Scam of the Week: Massive DocuSign Phishing Attacks
DocuSign has admitted it was the victim of a data breach, limited to customer email addresses, that has led to massive phishing attacks using the exfiltrated DocuSign information. Ouch. So here is your Scam of the Week.
They discovered the breach when, on May 9, 15, and 17, DocuSign customers were targeted with phishing campaigns. They are now advising customers to filter or delete any emails with specific subject lines. We do not repeat them here, because this newsletter might be filtered out, but you can see them at the blog, together with screenshots:
The campaigns all carry Word documents as attachments and use social engineering to trick users into enabling Word’s macro feature, which then downloads and installs malware on the user’s workstation. DocuSign warned that it is highly likely there will be more campaigns in the future.
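As an added defensive illustration (not code from DocuSign or from this newsletter), the two traits described above can be checked on inbound mail: a display name that claims DocuSign while the sender domain is something else, and a Word attachment that embeds a VBA project. The DocuSign domain list and the sample message are assumptions constructed for the example.

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed list of legitimate DocuSign sender domains; adjust to your mail logs.
DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
WORD_EXTENSIONS = (".doc", ".docm", ".docx", ".dotm")

def word_has_macros(data: bytes) -> bool:
    """True if a Word file embeds VBA; OOXML stores it as word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        # Legacy binary .doc: crude marker check (OLE names are UTF-16LE), not a full parse.
        return "_VBA_PROJECT".encode("utf-16-le") in data

def assess_message(raw: bytes) -> list:
    """Findings for one RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    if "docusign" in name.lower() and domain not in DOCUSIGN_DOMAINS:
        findings.append("display name claims DocuSign but sender domain is " + domain)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(WORD_EXTENSIONS) and word_has_macros(part.get_payload(decode=True)):
            findings.append("Word attachment " + fname + " contains VBA macros")
    return findings

def build_sample(from_header: str, with_macros: bool) -> bytes:
    """Constructed test message (not a real campaign sample) carrying a minimal .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    msg = EmailMessage()
    msg["From"] = from_header
    msg.set_content("Please review and sign the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Document.docm")
    return msg.as_bytes()
```

Run `assess_message` over raw messages pulled from your gateway quarantine; a non-empty result is a reason to hold the mail for review rather than deliver it.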
I suggest you send the following to your employees. You’re welcome to copy, paste, and/or edit:
“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and clicking to enable editing.
But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”
Let’s stay safe out there.
Founder and CEO
Remember the James Bond movie Goldfinger? It was based on Ian Fleming’s seventh novel, which first featured the timeless quote: “Once is happenstance, twice is coincidence, the third time it’s enemy action”. – Auric Goldfinger
First, a few months ago, very much under the radar, attackers used spoofed emails to impersonate an executive of Interscope Records, the record label owned by Universal Music Group.
This CEO fraud targeted two music-related businesses, September Management and Cherrytree Music Company, and socially engineered employees into sending them Lady Gaga’s stem files — the files used by music engineers and producers for remixing and remastering.
Using tried-and-true tradecraft, the bad guys figured out that high-profile entertainment targets are supported by an ecosystem of softer targets which do not have the same resources and security technology. Remember that Target was hacked via their HVAC contractor?
Next, last month criminal hackers leaked unreleased episodes of “Orange Is the New Black” after they penetrated Larson Studios, one of Netflix’s post-production partners, and unsuccessfully tried to extort Netflix. They demanded a ransom of 30 bitcoins, now roughly 60,000 dollars.
A source from inside the industry told me that there are at least 50 other titles that have been exfiltrated, belonging to Larson’s other clients, including ABC, Fox, National Geographic and IFC.
Third, news broke that Disney got pwned and Pirates got pirated. Their CEO Bob Iger warned that hackers are holding the unreleased copy of “Pirates of the Caribbean” movie. The hackers are demanding a massive amount of ransom in Bitcoin and threaten to release the movie if their demands are not met.
No Intent to Pay
For now, as far as we know, Hollywood studios have presented a united front and stated they have no intention of paying any ransom — assumed to be a business decision based on a risk assessment of how much revenue and how many viewers they might lose — despite a “handsome business proposal” by the hackers: pay a ransom, or see files deleted, sold or published online.
So, Who Is Next?
Losing a movie file that cost 200 million to make is obviously a disaster, but a release through torrent still only reaches a small part of the net, and mostly people who might not cough up the money to see the movie in the first place.
But what of the crown jewels in your own organization? If those were sold to a competitor in China who then brings your product to market for 30% of your price, that would mean massive losses. This has happened numerous times, and in most of the cases it was done through spear phishing attacks using social engineering.
Your Employees Are Your Last Line of Defense
Bad guys go for the low-hanging fruit. If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step employees through effective security awareness training.
It will help you prevent this kind of disaster or at least make it very hard for the bad guys to social engineer employees. Find out how affordable this is for your organization. Get a quote now:
“The Best Cybersecurity Investment You Can Make Is Better Training”
The Harvard Business Review has an excellent article which is great ammo to get budget for new-school security awareness training. They started out with:
“As the scale and complexity of the cyber threat landscape is revealed, so too is the general lack of cybersecurity readiness in organizations, even those that spend hundreds of millions of dollars on state-of-the-art technology.
Investors who have flooded the cybersecurity market in search for the next software “unicorn” have yet to realize that when it comes to a risk as complex as this one, there is no panacea — certainly not one that depends on technology alone.” […]
“In short, there will be some investment required in enhancing personnel readiness. But it can be cost effective over time, particularly when compared to implementing cutting-edge cybersecurity technology that may become obsolete.
To be clear, technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.”
I suggest you send this link to your C-level execs:
I Was Interviewed on NPR: “Ransomware — Should Businesses Pay Up?”
National Public Radio reported on ransomware and on whether you should pay after getting hit with a ransomware infection:
“Never, ever, ever give in to ransomware,” said Liviu Arsene, a threat analyst at BitDefender. “If you give in once, probably hackers will come in again and again, and try to extort money from you. Once there’s blood in the water, definitely sharks will come.”
And no one wants sharks. That “don’t pay up” advice is what you’re going to hear from law enforcement. And it’s advice that a lot of experts are going to give in a situation like Disney’s: Don’t negotiate with terrorists.
But Stu Sjouwerman, from the cybersecurity training firm KnowBe4, said when hackers have locked up your data, it’s not always cut and dry. “It’s a business decision,” Sjouwerman said. There’s a fate — potentially worse — than those circling sharks.
“If you find that your backups failed, and you find that you’ve lost months of work, which would potentially even shut you down as an organization, it’s a no-brainer to pay the ransom,” Sjouwerman said. “And many people do.”
At the top of the page, you can listen to the 2-minute segment:
Live Webinar: Best Practices and Future Direction of Security Awareness Training
While reported numbers fluctuate from industry study to industry study, they all agree on one thing: cybercriminals are successfully and consistently exploiting human nature to accomplish their goals. Prudent security leaders know that security awareness and training is key to strengthening their ‘human firewall’ – but they often don’t know where to start.
Join security awareness expert Perry Carpenter, Chief Evangelist and Strategy Officer for KnowBe4 and former Gartner Research Analyst, for this live webinar, “Best Practices and Future Direction of Security Awareness Training”. We will discuss emerging industry trends and provide the actionable information you need to train your last line of defense: your employees.
Perry will cover these topics:
• Practical security awareness and behavior management tips
• How and where tools are helpful
• Emerging industry trends
• How to create a ‘human firewall’
Webinar Date/Time: Thursday, May 25, 2017, at 2:00 PM EDT
Register Now! https://register.gotowebinar.com/register/4096453053252124163
Not able to make that time? Grab this whitepaper instead:
Endpoint Protection Ransomware Effectiveness Report
It’s estimated that in 2016 the cost of ransomware was over 1 billion dollars, making it the most lucrative criminal business model in the history of malware. Every organization is at risk, and with over 33% of businesses experiencing an attack in the past year, it’s more important than ever to have adequate protection in place.
For this report, we surveyed businesses across all industries to find out what they’re doing to defend themselves. We thoroughly examined who is at risk, what the scope and cost of an attack is, how organizations are protecting themselves from ransomware, and the effectiveness of their endpoint protection.
The results might surprise you! Download here: