CyberheistNews Vol 10 #16 [Heads Up] Killing Your Zoom Meeting IDs Is Only Suppressing the Real Problem

CyberheistNews Vol 10 #16
[Heads Up] Killing Your Zoom Meeting IDs Is Only Suppressing the Real Problem

Zoom has been under a lot of scrutiny lately, and it's commendable that the vendor has been working through as many security issues as it has. With great growth and visibility comes great scrutiny, and as Zoom has experienced an unprecedented uptake of users, more eyeballs have been on the platform poking holes in it.

The media has been rife with stories about various Zoom security holes, vulnerabilities, and insecure default settings to the extent that many users have been hesitant to use Zoom. This includes teachers trying to remotely educate their students, families keeping in touch, and many others.

To its credit, Zoom has not been ignoring these concerns and have been quite transparent. Eric S Yuan, founder and CEO of Zoom posted a message to all users, which highlighted many of the challenges and initiatives the company is taking.

Furthermore, the company made some changes to its user interface and display. These improvements include making security features easily accessible, such as locking the meeting, enabling a waiting room, removing participants, and restricting participants’ access.

All of this is very good, and the company should be commended for its efforts during these trying times.

However, one change stuck out to me the most – the removal of the meeting ID from the toolbar. The reason being that when people have shared screenshots of their virtual meetings, bad guys can use the meeting ID to try and join and ‘Zoombomb’ the meeting.

While I’m not against the removal of the meeting ID from the toolbar, it probably didn’t serve much purpose, if I’m honest. But I do see it as treating the symptom and not the cause.

As my learned colleague Roger Grimes states in his book ‘A Data-Driven Computer Defense', many organizations do not appropriately align computer security defenses with the threats that pose the greatest risk (i.e., damage) to their environment.

In other words, we need to be better at understanding the root cause of our threats and applying countermeasures to those instead of playing an elaborate game of whack-a-mole where we try to fix every issue, no matter how large or small.

With Zoom, the security or privacy risk wasn’t actually presented from the meeting ID being displayed in the title bar. The real threat is user behavior.

The meeting ID didn’t magically post itself onto social media. Users took a photo of their computer screen which, amongst other things contained the meeting ID, and posted it onto social media.

What happens when someone posts a photo on social media where the whiteboard in the background has some sensitive information written on it? Do we demand that whiteboard manufacturers build a capability to clear the board when it detects a photo is being taken? No, that would be ridiculous – yet that is what we tend to expect from technologies.

Rather than trying to convince every software manufacturer to remove sensitive information from the toolbar on the off chance that a user may take a photo and post it online, wouldn’t it be easier to provide security awareness training to users so that they can identify potential risks, and make smarter security decisions themselves? 
-- Javvad Malik, KnowBe4 Security Awareness Advocate.
Kevin Mitnick presents The Art of Invisibility: Important New Privacy Concerns for Your Quickly Evolving Remote Workforce

Corporate privacy concerns are more paramount right now than ever before. Organizations are being forced to maneuver a new world of security and privacy issues related to a remote workforce, evolving hardware/software needs, and employee access policies. Kevin Mitnick knows this world well. In fact, that's the topic of his book, The Art of Invisibility.

Join us for this exclusive webinar as Kevin Mitnick, KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, enter into an eye-opening discussion of the expected and unexpected risks this workforce evolution brings.

They will discuss topics including:
  • Privacy concerns around employees using personal devices for business purposes
  • Security issues with various operating systems, mobile devices, and the Internet of Things
  • The reality of "deep privacy" and how tied together devices, systems, and surveillance really are
  • Shocking new demonstrations that will change the way you think about privacy
  • Why new-school security awareness training is more critical than ever before
Find out what you need to know to keep the bad guys from accessing your organization's critical data! Plus, earn CPE Credit for attending.

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Date/Time: TOMORROW, Wednesday, April 15 @ 2:00 pm (ET)

Save My Spot!
Share the Red Flags of Social Engineering Infographic With Your Employees

Social engineering and phishing are responsible for 70% to 90% of all malicious breaches, so it’s very important to keep your employees at a heightened state of alert against this type of cyber attack at all times. You want an organizational culture to have a healthy level of skepticism which can spot and report potential phishing attacks before they’ve had a chance to be successful.

It can be harder during times of Covid-19 “work-from-home” rules to get employees to pay attention to security awareness training. Different people learn in different ways. Some people like to see videos, others learn the most by reading, and a growing number of people like their education gamified.

