with more concern than ever. A judge in Minnesota ruled that a class action lawsuit from banks and other financial institutions can proceed against Target. U.S. District Judge Paul Magnuson found that the banks were foreseeable victims of Target’s negligent conduct. The suit seeks to recover some of the billions the banks and financial institutions spent replacing customers’ compromised credit and debit cards. Target filed to dismiss because there was no contract in place between the card issuers and Target. Magnuson agreed with the banks’ argument that the case is about plain old negligence, not third-party contract harm. He also found that imposing a duty of care on Target “will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information”, a policy he found followed from Minnesota’s Plastic Card Security Act, which holds merchants liable for card issuers’ costs on Minnesota businesses that have violated the law’s restrictions on retaining customer data.

Travel Smart During Spring Break

This spring break, students and families will step away from school and travel to warmer locales.

Before you jet to your spring break destination, don’t forget to pack your passport, sunscreen, and these mobile safety tips from Stop.Think.Connect.:

Keep a Clean Machine. Ensure all devices that connect to the Internet, including smart phones, tablets, and laptops, have the latest mobile security software, web browsers, and operating systems. This is the best way to defend against viruses, malware, and other online threats.

Protect Your Personal Information. Keep your phone securely locked (with a passcode) and in your possession. Disable geotagging features on your phone and applications so that your movements are not tracked and broadcast. Only give your phone number to people you know, and don’t share your friends’ numbers without their permission.

Connect with Care. While conducting online banking or shopping, look for websites that begin with “https.” These sites have taken extra measures to secure your information. Also, be wary of using public Wi-Fi or Internet hotspots to conduct sensitive online activities, such as banking and shopping.

Be a Good Online Citizen. Think before you upload photos or videos. What you put online can have consequences in the future. Ask your friends’ permission before uploading photos of them as well.

For more cybersecurity tips for those on the go, download the Stop.Think.Connect. Mobile Safety Tip Sheet.

This information was published by GovDelivery on behalf of the US Department of Homeland Security in a March 2014 newsletter email.

Be Aware of Online Fraud – Protect Yourself.

Online fraud is big business for criminals. The Internet Crime Complaint Center (IC3), jointly run by the Federal Bureau of Investigation and the National White Collar Crime Center, reported receiving over 289,000 complaints in 2012, which resulted in more than $525 million dollars in losses. Many long-running telemarketing and mail fraud techniques are now being used on the Internet, with criminals preying on people’s trust to bilk Americans out of millions of dollars. In addition, some criminals target older Americans or small businesses with specific scams.

Common online fraud scams include:

  • People selling items, such as automobiles, that they do not own. These transactions can take place over sites like Craigslist or eBay, with the buyer transferring money electronically and receiving no product in return.
  • Phishing and spoofing, where criminals pretend to represent a legitimate company or agency and request personal information from their targets. These attempts can include a legitimate-looking email or website. In these cases, the criminals have “spoofed” a real company’s site.
  • Nigerian letter scam, where people are offered to share in a large sum of money if they can help place this money in overseas bank accounts. Victims give criminals their bank account information and send money to the criminals to help pay for bribes and taxes with the promise of repayment.
So how can you protect yourself? Follow these tips from the Stop.Think.Connect.™ Campaign and the National Cyber Security Alliance (NCSA):
  • Think Before You Act. Be wary of “too good to be true” deals. Free money, cheap iPads, cheap cars – if a deal sounds too good to be true, then it probably is.
  • When in Doubt, Throw it Out. Do not click on links or emails that seem suspicious or are from unknown, unsolicited sources.
  • Shop Only at Reputable Online Retailers. Look for the padlock symbol or for URLs that start with “https” or “shttp.” For auction sites such as eBay, check the seller’s reviews.
  • Use Safe Payment Options. Use a credit card if possible. Credit cards have higher protection measures than debit cards. If you do become a victim of fraud, credit cards offer a better chance that you will not be liable for fraudulent charges.
If you believe you have been a victim of online fraud, file a complaint through the online complaint form or with IC3.

This information was published by GovDelivery on behalf of the US Department of Homeland Security in a March 2014 newsletter email.

How employees get around IT policies and restrictions

Thanks to mobile devices, cloud services, mobile apps and MiFi hotspots, end users can get around even the most stringent IT policies. But how do they do it? To understand the answer to that question, it’s important to take a look at the restrictions a typical company might place on employees and contractors. That way, you can take the appropriate steps to limit the loss of control over data. Most companies have a mixture of personal and corporate-owned devices, which means there’s a mixture of IT policies that apply to each. Many businesses also have some kind of enterprise mobility management (EMM) tool to enforce those policies and monitor devices, data and apps. Some businesses even have bring-your-own-device (BYOD) or security policies that outline usage rules for employees who use their personal devices for work. Common rules that an IT department may lay out include:
  • only allowing employees to connect devices with a certain mobile operating system to the corporate network
  • not permitting workers to use jailbroken or rooted phones
  • prohibiting users from changing the SIM cards in their phones and tablets
  • banning specific tools and services, such as cloud vendors and MiFi hotspots
  • enforcing certain levels of encryption that let EMM tools hook into users’ devices
Despite all those IT policies and restrictions, employees want to use personal devices for work because it allows them to be more productive. Agreeing to these IT-enforced policies usually gives workers the ability to access company email, use remote desktop tools or virtualization to access their files and use company-approved apps.

How and why do employees circumvent IT policies?

Admins often give users who violate policies the benefit of the doubt because employees don’t always break the rules for malicious or vindictive reasons. Rather, workers may not even know that certain actions break a company policy. That being said, thousands of breaches occur daily, and they can cost companies millions of dollars. Breaches can occur when employees store company information in third-party cloud services or when they use a blacklisted app, jailbroken phone or other device that does not meet the company guidelines. Employees who violate policies usually do so to be more productive. For example, many companies require workers to “remote-in” to access files from a mobile device. An employee may find it easier to store those files in a personal Dropbox account and then access them from anywhere, even though that action may violate a corporate policy. Additionally, restrictions on device model and OS version can cause strife for employees who may buy a personal device based on price. If the device they choose falls below the standards that the IT department set, that employee only has a few options: get no work done, upgrade his phone to gain access to the tools he needs, or go around IT blocks.

What should IT admins do?

Today’s users are smart, and they will do what they need to so they can get work done, but there are steps you can take to combat employees circumventing IT policies.

Create policies based on employees. Interview users to learn how they work, find out which devices and apps they like, and then form policies around that research. When the guidelines for devices, services and applications mirror the way people really work, they won’t need to go around restrictions. For example, whitelist a note-taking app that you are comfortable supporting, rather than blacklisting all note-taking apps. You’ll only have to manage one app, and employees can still get work done.

Educate users. You might find that some employees are still new to smartphones and tablets. Education is key for these employees, and it doesn’t hurt to refresh the memories of seasoned mobile device users. Make sure workers know how to get the most out of their devices, teach them about the risks of exposing company data, and explain why your company’s policies are in place.

Focus on data, not devices. Although you may need to create specific device guidelines so you can continue to use your EMM tools on all the devices that access your network, it’s more important to keep data safe. Operating systems change and update frequently, and it can be difficult to keep up.
This is a reprint from an article first published in February 2014 by Matt Schulz on