CyberheistNews Vol 10 #21 [Heads Up] World's Largest Sovereign Wealth Fund Falls for 10 Million Social Engineering Attack


The Norwegian Investment Fund has been swindled out of 10 million dollars by fraudsters who pulled off a social engineering attack that Norfund called "an advanced data breach" but which is commonly known as a Business Email Compromise, aka CEO fraud.

Norfund, the world's largest sovereign wealth fund (created from saved North Sea oil revenues and currently worth over a trillion dollars), admitted that a hacker was able to manipulate the organization into routing a loan intended for a Cambodian microfinance organization into an account controlled by cyber criminals.

As a result, in March, 100m Kroner was lost. The investment fund says the money appears to have been diverted from the organization in Cambodia to Mexico. Local and international police have been brought in to investigate the matter. There are not yet a lot of details about this attack, which may have been a simple compromised email account, perhaps several pwned workstations fully under control of the bad guys, or a fully compromised network.

"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language," Norfund said on Wednesday of the heist. "Documents and payment details were falsified."

The Register commented: "Again, this may be a generous way of saying someone got tricked into sending money into the wrong account with some forged invoices, or bogus emails, and poor invoice control."

Norfund CEO Tellef Thorleifsson is promising swift action to prevent the organization from getting conned again: "This is a grave incident. The fraud clearly shows that we, as an international investor and development organization, through active use of digital channels are vulnerable," he said.

"The fact that this has happened shows that our systems and routines are not good enough. We have [to] take immediate and serious action to correct this."

In addition to getting law enforcement involved, Norfund said it is working with the Norwegian Ministry of Foreign Affairs and its bank, DNB, to track down the thief and get the money back. PwC is also being called in to do an evaluation of the IT security setup at the fund.

"Norfund hopes that by being open about this incident we can contribute to reducing the risk of others being victims of similar fraudulent activities," the investment firm said.

Excellent course of action to take. We strongly suggest you step all employees through new-school security awareness training, which to a very high degree simply prevents disasters like this from happening in the first place.

[NEW WEBINAR] Ransomware Expert Guide: Extortion, Crisis Management, and Recovery

When you realize your organization has been hit with a ransomware attack there are a few things that need to happen. One… take a deep breath. Two… contain the damage. And three… initiate your recovery plan IMMEDIATELY.

Join us TOMORROW, Wednesday, May 20 @ 2:00 PM (ET) when Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, interviews Bill Hardin of Charles Rivers Associates for an exclusive webinar, Ransomware Expert Guide: Extortion, Crisis Management, and Recovery. Roger and Bill will take a deep dive into ransomware forensics and recovery to help you prepare for a rapid response before a ransomware attack affects your organization.

In this session you’ll learn:
  • Of the thousands of cyber events Bill has investigated, what is different in 2020
  • Tactics and techniques your security team can use to hunt within your environment
  • Bill’s top 3 takeaways regarding ransomware recovery
  • How to enable your users to spot suspicious attacks before they affect you
Date/Time: TOMORROW, Wednesday, May 20 @ 2:00 PM (ET)

Earn CPE Credit for attending.

[Eye Opener] Ransomware Group Now Demands 42 Million Not to Release Donald Trump's Files

OUCH! BBC News was one of the many major media sites that reported on May 12 that a media and entertainment law firm used by A-list stars including Rod Stewart, Robert De Niro, Sir Elton John and Lady Gaga has been hacked.

The website of the New York law firm Grubman Shire Meiselas & Sacks is down, and the hackers claim to have 756 gigabytes of data including contracts and personal emails. News of the hack surfaced May 9 on

The law firm said in a press statement: "We can confirm that we've been victimized by a cyber-attack. We have notified our clients and our staff. We have hired the world's experts who specialize in this area, and we are working around the clock to address these matters."

Fox News reports:

[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, a product that allows your Incident Response team to quickly identify and respond to email threats. This will save them a great deal of time!

See how you can best manage your user-reported messages.

Join us Wednesday, May 27 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, May 27 @ 2:00 PM (ET)

That Email From President Trump? Yeah, That’s a Phishing Scam

New phishing scams impersonating President Trump and Vice President Pence are designed to install malware or be the start of an extortion scam.

Nothing beats taking advantage of a pandemic to start yet another phishing scam. This time, according to anti-phishing vendor Inky, new scams purporting to come from the White House are being seen in the wild.

At a time when most Americans have both experienced and accepted the emergency alert system that allows texts from the President to be sent to every mobile phone, seeing an email from the President or Vice President doesn't seem entirely too far-fetched.

According to Inky, new phishing scams are using the pandemic to trick victims into clicking on malicious links. As shown in the screenshots below, emails contain “Coronavirus Guidelines for America.” Sounds important enough that some will fall for this scam.

Blog post with screenshots here.
KnowBe4 Achieves Highest and Furthest Overall Position in the Gartner Security Awareness CBT Leaders' Quadrant

KnowBe4 has achieved the highest and furthest overall position as a Leader for its ability to execute and completeness of vision in the 2019 Magic Quadrant for Security Awareness Computer-Based Training. This was the third consecutive year that we were recognized as a Leader in this Report.

We believe, as the world's largest security awareness training platform and a newly minted Unicorn due to our $1 billion valuation, this placement in the Leaders’ Quadrant validates the success of our ability to carry out our mission to enable organizations and their users to make smarter security decisions using world-class training and simulated phishing to improve their security posture and mitigate risk.

Read the Security Awareness CBT report to find out what we believe sets KnowBe4 apart.

Download Your Complimentary Copy of the Report Now!
Watch out for the Coming Tsunami of Mortgage Rescue Phishing Scams

At this point, with 10 years of phishing attack analysis under our belt, we can predict with high reliability what will be showing up in the near future. We see two scams that will be extremely popular during the rest of 2020. We will cover the first one in this blog post, and the other one in a few days.

With so many individuals out of work, furloughed, and having trouble keeping up with mortgage payments, I predict we’re going to see a resurgence of this scam.

We haven't seen much by way of scams seeking to bail out distressed homeowners in a few years, since after the recession of the late 2000s the mortgage industry has been operating without major issues.

But, as the mortgage industry prepares for mortgage fraud in the form of borrowers misrepresenting income, those who haven’t been able to pay their current mortgage will be susceptible to new mortgage “rescue” scams - ones that claim to be able to help fend off foreclosure, refinance anyone, and generally improve the financial situation of those with many missed payments.

My expectation is that mortgage rescue scams during the rest of 2020 are not only possible, but highly probable.

And it’s not just those that are in a financial strain that may be targeted; the pandemic has led to government programs that augment unemployment, provide payroll protection to organizations, and other financial instruments that have no strings attached.

The existence of, and familiarity with, this new "norm" of government assistance is all that cybercriminals need to phish the average person with promises of a new government program designed to help them pay off their mortgage, catch up on payments, etc.

We’ve seen recent scams that impersonated government websites, so the idea of a scammer sending an email purporting to be from a department within the government and then taking the victim to an “official” website to collect personally identifiable information, credit card details, etc. is extremely plausible.

Organizations are equally at risk. With 55% of employees using employer-provided devices while working from home, and using those same devices for personal needs as part of their work/life balance, it is also very probable that malware in one of its many forms will be successfully installed on one of these devices, putting the organization at risk.

Individuals who are undergoing financial strain with their mortgage payments should proactively contact their lender to seek whatever remedies are available.

Organizations looking to reduce the likelihood of their users falling for these social engineering scams should offer the same advice and roll out continual Security Awareness Training to educate users about any new scams (including inoculating employees against mortgage rescue scams before they show up in a few months) and how to avoid becoming the scammer's next victim.


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Is it crazy how saying sentences backwards creates sentences saying how crazy it is? :-D
Quotes of the Week
"You have power over your mind - not outside events. Realize this, and you will find strength."
- Marcus Aurelius, Roman Emperor (121 - 180 AD)

"Definiteness of purpose is the starting point of all achievement."
- W. Clement Stone, Author (1902 - 2002)

Thanks for reading CyberheistNews

Security News
What? Paying the Ransom --Doubles-- the Cost of a Ransomware Attack?

Here is something totally non-intuitive. Sophos’s State of Ransomware 2020 report claims that the total cost of the average ransomware attack more than doubles if the victim decides to pay the ransom.

The Sophos-commissioned survey of 5,000 IT managers around the world found that the average total cost of a successful ransomware attack—taking into account factors such as downtime, technical recovery, extra hours, lost business, as well as the ransom payment—was $732,000 for victims that refused to pay the ransom.

BUT... that number rises to $1,448,000 for organizations that do pay the ransom.

The researchers attribute this finding to the fact that ransomware attacks are extremely costly even if the victim has backups or the convenience of a decryption key. Ransom demands often run into hundreds of thousands of dollars or more, so the ransom payment adds a large chunk of cash on top of all the other costs.

Overall, the report found that 51% of organizations experienced at least one ransomware incident last year, and 73% of these attacks led to data being encrypted. 26% of the victims paid the ransom, while 56% recovered from backups.