I’m a big believer of sending out the occasional email blast as part of a normal training routine which shares up-to-date training. You can select from any of our KnowBe4 blog entries. The blog is updated many times a day with current events. We have some specific COVID-19 resources on the blog most days and dedicated resources.

But perhaps the most personally requested single piece of education I get asked for repeatedly after every nearly every webinar I do is KnowBe4’s Red Flags of Social Engineering poster. Note: It comes in 32 localized languages, but only the English version is free to the public.

Continued with link to PDF:
[Live Demo] Identify and Respond to Email Threats Faster With PhishER - Plus, Get a First Look at PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats — and just as importantly — effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, April 22 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, April 22 @ 2:00 PM (ET)

Save My Spot!
[InfoGraphic] The 2020 Q1 Corona Virus Related Phishing Attacks Are up a Massive 600%

KnowBe4 reports on the top-clicked phishing emails by subject lines each quarter in three different categories: subjects related to social media, general subjects, and 'In the Wild' - we get those results from the millions of users that click on our Phish Alert Button to report real phishing emails and allow our team to analyze the results.

COVID-19 Related Attacks Up 600%

The second most popular message of the entire quarter was a fake CDC alert about Coronavirus cases. Social media messages are another area of concern when it comes to phishing. The past quarter's top-clicked social media email subjects reveal new login alerts, password resets and someone may have accessed your account messages are coming onto the radar.

Password Management Continues to Entice Clicks

Aside from social media-related messages, general subject lines related to password management were highest on the list once again. Another common theme is HR-related messages that mention organizational changes that potentially impact the daily lives of employees. Popular in-the-wild attacks – those that were real phishing emails and not KnowBe4 templates – were focused heavily on subjects around the Coronavirus and working from home.

See the Infographic With All Top Messages in Each Category for Last Quarter:
Can You Be Spoofed? Find out for a Chance to Win a 500 Dollar Amazon Gift Card

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus, if you’re in the US or Canada, you'll be entered for a chance to win a 500 dollar Amazon Gift Card! *

Find out now if your email server is configured correctly, many are not!

Try To Spoof Me!

*Terms and Conditions apply.

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Here is a Public Service Announcement for runners and bikers. COVID-19 spreads through the air outside with shocking ease, European scientists show:
Quotes of the Week
"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure."
- Marcus Tullius Cicero, Roman Statesman (106 BC- 43 BC)

"Times and conditions change so rapidly that we must keep our aim constantly focused on the future."
- Walt Disney, Animator (1901 - 1966)

Thanks for reading CyberheistNews

Security News
Hackers Have Hit *Every* Country on Earth With Coronavirus-Themed Cyberattacks

Cyber criminals have launched coronavirus-themed cyberattacks in 241 countries and territories, new research from Redmond showed. "Every country in the world has seen at least one COVID-19 themed attack," they said on their blog Wednesday.

Rob Lefferts, corporate vice president of Microsoft 365 Security and the blog's author, told Business Insider that the cyberattacks follow the pandemic around the world geographically.

"What you're seeing in the map is that the success of these attacks is a direct correlation to the size of growth of the pandemic," said Lefferts. "Countries with the highest outbreak numbers are also the most affected by these COVID-themed lures. Confusion, concern, and fear are driving people to click and that's what attackers are taking advantage of."

Microsoft observes: "Every country in the world has seen at least one COVID-19 themed attack (see map at blog). The volume of successful attacks in outbreak-hit countries is increasing, as fear and the desire for information grows. Our telemetry shows that China, the United States, and Russia have been hit the hardest.

They also confirm what our own researchers have shown, that there is a change in lures: attackers of all sorts are changing their campaigns to COVID-19 themed templates. Redmond also goes into attack percentages, explains it's not all that bad, and how they protect against these threats.

Recommended reading:
Be Wary of Unsolicited Text Messages

Mobile phishing attacks present unique challenges for users, according to Apurva Kumar and Kristin Del Rosso from Lookout. On the CyberWire’s Hacking Humans podcast, Kumar and Del Rosso described a recent mobile phishing campaign that targeted customers of major banks in North America.

The attackers used a phishing kit that enabled them to send out thousands of malicious text messages simply by entering a list of phone numbers.

“This particular attack is actually very typical of what we see on a regular basis, like, maybe two or three times a week,” Kumar explained. “It's very easy to use and deploy by the attacker....If I was the attacker, I would buy this phishing kit, this set of HTML files online for $10 or $15 and put them up on a website, send out links to your victims, so en masse to everybody who you can find, or bulk sets of phone numbers that you can find online.

