
KnowBe4

Security Awareness Training Blog


Keeping You Informed. Keeping You Aware.

Seagate Gets Initial OK For 5.7 Million Employee W-2-Phishing Settlement

A California federal judge gave his initial blessing Thursday to Seagate Technology LLC’s settlement that includes services valued at 5.75 million dollars and resolves class-action litigation over a 2016 phishing incident that allegedly affected about 12,000 employees and their close relatives.

Advertising Intelligence—ADINT—Can Be Misused For Social Engineering

You are probably aware of the terms SIGINT (signals intelligence, like radio interception) and HUMINT (human intelligence, like espionage). The University of Washington has coined a new one, ADINT, and has shown that anyone with about $1,000 can use it to track which apps an employee uses and where they have been, information that can then feed social engineering attacks.

A team of computer science engineers at UW learned that obtaining the mobile advertising identifier of an employee's smartphone, known as a MAID, would open the door to all the information advertisers use to serve promotional materials. The study is titled "Using Ad Targeting for Surveillance on a Budget."

"It’s not a particularly high bar to entry for a very, very highly targeted attack," says Adam Lee, a professor at the University of Pittsburgh who reviewed the University of Washington study. The University of Washington will present its findings in Dallas on Oct. 30 at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society.

The First Recorded Statement Of Security Awareness Training?


I was just sent a link to a video of Kevin Mitnick's testimony before a congressional committee on March 2, 2000, where he explained how he was able to hack into dozens of large organizations, including the IRS, using social engineering as his only tool.

The sender asked: "Stu, is this the first recorded statement on, or possibly the genesis of, Security Awareness Training?"

Excellent question and I am asking all subscribers the same thing. Are you aware of any earlier mention of this in any form? Email me at stus@KnowBe4.com please.

Lower Cybercrime Costs! Attack Humans...

This could be a headline on a dark web site for cyber criminals. And it would be correct.

Our colleagues at Wombat did some digging and came up with relevant research you should know about.

The Ponemon Institute recently published their 2017 Cost of Cyber Crime Study and they delivered some sobering statistics that I will not bore you with. The upshot is that we are losing the war on cybercrime. The study noted that the attackers are getting smarter and more organized, and are “finding it easier to scale cybercrime globally.”

Mobile Phishing Attacks Jump, Financial Industry Is Biggest Target

Jason Koestenblatt at Enterprise Mobility Exchange wrote: "Thanks to the amount of time employees are spending online to get work done, hackers have a veritable treasure trove of opportunities and touch points to gain entry into an enterprise’s data and sensitive information.

That’s why the number of breaches continues to grow each year, and one of the methods in which they’re accomplished is through phishing. In a new report released by PhishLabs, data from Q1 to Q2 in 2017 shows a staggering rise, and the likelihood that it will slow down is slim.

In the study, it was learned that overall phishing volume grew 41% between the first and second quarters of this year, and the financial industry was the largest target, making up 33% of all phishing threats between April and June of 2017.

CyberheistNews Vol 7 #41

Ransomware Spear Phishing Attack Used To Hide 60M Cyberheist

In a classic "divert their attention" move, the Taiwan Far East Bank was first attacked with spear phishing emails that pointed to malicious executables, which employees clicked on. These .exe files gathered the employees' credentials and turned off the security software used in the bank.

Only then did the attackers gain access to the systems that allowed 60 million dollars in transactions. To hide their activity, the bad guys kicked off pseudo ransomware during the whole process. The Hermes strain encrypts more files than usual and slows the infected workstation down to a crawl. There is also no way to decrypt the files, and no ransom notes were left.

KnowBe4 Customer: "I’m not happy at all. More like ecstatic."

In our series "What customers say about us" here is another email with feedback that I got when I asked if they were a happy camper. We will let the customer speak for himself:

"I’m thankful I ran into Perry Carpenter at the June Gartner Summit. Otherwise, I would not have engaged with Knowbe4.

"Within weeks of becoming customers, we ran a baseline phishing test, put in place core training, and plans for 2018. The system has proven easy to use and has capabilities we wanted, but could never find elsewhere. We abandoned SANS as their system was too hard to use, and lacked features.

"The level of innovation in your platform is remarkable, and so is the level of value. Your product team seems to understand what a security team wants and needs. That kind of focus is rare in my experience, and I hope it continues!

New Worry For CEOs: A Career-Ending Cybersecurity Breach

Corporate chiefs get more involved in defense against hackers, fearing a cybersecurity breach could cost their jobs, hurt their businesses.

Vanessa Fuhrmans wrote an excellent heads-up for CEOs in the Wall Street Journal. I recommend you send your CEO a link to this article if they have not seen it yet. (Remember that WSJ does have a paywall.) Link to WSJ Article

"Cyber threats have zoomed to the top of chief executives’ worry lists for fear a data breach could cost them their jobs and take down their businesses.

Watch Out For This New Amazon Phishing/Phone Password Scam


So here’s a new one: a spoofed Amazon email claiming that Amazon has detected an unauthorized attempt to reset the password on the recipient’s account. A six-digit code is provided along with instructions to call a phone number to “verify your identity.” A copy of this phish is above.
