Tag Archives: First line of defense

German firms lost millions of euros in ‘CEO Fraud’ scam: BSI

23 July 2017

The report ‘German firms lost millions of euros in ‘CEO Fraud’ scam: BSI’, published by Reuters Technology News on 10 July 2017, is really worrying. Whaling, a special form of spear phishing aimed at corporate executives, is not new at all. For some examples see this slide show on CIO.com.

It appears to me that in Germany the first line of defense, the employees, are not adequately prepared to detect and correctly handle phishing attacks, even though anti-phishing training is the most effective and cost-efficient defensive measure against all kinds of phishing.

In addition, two rules are helpful and should be communicated to all employees:

  1. Never act on a business request that appears to come from a company executive unless the email carries a valid S/MIME signature from a certificate issued by the company’s own certificate authority (or one the company explicitly trusts).
  2. Never trust an email from a business partner unless it is signed with the partner’s valid email certificate.

A signature only proves that the holder of the private key produced the message, so the mail client must validate the certificate chain against the trusted CA, and the reader must check that the signer’s address is the one the message claims to come from; a valid signature from a look-alike domain is still an attack. Technically, S/MIME signing is straightforward to deploy, so even small and medium-sized businesses can use signed email in daily communication.

Have a great week.

Webinar Digital Extortion: Will you pay the ransom?

27 July 2016

I attended the IBM Security webinar “Digital Extortion: Will you pay the ransom?” this evening. Limor Kessem talked about the history of and the latest trends in ransomware. Robert Lelewski gave an overview of the means to guard against and to recover from ransomware attacks.

Robert Lelewski showed a really remarkable slide:

Train users to beware of threats

The message is simple: Your users are the first line of defense. User training is the most effective means of combating cyber-attacks.

For more details, see the IBM ransomware landing page.

Have a good day.

Don’t ‘Enable Macro if Data Encoding is Incorrect’!

30 January 2016

If you open a Word document attached to an email and see the message ‘Enable macro if data encoding is incorrect’, you are well on the way to becoming the victim of a cyber-attack:

Dridex malware requests to lower macro security

Word blocked the document’s auto-open macro to prevent its execution. In the case of the document ‘Fax 49 2232949992120160128232732.doc’ the payload is the trojan ‘W2KM_DRIDEX.BM’. Besides other malicious activities, the macro downloads and executes the program g545.exe from a server hosted in the Russian Federation.

So far everything has gone well: Word was configured securely and blocked the auto-open macro before it could fetch the payload. The right next step is to close Word and delete both the email and the downloaded attachment.

But if you comply with the request and lower the macro security settings in Word, the macro runs and you have been tricked.

As always, the first line of defense is a well-trained user who follows these commandments:

  • ‘Think twice before you click on any link or attachment’,
  • ‘Never lower your security settings at the request of any source’, and
  • ‘Disable all macros with notification’ (or the stricter ‘Disable all macros except digitally signed macros’) in the Word Trust Center, section Macro Settings.

In the worst case the outcome is a power blackout, as in Ukraine on 23 December 2015, where the attack also started with macro-laden Office documents delivered by spear phishing.

Have a good weekend.

Some thoughts on ‘Dridex Reminds Us: You Can’t Prevent What You Can’t Detect’

28 March 2015

The latest Bromium post is really worth reading. Dridex is a further development of the Cridex trojan. Its sole goal is to steal online banking credentials so that cyber-criminals can empty the victim’s bank accounts.

Dridex is a real beast. The developers put the payload into a Microsoft Office AutoClose macro, so the malicious code runs only when the document is closed, which defeats sandbox analysis that watches only what happens when the document is opened. Properly configured Protected View is a real hurdle for an attacker, but the bad guys had taken even this into account.

Michael Mimoso writes on Threatpost: ‘While macros are disabled by default since the release of Office 2007, the malware includes somewhat convincing social engineering that urges the user to enable macros—with directions included—in order to view an important invoice, bill or other sensitive document.’

The first line of defense, user awareness, failed spectacularly! If someone tries to persuade you to leave Protected View or to enable macros in order to view an email attachment, it is very likely a cyber-attack.

Task virtualization would have protected the user in this case. But even task virtualization has its limitations. From my point of view, well-trained users who are aware of the dangers of the internet are the first line of defense today. Technology supports them in staying secure, unless the user deactivates it or the attacker bypasses it.

Have a good weekend.