And then once the link is with a victim, the victim would click the link and end up on that site, enter in the information, and suddenly, all of your credentials have been compromised for your bank account.”

Del Rosso noted that the smaller size of a mobile device can affect how easily a user can spot a phishing attack, because there are less details on the screen.

“And so this is interesting because on a mobile device, the screens are often smaller,” Del Rosso said. “People tend to trust it more. You might not see that the URL at the top isn't that legitimate bank's URL. A lot of things that you would, on a desktop, look for in a phishing campaign, you wouldn't necessarily be as quick to observe on your phone, which is why this is also effective.”

Del Rosso also pointed out that users often feel that their phones are more secure than their computers. “People are also naturally much more trusting because you have this device in your hand, in your pocket at all times, and you have personal connections through that device to your Instagram or your contacts, your pictures,” she said.

“And so you might be wary of odd emails or you know about malware for computers, but people tend to forget that your phones aren't always this safe little place that you can just look at and enjoy some pictures.”

While malware-based attacks are less prevalent on mobile devices than they are on desktop computers, social engineering attacks are common and effective on all platforms. Kumar concluded that education is the key to preventing these attacks from succeeding.

“The education is absolutely paramount, especially in terms of the mobile field,” she said. “You have to understand how your mobile works and how you react to it.... It's really just user education. It's more than just that boring course that you have to do at work for safety protection or, like, security protection; it's really about understanding, OK, well, this is a potential vector for somebody trying to get at me, and I should be wary of that every single time I get a link.”

New-school security awareness training can teach your users how to defend themselves against all kinds of phishing attacks.

The CyberWire has the story:
FBI's IC3 Publishes Alert About Cloud-based Business Email Compromise

The FBI’s Internet Crime Complaint Center (IC3) published an alert warning that criminals are exploiting cloud-based email services to carry out business email compromise (BEC) attacks. The attackers are using phishing kits that impersonate email services like Google’s G Suite or Microsoft’s Office 365 in order to compromise corporate email accounts.

Once they gain access to an account, they’ll try to request or intercept money transfers. “Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cyber criminal to target victims using cloud-based services,” the statement explains. “Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions.

Often, the actors configure mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.”

IC3 says it’s received complaints totaling $2.1 billion in losses as a result of BEC attacks using “two popular cloud-based email services.” (The statement doesn’t specify which two services.)

“Over the last decade, organizations have increasingly moved from on-site email systems to cloud-based email services,” the alert says. “Losses from BEC scams overall have increased every year since IC3 began tracking the scam in 2013.

BEC scams have been reported in all 50 states and in 177 countries. Small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense.”

The FBI notes that most of these email services have security features that can help defend against BEC attacks, but these features often have to be manually configured.

On the human side, these attacks can potentially be thwarted at several steps during the process. Ideally, the email account owner would spot the initial phishing attack and avoid having their account compromised in the first place.

Even if an account is compromised, however, employees can still prevent the attacker from succeeding by being wary of any requests involving money transfers, whether they come from a coworker or from a business partner.

The FBI recommends verifying these requests in person or over the phone. The FBI recommends implementing multi-factor authentication on all email accounts, as well as “[educating] employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.”

New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees how to recognize suspicious activity.

The FBI’s Internet Crime Complaint Center has the alert:
What KnowBe4 Customers Say

"I just wanted to send you a brief note of thanks again for your sticking with us to bring KnowBe4 to our organization. I knew we’d get there, and we’re very pleased with the results. Stacy is a fantastic resource. We greatly appreciate her efforts to help us gain the greatest benefit from our relationship. Stay safe, and have a great weekend!"
- T.R., Chief Information Officer

The 10 Interesting News Items This Week
    1. Australian government says it is hacking criminals who are exploiting the pandemic:

    2. New Phishing Campaign From 'FBI Director Wray' Is Hysterical:

    3. Phishing Emails Increase Fourfold in March Amid Rising Fears:

    4. 71% of Security Pros See Threats Jump Since COVID-19 Outbreak:

    5. US and UK Issue Joint Advisory on COVID-19-Related Cyber Attacks:

    6. Microsoft: Emotet Phishing Attack Shut Down an Entire Business Network:

    7. COVID-19 has changed business, but threat actors and tools remain strangely familiar

    8. Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay:

    9. US wants to ban China Telecom over national cybersecurity risks:

    10. NASA under 'significantly increasing' hacking, phishing attacks:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews