CyberheistNews Vol 2, #47

Editor's Corner



Top 5 Spear-Phishing Attacks Targeting Executives

Twice a year, KnowBe4 publishes the Top 5 spear-phishing attacks that are used to lure executives into clicking on links or opening infected attachments. We recommend sending this list to your executives to give them a heads-up.

The bad guys do not discriminate: they attack businesses, but also non-profits, governments and even churches. They are using increasingly sophisticated spear-phishing scams on executives with access to corporate financial accounts and other high-level proprietary information. Some organizations are under constant, 24-hour attack by foreign hackers that are after their intellectual property; this is known as an Advanced Persistent Threat (APT). These hackers do their research and spend time customizing their spear-phishing emails; as a result, many recipients are fooled by the level of detail and the authentic-looking messages and websites.

Here are the most recent spear-phishing attacks that are currently making the rounds nationwide, and which pose a significant threat to your data and financial security. Note that some of these attacks have been used for years, because they continue to work on uninformed people.

Number 5
The Better Business Bureau Complaint – In this scam, executives receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.

Number 4
The Smartphone 'Security App' – This is a two-step attack. With minimal research, cybercriminals can find the name and email address of a company's CFO and social engineer them into clicking a link. That link infects the CFO's PC with a keylogger, through which the hacker obtains bank account data and passwords. If the bank uses two-factor authentication, the attacker spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually malware giving them access to the phone. With that, the cybercriminals have full access to the CFO's bank account login credentials and at the same time control any two-factor text messages sent to or from the CFO authorizing money transfers.

Number 3
The Watering Hole Attack – Hackers do their research on a targeted executive and find out which websites the executive frequents, sometimes to discuss industry-related topics with peers, or perhaps a hobby site the hackers learned about through the exec's social media postings. Next, the bad guys compromise that website and inject a zero-day exploit into public pages of the site that they hope will be visited by their targeted executive. Once the exec visits, their PC is infected with a keylogger and the network is penetrated.

Number 2
Free Dinner in Return for Feedback – By reviewing an executive's social media profiles, cybercriminals are able to determine which charities that individual supports or does business with, as well as his or her favorite local restaurants. The scammer then spoofs an email from a representative of that charity, asking the exec to download a Word doc that supposedly contains details on an upcoming campaign or event, and promises a free dinner at their favorite restaurant as an incentive for providing feedback. When the Word doc is downloaded, the user's password is stolen, which gives hackers direct access to the network. Here is a short video of Kevin Mitnick showing how this type of exploit works. Take these two minutes, it's worth seeing:

Number 1
'We're Being Sued' – In this scenario, attackers dig up the email addresses of a company's executives and also their legal counsel (in-house or external). They then spoof an email from the legal counsel to the executive team and attach a PDF that claims to contain information about new or pending litigation. When the recipients download and open the attachment, their system becomes infected and the entire network is compromised.
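As an added, defender-side example (not from the newsletter or from KnowBe4), the following Python script shows two mail-gateway checks that catch the spoofed "from legal counsel" and "from a fellow exec" lures described above: an internal From address that did not pass DMARC, and a known executive's display name attached to an outside address. The organization domain, the directory of protected people and the sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumptions (not from the newsletter): the defended organization's domain and a
# small directory of the executives and legal counsel attackers like to impersonate.
ORG_DOMAIN = "example.com"
PROTECTED_PEOPLE = {"jane doe": "jane.doe@example.com"}   # display name -> real address

# Constructed samples: a direct From-header spoof of in-house counsel, a lookalike-domain
# impersonation that passes DMARC for the attacker's own domain, and a legitimate message.
RAW_SPOOF = """From: Jane Doe <jane.doe@example.com>
Subject: Pending litigation - see attached PDF
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; dmarc=fail

Please review the attached filing before tomorrow's hearing.
"""
RAW_LOOKALIKE = """From: Jane Doe <jane.doe@example-legal.invalid>
Subject: Pending litigation - see attached PDF
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-legal.invalid; dmarc=pass

Please review the attached filing before tomorrow's hearing.
"""
RAW_OK = """From: Jane Doe <jane.doe@example.com>
Subject: Board minutes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass

Minutes from last week's meeting are in the shared drive.
"""

def auth_results(msg):
    """Parse Authentication-Results into {'spf': 'pass', 'dmarc': 'fail', ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:          # skip the authserv-id
            method, sep, rest = clause.strip().partition("=")
            if sep:
                results[method.strip().lower()] = rest.split()[0].lower()
    return results

def assess(raw):
    """Return a list of findings; an empty list means no impersonation signal."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain == ORG_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        findings.append("internal sender without DMARC pass (likely spoofed From)")
    real = PROTECTED_PEOPLE.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' impersonates {real}")
    return findings
```

The DMARC check only works if your own domain publishes SPF/DKIM/DMARC records and your gateway stamps Authentication-Results; the display-name check is what catches lookalike domains that DMARC cannot.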

While savvy Internet users realize they should not click links or download attachments from unknown senders, spoofed emails and official-looking websites trick recipients into letting their guard down. When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won't think twice before clicking, because they trust the person they believe is the sender. That's what cybercriminals are counting on, and why they're willing to invest the time to create realistic-looking messages from familiar sources. They've discovered just how effective these types of spear-phishing scams can be.

Stepping execs through high-quality security awareness training is a must these days:

Please Forward This Newsletter To Your Friends

There are 40,000 people getting CyberheistNews every week, but we need to get the word out to many more, to protect everyone's network. Please forward this newsletter to people you know who can benefit. Here is the link to subscribe:


Quotes of the Week

"The betrayal of trust carries a heavy taboo." - Aldrich Ames (Soviet mole in the CIA)

"I need not fear my enemies because the most they can do is attack me.

I need not fear my friends because the most they can do is betray me.

But I have much to fear from people who are indifferent."
- old Russian Proverb

Please tell your friends about CyberheistNews! They can subscribe here:


Prevent Email Phishing

Want to stop phishing security breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy for cybercriminals to find? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly 'security awareness' trained. IT security specialists call it your 'phishing attack surface'. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk.

Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back the list of exposed addresses. The number is usually higher than you think.

Sign Up For Your Free Email Exposure Check Now:


Why We Are Doing This

Some of you might remember Sunbelt Software, which from 1996 to 2010 sold system admin and security tools for Windows Server. I am one of the two co-founders of Sunbelt. After distributing other developers' tools for a few years, we decided to become a security tool developer in the early 2000s. Our first security product was iHateSpam, followed by CounterSpy, and a few years later we released VIPRE Antivirus, a brand new, low-resource platform created from scratch to integrate antivirus and antispyware. As opposed to other antivirus solutions, VIPRE was not a resource hog; it took off like a rocket, and we soon had many thousands of enterprise customers. Sunbelt was acquired by GFI in 2010 and the VIPRE brand is still doing great.

However, during that time I observed one problem. The bad guys were bypassing software-based security and going straight after the user. The moment the end-user clicks a link or opens an attachment, the risk of infection is much, much higher. Yes, you can try to protect your domain with URL blacklists and other layers, but those get bypassed too. The average malicious website lives for just a few hours, and that often is not enough time to make it onto a blacklist.

The problem? The user is the weak link in IT security. The only way to fix that issue is education, and that is where I decided to focus my new company, KnowBe4. We help IT professionals defend their networks by educating their users about spam, phishing, spear phishing, social engineering and malware. But that's not all. We also automated the whole process of sending regular simulated phishing attacks to all end-users and tracking who opens and who clicks. That way you can weed out the weak links quickly and remedy the problem with some additional training, a chat with their manager, or ultimately a visit to HR.

And how did we create this security awareness training? I partnered with Kevin Mitnick ('The World's Most Wanted Hacker') and over an 8-month period we distilled his 30+ years of hacking experience into a 30-minute course for employees. Consider it another security layer that these days is super important: your 'human firewall'.

The Kevin Mitnick Security Awareness Training has been extremely well received, and you can check it out here. Read the InfoWorld article:


Global Phishing Survey: Trends and Domain Name Use 1H2012

The Anti-Phishing Working Group (APWG) just released its latest survey, which I strongly suggest you read. For instance, APWG found that average uptimes of phishing attacks dropped to a record low of 23 hours and 10 minutes in 1H2012, about half of what it was in late 2011, and by far the lowest since the report series was inaugurated in January 2008. There is great data in there; here are their major findings:

1. The average and median uptimes of phishing attacks dropped to a record low in 1H2012, by far the lowest since we began measuring in January 2008.

2. The number of phishing attacks rose.

3. Phishers registered more subdomains than regular domain names, while the number of domain names registered by phishers has dropped by almost half since early 2011.

4. The number of targeted institutions has dropped; phishers continue to target larger or more popular targets.

5. Phishers attacking Chinese institutions were responsible for two-thirds of all malicious domain name registrations made in the world.

6. Domain name owners in South America had their web servers compromised by phishers in growing numbers.

Here is the full report in PDF format. Like I said, recommended reading:


The Dirty Dozen: 12 Notorious Credit Union Heists

Over the years, the credit union industry has witnessed notorious fraud and embezzlement cases involving CEOs and their family members, credit union members, rank-and-file employees, labor union chiefs, computer consultants, lawyers, real estate investors, government workers and

While there have been a lot of credit union fraud cases of varying degrees, this list focuses on what Credit Union Times believes to be the worst of the worst cases, which we name the Dirty Dozen. The individuals involved in these infamous heists – many of whom are still in prison – stole a total of more than $185 million over the past 25 years. Not necessarily high-tech cyberheists, but interesting reading from the perspective of fraud prevention. You always learn something:


Nightmare On Database Street: 5 Database Security Horror Stories

OK, it's Halloween soon. I thought this story in DarkReading was quite appropriate, and a fun read: "Chilling stories from penetration testers, database pros, and security consultants in the field. Database security may not be quite as sexy as a teenage party in a classic horror film. But when it's done wrong, technology executives, CEOs, and customers alike would shiver at the consequences. Don't think so? Then read just a few of the horror stories laid out by some of the grizzled penetration tester vets we quizzed here. Their exploits show how scary bad database security can really be":


Get Your Free Full Copy Of 4-Star E-book 'Cyberheist'

Ben Rothke, an IT security specialist and author, recently reviewed my book 'Cyberheist' and gave it 4 stars! He ended off with:

"At just under 200 pages, Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008 is not the definitive text or the most comprehensive one on the topic. But for those looking for a brief and easy to read overview of the topic, with a lot of real-world advice, Cyberheist makes for a good read."

Register Now For Your Free FULL Copy (instant PDF Download)


Cyberheist 'FAVE' LINKS:

* This Week's Links We Like. Tips, Hints And Fun Stuff.

From the unique perspective of one of its F/A-18 escort jets, here is an extended aerial view of Space Shuttle Endeavour's final Southern California flyover:

Dial-O-Spresso – a phone-controlled coffee machine. I want one!

If you get one of these flying over your building you can kiss your whole network goodbye!:

Bridge Against Trucks! Watch this undefeated bridge destroy dozens of trucks and buses in the city of Durham:

Russia builds its first realistic female android. The face is quite real but the speech is terrible. Check out the video:

Hang gliding master pilot and advanced instructor Ryan Voight doing amazing loops, rolls and aerobatics:

In a small tractor workshop in the dusty village of Banjiehe, 55-year-old farmer Tang Zhenping has built a prototype of a 'wind powered' car. LOL:

Brad proposes to his sweetheart Emily by recruiting 90 friends and family to perform a choreographed lip dub on the shore of Lake Michigan: