Security Awareness Training Blog

Keeping You Informed. Keeping You Aware.

New KnowBe4 Feature: Vulnerable Browser Plugin Detection

How Can I See If My Users Have Vulnerable Browser Plugins Installed?

Within your console, you can automatically detect what vulnerable plugins any clickers on your phishing tests have installed in their browsers. This feature is enabled as part of our Platinum subscription level.

How does it work?

Information about vulnerable plugins your users have installed in their browsers is gathered automatically during a phishing campaign. After you set up a phishing campaign, once a user fails your test and arrives at a landing page, our landing page will gather information on what plugins are installed in that user's browser. We look at the results and compare them to a database of known vulnerable plugins.

Don’t Miss The May Live Demo: New-school Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security. 
Join us on Wednesday, May 11, 2016, at 2:00 p.m. (EDT) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

Verizon 2016 Data Breach Report: "Phishing Tops The List Of Increasing Concerns"

Every year, Verizon publishes a comprehensive report on security and data breaches. It is excellent ammo to get budget approval for new-school security awareness training.

Why? Hundreds of security threat reports come out every year from all kinds of IT security companies. Most of these reports focus on a single type of threat that the author of the report conveniently offers protection against, and basically are thinly veiled marketing pieces.

Verizon's Data Breach Investigation Report is different. They create it together with 67 other organizations. To name a few well-known participants: the U.S. Secret Service, the U.S. Emergency Computer Readiness Team, the Anti-Phishing Working Group, Kaspersky Lab, Cisco Security Services, EMC and many others. The 85-page report covers many areas of security for which Verizon doesn't sell products. I'm highlighting their insights about phishing.

[ALERT] 2016 Is A Ransomware Horror Show. Here Is The New Roundup!

If you've been in the IT trenches over the past year, you've probably noticed the announcements of new strains of ransomware are accelerating.

The research team at Proofpoint just published a blog post that confirms those impressions. It's not your imagination. Ransomware has indeed exploded, especially since the start of 2016. And just days before Proofpoint's blog post, the FBI went public with yet another warning over the threat of ransomware.

The Phishing Attack That Came Out Of Zendesk

Yesterday, April 25, 2016, we encountered a new phishing email being delivered through Zendesk.

The credentials phish itself is a straightforward social engineering attack. The email body tells your employee that someone named John is sending them a file through a file-sharing service called ShareFilz. Users who click the supplied download link are taken to a spoofed Google Docs login page hosted on the domain The user's email address is prepopulated in the login form, and any password will be accepted.

Scary New CryptXXX Ransomware Also Steals Your Bitcoins

Now here's a new hybrid nasty that does a multitude of nefarious things. Proofpoint researchers found that it was built by the same cyber mafia that's behind the Reveton malware. A few months ago the 800-pound Dridex cyber gang moved into ransomware with Locky, and now their competitor Reveton follows suit and tries to muscle into the ransomware racket with an even worse criminal malware multitool. 

At the moment, CryptXXX spreads through the Angler Exploit Kit, which infects the machine with the Bedep Trojan. Bedep in turn drops information stealers on the machine, and now adds professional-grade encryption that appends a .crypt extension to the filename.

Scam Of The Week: Secure Document Phishing Attacks Trap Employees

In this Scam Of The Week we are warning against a new wave of phishing scams. In the industry this is called the "secure doc" theme. It's getting very popular with the bad guys. We see a spike of malicious ones coming in at the moment.

There are active phishing campaigns using both fake DocuSign and Secure Adobe PDF attachments to trap employees into opening them. One user reported receiving one of these, with the "from" address spoofed as coming from their own attorney. That's a nasty form of spear-phishing.

It is also interesting to see that "secure doc" emails are one of the most misflagged categories of real emails that we see. Users have trouble figuring out whether a "secure doc" email is real or a phish -- even when dealing with secure document delivery services that are used/contracted by their own employers.

Send your users a heads-up

Scam Of The Week: Prince Last Words On Video

Today, news broke that Prince Rogers Nelson was found dead in his home in Minneapolis at age 57. He was found unresponsive in an elevator and was declared dead shortly after. He performed in Atlanta last week as part of his "Piano and a Microphone" tour, a stripped-down show that has featured a mix of his hits like "Purple Rain" or "Little Red Corvette".

This is a celebrity death similar to Robin Williams's that the bad guys are going to exploit in a variety of ways. You have to warn your users right away that a series of scams are underway using Prince's death as a social engineering trick. Looking at earlier celebrity deaths, there will be scams that claim to show Prince's last words on video.
