CyberheistNews Vol 10 #32 [Heads Up] Voicemail-Themed Phishing Attacks Are on the Rise

Researchers at Zscaler warn of an increase in voicemail-themed phishing campaigns designed to steal credentials for enterprise applications. The emails purport to be automatically generated notifications from enterprise applications, like Office 365 and Outlook, informing recipients that they’ve received a voicemail from a caller.

The messages include an HTML attachment that will redirect the user to the phishing site, where they’ll be asked to enter their credentials in order to log in and hear the message.

Interestingly, Zscaler found that one of these campaigns used Google’s reCAPTCHA to prevent web crawlers from accessing the site and flagging the site as malicious.

The researchers also observed a campaign that spoofed Cisco’s Unity Connection voicemail portal using the domain “secure[.]ciscovoicemail[.]cf.” When the user clicks to listen to their voicemail, they’ll be taken to a page that asks them to select their email provider from a list of options: Office 365, Mimecast, Outlook, Gmail, Yahoo, and “Others.”

Clicking on any of these options would take the user to a phishing page that spoofed the login page of the service they selected. Choosing “Others” would present the user with a generic login portal.

Zscaler concludes that users should follow security best practices in order to avoid falling for these attacks. “This threat actor leverages well-crafted social engineering techniques and combines them with evasion tactics designed to bypass automated URL analysis solutions to achieve better success in reaching users and stealing their credentials,” the researchers write.

“As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials.”

It’s also worth noting that voicemail-themed phishing campaigns aren’t new, but the fact that they’re growing more common means this tactic is still effective. If a user knows that attackers frequently use fake voicemail notifications as phishbait, they can recognize these attacks immediately.
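As an added defender-side example (not from the Zscaler research or this newsletter), here is a Python triage routine that scores a message on the traits described above: a voicemail-themed subject, an HTML attachment, a redirect hidden inside that attachment, and a sender domain that is not one of your real voicemail platforms. The trusted notifier domains, the sample message and its redirect target are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: domains your genuine voicemail/unified-comms platforms notify from.
TRUSTED_NOTIFIER_DOMAINS = {"unity.example-corp.com", "voicemail.example-corp.com"}

VOICEMAIL_WORDS = re.compile(r"\b(voice ?mail|voice message|missed call|new message from)\b", re.I)
# Two common ways an HTML attachment bounces the reader to another site.
META_REFRESH = re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:location|window\.location)(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)

@dataclass
class Message:
    sender: str
    subject: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> content

def redirect_targets(html: str) -> List[str]:
    """Return every URL the HTML would redirect to via meta refresh or JS."""
    return META_REFRESH.findall(html) + JS_REDIRECT.findall(html)

def triage(msg: Message) -> Tuple[int, List[str]]:
    """Score a message; higher means more like the voicemail lure described above."""
    score, reasons = 0, []
    if VOICEMAIL_WORDS.search(msg.subject):
        score += 1; reasons.append("voicemail-themed subject")
    html = {n: c for n, c in msg.attachments.items() if n.lower().endswith((".htm", ".html"))}
    if html:
        score += 2; reasons.append("HTML attachment")
        for name, content in html.items():
            for url in redirect_targets(content):
                host = re.sub(r"^https?://", "", url).split("/")[0]
                score += 3; reasons.append(f"{name} redirects to {host}")
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if score and sender_domain not in TRUSTED_NOTIFIER_DOMAINS:
        score += 1; reasons.append(f"sender {sender_domain} is not a known voicemail notifier")
    return score, reasons

# Constructed sample: an HTML attachment that meta-refreshes to a credential page.
SAMPLE = Message(
    sender="no-reply@office365-notifications.example.net",
    subject="New Voicemail from +1 (555) 010-0000",
    attachments={"VM_Message.html": '<meta http-equiv="refresh" content="0; url=https://login-portal.example/vm">'},
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```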

New-school security awareness training can help your employees stay up to date with evolving phishing trends, as well as reminding them about the fundamentals of social engineering.

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, August 12 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a first look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • Assessments allow you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.

Find out how 33,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, August 12 @ 2:00 pm (ET)

Save My Spot!

[Wake-Up Call] New Study From PwC Exposes Terrifying End-User Security Practices That Will Keep Your CISO up at Night

By Perry Carpenter, KnowBe4 Chief Evangelist & Strategy Officer

"I just finished reading PwC’s latest Workforce Pulse Study – and you should be scared. This study of more than 1,100 American workers provides an in-depth look at the cybersecurity-related awareness levels and behavior patterns of American workers.

COVID-19 Highlights the Cracks of Old-School Security Awareness Approaches:

A typical mantra uttered by most security leaders is security is everyone’s responsibility. Unfortunately, the PwC study shows that this message isn’t being taken to heart—a shocking 75% of survey respondents seemed to live in blissful ignorance of the difficulties and limitations their employers face in securing employee personal information. And these workers are likely also oblivious that their personal data is of interest to cybercriminals.

That lack of employee personal responsibility and investment in cybersecurity is what makes this next set of findings so worrisome. Here’s the quote that really got me (emphasis is mine):

“Nearly 70% of CISOs and CIOs say they increased security training as a result of COVID-19. In contrast, only 30% of employees say their employer offered training on the dos and don'ts of protecting company and personal digital assets, data and information.

Less than a third say their employer provided devices so they could work outside the office without having to use their personal devices. And only 23% say their firm provided a compelling case for why employees need to have good data security habits.”

What We’ve Got Here is Failure to Communicate

See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, August 12 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a first look at brand new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • NEW! Assign additional users as approving managers to review task evidence before a task is closed with tiered-level approvals.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, August 12 @ 1:00 PM (ET)

Save My Spot!

Vanity, Thy URL Is Zoom

Zoom has fixed a security flaw that could have allowed attackers to launch hard-to-spot phishing attacks using the platform, according to researchers at Check Point who discovered and disclosed the flaw.

The issue involved Zoom’s “vanity URL” feature that allows organizations to create custom meeting invitation links, which often include the organization’s name.

“Prior to Zoom’s fix, an attacker could have attempted to impersonate an organization’s Vanity URL link and send invitations which appeared to be legitimate to trick a victim,” Check Point explains. “In addition, the attacker could have directed the victim to a sub-domain dedicated website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization.”

The researchers stress that this would have made it fairly easy for attackers to construct convincing phishing links.

“Upon setting up a meeting, an attacker could change the invitation link URL to include any registered sub-domain,” the researchers write. “For instance, if the original invitation link was https://zoom[.]us/j/7470812100, the attacker could change it to https://<organization’s name>[.]zoom[.]us/j/7470812100.

A victim receiving such an invitation would have had no way of knowing the invitation did not actually come from the actual organization. In addition, the attacker could also change the link from /j/ to /s/: https://<organization’s name>[.]zoom[.]us/s/7470812100.

Given there are cases of organization’s logos appearing when entering such a URL, this could have added an additional layer of deception. Also, clicking on the ‘Sign in to Start’ button, would often lead the victim to the organization’s legitimate portal.”

The researchers conclude with examples of how this flaw could have been abused in the real world.
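To show how the advice to verify the URL before trusting an invitation applies to vanity links, here is an added Python check (not Check Point’s or Zoom’s code) that refangs a Zoom invite link, confirms the host really sits under zoom.us, and compares its vanity subdomain with the one your organization actually registered. The vanity name `examplecorp`, the lookalike `examp1ecorp`, and the /j/ and /s/ path pattern are assumptions.

```python
import re
from urllib.parse import urlsplit

ZOOM_BASE = "zoom.us"
# Assumption: invite paths look like /j/<meeting id> or /s/<meeting id>, as in the article.
INVITE_PATH = re.compile(r"^/(j|s)/(\d+)(?:/|$)")

def refang(url: str) -> str:
    """Undo the defanging used in reports (hxxp, [.]) so the URL can be parsed."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http")

def check_zoom_invite(url: str, expected_vanity: str) -> tuple:
    """Classify an invite link relative to the vanity subdomain your org registered.

    Returns (verdict, detail) with verdict in {"accept", "unbranded", "reject"}.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    # The host must be zoom.us itself or a direct subdomain of it; anything else
    # (e.g. examplecorp.zoom.us.evil.example) is not a Zoom link at all.
    if host != ZOOM_BASE and not host.endswith("." + ZOOM_BASE):
        return "reject", f"host {host!r} is not under {ZOOM_BASE}"
    m = INVITE_PATH.match(parts.path)
    if not m:
        return "reject", f"unexpected path {parts.path!r}"
    kind, meeting_id = m.groups()
    sub = "" if host == ZOOM_BASE else host[:-len(ZOOM_BASE)].rstrip(".")
    if not sub:
        return "unbranded", f"plain {ZOOM_BASE} link to meeting {meeting_id} via /{kind}/"
    # A branded link is only as trustworthy as the subdomain; the flaw was that any
    # registered subdomain could be substituted, so it must equal the one you own.
    if sub != expected_vanity.lower():
        return "reject", f"vanity subdomain {sub!r} does not match expected {expected_vanity!r}"
    return "accept", f"{sub}.{ZOOM_BASE} meeting {meeting_id} via /{kind}/"

if __name__ == "__main__":
    for link in ("https://zoom[.]us/j/7470812100",
                 "https://examplecorp[.]zoom[.]us/j/7470812100",
                 "https://examp1ecorp.zoom.us/s/7470812100"):
        print(link, "->", check_zoom_invite(link, "examplecorp"))
```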

Stop by the KnowBe4 Booth at Black Hat USA 2020!

Are you attending (the 100% virtual) Black Hat USA 2020 this week? Be sure to stop by the KnowBe4 booth August 5-6 to find out how to secure your last line of defense: USERS.

Check out all of the exciting activities we have planned!

We have several speaking sessions throughout the conference including an eye-opening session with Kevin Mitnick, KnowBe4's Chief Hacking Officer.

You can learn about phishing forensics and how to become your own digital private investigator with Roger Grimes, KnowBe4's Data-Driven Defense Evangelist.

Plus, see how you can enter for a chance to win great prizes including a Stormtrooper prop replica helmet!

Get all the details you need to know at

Whoa Nellie! Full AI-Driven Phishing Attacks Are Around the Corner

I just discovered the latest version of the OpenAI GPT-3 and this thing is scary good. You can give it a prompt and it will continue the story that it thinks will plausibly follow. You can get it to write press releases, stories, interviews and even technical manuals. DANG this thing is good.

Instead of rehashing the blog post that Arram Sabeti wrote, I'm just giving you the link with his examples. This is fascinating stuff and you can extrapolate the consequences for yourself:

Here is the link to the OpenAI API where you can request access and experiment with it:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The spirit is the true self. The spirit, the will to win, and the will to excel are the things that endure."
- Marcus Tullius Cicero, Roman Statesman (106 BC - 43 BC)

"Be who you are and say what you feel because those who mind don't matter, and those who matter don't mind."
- Dr. Seuss :-D

Thanks for reading CyberheistNews

Security News
Social Engineering From an Actuarial Point of View

Employees need to maintain their security habits while working from home, emphasizes Scott Godes, a partner at Barnes & Thornburg. On the CyberWire’s Caveat podcast, Godes explained that cybercrime has continued as usual throughout the pandemic, but business processes have shifted dramatically.

“It's largely more of what we have been seeing. And what I mean by that is ransomware has continued,” he said. “Business email compromises continue. And I see more phishing attempts on a daily basis than I had ever seen before.

And so criminals, apparently, are not going away. Efforts to compromise systems aren't going away. ... And so from that perspective, it's more, unfortunately, of the same.”

He added that social engineering attacks, such as business email compromise (BEC), may be harder to thwart when employees aren’t working in the same building. “And so there are stories where – apocryphal stories and real stories – for example, in the context of a business email compromise where when I've talked about this, people say, oh, sure, we almost had that happen,” he explained.

“We received a message saying, please wire the following amounts to this location. And just before it happened or just after it happened, I ran into this person in the hallway and said, oh, by the way, I've got your – I sent your wire or I'm about to send your wire, just FYI. And in the hallway, the person says, what are you talking about?

I didn't ask for you to wire anything or do anything like that. And they manage to catch it. Well, if you're not in the office and you're not going to see people in person, you don't have that same opportunity to correct for that. That's just one example of how things are not able to correct it.”

Additionally, Godes said that as people become accustomed to remote work, they may grow laxer about verifying requests they receive by phone or email.

“Or if you're used to doing things by phone, ‘cause that's how we're operating, then – or by email, rather than by phone, because that's how things are operating, then the mindset of following up with someone to say, well, I need to see you in person, or, I need to get a phone call, is not the same,” Godes said.

“And there's going to be much more reliance on emails and other electronic communications to get things done so that the perspective of and the viewpoint of, well, you shouldn't click on email, you shouldn't do things by email – that's how the world is operating these days.”

New-school security awareness training can help your employees adapt to changing circumstances by instilling in them a healthy sense of suspicion that can enable them to prevent social engineering attacks, no matter where they are.

The CyberWire has the story:

Are Account Takeovers Driving Toward a Passwordless Future?

By Javvad Malik, KnowBe4 Security Awareness Advocate

"The bad guys will try to take over accounts all the time. Logging onto someone's account with their credentials is usually a whole lot easier than trying to compromise the website directly. Here's a short video I made on the topic.

Ultimately, when we're talking about account takeover, the underlying problem is actually all about password management.

Here’s a quick visual of some of the account takeover techniques, covered in this pyramid. It's in a pyramid as opposed to putting it in a list because when you put lists into a shape, it gives the impression that there is far deeper meaning to the work.

CONTINUED, including links to Video:

NEW FEATURE! Recommended Training Powered by Machine Learning

This new feature offers you as an admin informed training suggestions based on the simulated phishing test results of your users. Personalized to your overall organization, training modules are presented in your KnowBe4 ModStore training library that you can select to add to your training campaigns to help reduce your users’ click rates over time.

Here is your Fresh Content and New Features Update:

What KnowBe4 Customers Say

This is the story of an end-user.

"Good Morning! This is a big Thank You. I have always thought that the tests and reminders from KnowBe4 were simply a pain in……. But because of the training it saved me from making a huge mistake.

I received a personal email, that was supposedly from Amazon, about my purchase of a Microsoft Pro tablet and that it was going to be mailed to some address in the south. I needed to click the link if this was not a purchase I had made.

I panicked thinking that someone hacked my Amazon account. Then I quickly thought, check the email address, and sure enough it was not an Amazon email. As a double check I went to Amazon and checked my orders/purchases. No tablet there…

Again, Thank you for making us use this tool. Have a great day!"

"I just wanted you to know that working with you, Mike and Jackson has been the best experience I have ever had with a tech company. Your quick response to inquiries, proactive follow ups and knowledge of the products you sell far reached my expectations. Thank you and looking forward to new products KnowBe4 will be releasing."
- X.D., Director of Infrastructure

The 11 Interesting News Items This Week
    1. US Senate approves amendment to bolster cybersecurity in FY 2021 NDAA:

    2. 20,000+ new vulnerability reports predicted for 2020, shattering previous records:

    3. The Impact of the COVID-19 Pandemic on Remote Work, 2020 IT Spending, and Future Tech Strategies:

    4. Lazarus Group Brings APT Tactics to Ransomware:

    5. Which workers are your biggest security nightmare? It might not be the people you expect:

    6. Listen to This (V1.0) Deepfake Audio Impersonating a CEO in Brazen Fraud Attempt:

    7. Business ID Theft Soars Amid COVID Closures:

    8. Kaspersky: North Korean hackers are behind the VHD ransomware:

    9. Ransomware: How clicking on one email left a whole business in big trouble:

    10. New bug in PC/Server booting process impacts billions of devices, could take years to fix and is ransomware threat:

    11. BONUS: Hackers Broke Into Real News Sites to Plant Fake Stories:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.