Additionally, the report confirms a well-documented trend in which the number of ransomware incidents has declined as threat actors spend more time launching targeted attacks. These attacks are usually far more damaging to the victim organization than untargeted attacks.

The survey also found that ransomware operators don't discriminate based on organization size. 47% of the attacks hit organizations with fewer than 1,000 employees, while 54% hit larger organizations.

“What really stands out when we look at this data is that there is no single main attack vector,” the researchers conclude. “Rather, attackers are using a range of techniques and whichever defense has a weakness is how they get in. When one technique fails they move on to the next, until they find a weak spot.”

New-school security awareness training can provide your organization with an essential layer of defense by enabling your employees to make smarter security decisions.

Sophos has the story:
Why Does Someone Click and Become a Victim of a Scam?

One of the keys to thwarting social engineering attacks is knowing what makes us want to click on links or respond to emails, according to cybersecurity expert Raef Meeuwisse. In an article for Infosecurity Magazine, Meeuwisse explained that no one is immune to being scammed, and different types of scams target different sets of people.

Some scams, such as Nigerian prince schemes, are designed to target people who don’t know any better. The vast majority of people will ignore an email if it even mentions Nigerian royalty, but the scammers aren’t going after these people; they only want to fool the fraction of people who are gullible enough to actually send them money.

“There is no shying away from the fact that some scams and phishing items are constructed specifically to filter out people that may be resistant to the next step in a scam,” Meeuwisse says. “Email messages with typos, websites that are not built quite right – these are not always unintentional. Sometimes they are an effective way of ensuring that only the most susceptible potential victims progress to the next stage.”

Other scammers go to great lengths to make their attacks as convincing as possible, and many of these scams have very few visible signs that could tip off recipients. Meeuwisse says people shouldn’t assume they’ll be able to spot every scam attempt, because this mindset only helps the scammers.

“The hardest truth is that no matter how good any of us are at detecting and defeating scams, there is always a way through,” he says. “The trick (from the scammers’ perspective) is to make the scam at least as convincing (if not more so) than the legitimate actions or transactions we make every day.”

Meeuwisse adds that there are measures we can take to defeat scammers. For example, we should be on the lookout for offers that seem too good to be true and urgent-sounding emails that prompt us to take action. Knowing the techniques scammers use to push us to do what they want can drastically improve your chances of identifying social engineering attacks.

“Can I defeat every scam?” he writes. “No. Not at first, anyway. Many of the scams I get to see are so good they look more convincing than things that are not scams. However, what we can all do is to help ensure that the probability of a scam being successful is minimized and that the few scams that find some way in can never get quite as far as they hoped to.”

Meeuwisse concludes that the best way to fight scammers is through a combination of employee training, security technology, and protocols. New-school security awareness training is an essential layer of defense that can help minimize your organization’s attack surface.

Infosec Mag has the story:
KnowBe4 ModStore Release: 3 New Celebrity Pretexting Video Modules

Now live in the KnowBe4 ModStore are 3 brand-new pretexting videos featuring:
  • Phil Hendrie and Kevin Mitnick Pretexting - IT Attack
  • Phil Hendrie & Kevin Mitnick Pretexting - Credential Harvesting Attack
  • Phil Hendrie & Kevin Mitnick Pretexting - HR Macro Attack
In these fun episodes, Phil Hendrie (voice actor and radio personality) teams up with Kevin Mitnick (world-renowned security consultant, public speaker, and author) to portray social engineering attacks using pretexting.

Your no-charge preview here:
What KnowBe4 Customers Say

Here is an article in Forbes that takes a whole new approach to improving your resilience against phishing attacks!

This is a warmly recommended read by Cassio Goldschmidt:

The 10 Interesting News Items This Week
    1. Ransomware Gang Now Demands Extra Payment to Delete Stolen Files:

    2. COVID Espionage? Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys:

    3. U.S. to Accuse China of Attempts to Hack Coronavirus Research:

    4. A cybercrime store is selling access to more than 43,000 hacked servers:

    5. Hackers target the air-gapped networks of the Taiwanese and Philippine military:

    6. Feds Reveal Hidden Cobra’s Trove of Espionage Tools:

    7. US Cert Alert AA20-1331. Scroll down to Vulnerabilities exploited in 2020, last sentence:

    8. Washington, D.C. Adds Security Requirements in New Data Breach Notification Law effective on May 19, 2020:

    9. Hackers' private chats leaked in stolen WeLeakData database:

    10. Coronavirus-related cyberattacks are like a kicked 'hornet's nest':
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
