CyberheistNews Vol 10 #33 [Heads Up] Explosion of Zoom Meeting Phishing Attacks Targeting O365 and Outlook

Researchers at INKY have observed an explosion of Zoom-themed phishing attacks over the Spring and Summer of 2020. Most of the attacks are aimed at stealing credentials to services like Outlook and Office 365 by directing users to spoofed login pages.

The researchers say they’ve observed the emails being sent from legitimate, compromised accounts as well as convincing spoofed domains. “At INKY, most of the Zoom impersonator phishing emails we have seen came from hijacked accounts, but we also saw newly created domain names like zoomcommuncations[.]com and zoomvideoconfrence[.]com,” they write.

“As disturbing as that is, it’s also what makes these fake meeting invitations so easy to fall for and so difficult for traditional Secure Email Gateways (SEGs) to catch.”

Additionally, the attackers are using obfuscation and other techniques that make it more difficult for security systems to detect their phishing pages. “If the hacker includes a fake attachment, it leads to a fake login page that’s locally hosted on the recipient’s computer, not the internet,” the researchers write.

“To make matters worse, the HTML, JavaScript, and PHP code is usually encoded so it’s unreadable to humans and automated security tools. It’s a clever way to remain undetectable and evade URL reputation checkers. Similarly, if the hacker includes a malicious link, these redirect to a fake login that’s hosted on a compromised server or a hosting service the attacker paid for.”

INKY provides a number of screenshots of some of the spoofed websites, and they appear identical to the legitimate login portals for Outlook and Office 365. In the Outlook example, the site’s URL was “owa-mail-auth[.]web[.]app,” which could fool even someone who had been trained to scrutinize URLs.
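As an added example (not from INKY or the original post), here is a small Python triage helper that checks the two signals the researchers describe: brand keywords in hosts outside an allowlist, and HTML attachments whose markup decodes itself instead of being plain HTML. The allowlist, keyword list and sample attachment are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the impersonated brands actually use; extend for your tenant.
ALLOWLIST = {"zoom.us", "zoom.com", "outlook.com", "office.com", "microsoft.com", "live.com"}
# Brand keywords whose presence in a host outside the allowlist is a lookalike signal.
BRAND_KEYWORDS = ("zoom", "outlook", "owa", "office", "o365")

# Markers of self-decoding markup, as seen in locally rendered fake login pages.
OBFUSCATION = re.compile(r"unescape\(|atob\(|document\.write\(|String\.fromCharCode|eval\(", re.I)
LONG_ENCODED = re.compile(r"(?:%[0-9a-f]{2}){20,}|[A-Za-z0-9+/=]{80,}", re.I)

# Constructed sample attachment: a percent-encoded page unpacked by document.write(unescape(...)).
SAMPLE_ATTACHMENT = ("<html><script>document.write(unescape('"
                     + "%3C%64%69%76" * 8 + "'))</script></html>")


def defang_to_host(value: str) -> str:
    """Turn a defanged indicator or URL ('hxxps://owa-mail-auth[.]web[.]app/x') into a bare hostname."""
    value = value.replace("[.]", ".").replace("hxxp", "http")
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels only (no public-suffix list), e.g. 'owa-mail-auth.web.app' -> 'web.app'."""
    return ".".join(host.split(".")[-2:])


def lookalike_hits(host: str) -> list:
    """Brand keywords present in a host whose registrable domain is not allowlisted."""
    if registrable_domain(host) in ALLOWLIST:
        return []
    return [kw for kw in BRAND_KEYWORDS if kw in host]


def suspicious_html_attachment(name: str, body: str) -> bool:
    """Flag .htm/.html attachments whose markup decodes itself instead of being plain HTML."""
    if not name.lower().endswith((".htm", ".html")):
        return False
    return bool(OBFUSCATION.search(body)) and bool(LONG_ENCODED.search(body))


def triage(sender_domain: str, links: list, attachments: dict) -> list:
    """Run both checks over one message; returns (kind, detail) findings for a SOC queue."""
    findings = []
    for host in [defang_to_host(sender_domain)] + [defang_to_host(u) for u in links]:
        hits = lookalike_hits(host)
        if hits:
            findings.append(("lookalike-host", f"{host} contains {hits}"))
    for name, body in attachments.items():
        if suspicious_html_attachment(name, body):
            findings.append(("encoded-html-attachment", name))
    return findings
```

Neither check is a verdict on its own; the point is that a locally hosted attachment never touches a URL reputation service, so the attachment body itself has to be inspected.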

Attackers are constantly taking steps to improve the reach and effectiveness of their phishing campaigns. New-school security awareness training enables your employees to avoid falling for these attacks, even if the phishing sites appear perfectly convincing.

Blog Post with links:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, August 12 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a first look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • Assessments allow you to find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 33,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, August 12 @ 2:00 pm (ET)

Save My Spot!
The Scariest Things We Saw at Black Hat 2020

Our longtime friend Neil Rubenking wrote: "The ongoing COVID-19 pandemic in the US knocked a lot of security conferences offline—or rather, it knocked them to online-only. This year, both Black Hat and DEF CON (along with HOPE 2020 and others) used live and prerecorded video coupled with chat platforms.

It worked out surprisingly well and could be a pattern for other gatherings to follow. That said, the experience lacked the fun of an in-person event, and it's hard to make time for a video session when you also have to walk the dog. Hopefully, 2021 will be a kinder year for everyone. Here are the scariest things we saw at Black Hat 2020."

And of course if you registered for Black Hat you can also see the KnowBe4 sessions we had there now On Demand:
Top CISOs Say Security Awareness Training for Employees Is Top Priority

Steve Morgan at Cybercrime Magazine said: "Training employees how to recognize and defend against cyberattacks has long been the most underspent sector of the cybersecurity industry. But we’re in the midst of a sea change that is predicted to result in a $10 billion market by 2027.

Progressive CISOs at the largest companies in the U.S. are pushing hard for more employee security awareness training and phishing simulation programs. Nine of them opened up to Cybercrime Magazine on humans being the weak link in the cyber defense chain, and the need to build a security-aware culture.

“Security leaders, in general, know that the human side of things is critical to consider when it comes to the overall security posture of their company,” says Perry Carpenter, chief evangelist and strategy officer at KnowBe4.

But shockingly, not every Fortune 500 and Global 2000 company has a full-time security awareness training manager, according to Carpenter. For some organizations, the responsibilities fall on the shoulders of security personnel who are burdened with other tasks. While we’re not yet in an ideal place, Carpenter says that large enterprises are definitely moving in the right direction."

Check out what CISOs at State Street, Mastercard, Northwell Health, Standard Industries, Microsoft, Delta Airlines, IBM, S&P Global and HP have to say about it:
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, August 12 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a first look at brand new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • NEW! Assign additional users as approving managers to review task evidence before a task is closed with tiered-level approvals.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, August 12 @ 1:00 PM (ET)

Save My Spot!
BOOK OF THE WEEK: "Messing With the Enemy"

I am thoroughly enjoying "Messing with the Enemy: Surviving in a Social Media World of Hackers, Terrorists, Russians, and Fake News" written by Clint Watts. He is an extremely skilled (and funny) social engineer. The book has tons of examples. Here is the Amazon blurb and it's a Stu's Warmly Recommended.

"A former FBI Special Agent and leading cyber-security expert offers a devastating and essential look at the misinformation campaigns, fake news, and electronic espionage operations that have become the cutting edge of modern warfare—and how we can protect ourselves and our country against them."

Here is the link to Amazon Kindle (note we are not an Amazon affiliate):

And here are two recent examples of the disinformation campaigns out there in the wild that are used for clickbait:
The Best Ways to Stop Malware and Ransomware That No One Else Will Tell You

With malware attacks on the rise, making sure you keep your organization safe from a costly breach is a top priority. The two best things you can do to stop malware and ransomware attacks are to figure out how malware is getting by your defenses and for how long. Your current antivirus vendor isn’t going to tell you the answers to either of these. But Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, will.

Join Roger on Wednesday, August 19th at 2:00 PM (ET) as he dives into the best ways to stop malware dead in its tracks using real-life methods no one else is talking about.

He’ll show you:
  • The two best questions to ask to prevent malware and ransomware
  • The most common ways malware gets around your defenses
  • A live malware demonstration and how you can prevent it immediately
  • Step-by-step action plans you can start implementing now
  • How to enable your end users to become your best, last line of defense
Stop playing reactive defense. Go on the offensive! Use your existing data to craft a better malware defense today.

Date/Time: Wednesday, August 19 @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Don't find fault, find a remedy."
- Henry Ford, Industrialist (1863 - 1947)

"Don't ever become a pessimist... a pessimist is correct oftener than an optimist, but an optimist has more fun, and neither can stop the march of events."
- Robert A. Heinlein, Sci-Fi Writer (1907 - 1988)

Thanks for reading CyberheistNews

Security News
Social Engineering on the Dead Tree Platform

Scammers are using snail mail to draw people into scams more commonly associated with Nigerian 419 scam emails, Graham Cluley reports. Cluley presents a letter that one of his readers received in the mail, which was customized to contain the name of the person it was addressed to.

“My name is Wai Fei, and I write today to discuss the unclaimed inheritance of 11 million USD,” the letter says. “At this point, I must ask that you deal with this matter with highest discretion, as the content of this letter is not trivial.

I am sending this letter with confidential internet local auto-mailer service. In 2004, a person with whom you share common name; Mr [name redacted] invested funds with the Hong Kong investment house I work with. During the time, we spread the funds across diverse local opportunities to make significant returns.”

The letter then explains that the recipient stands to make $11 million (or $5.5 million, if they plan on upholding their end of the bargain).

“In 2005, he instructed that the initial sum ($11m) be liquidated for a cash investment in Beijing,” it says. “For this we contacted the mainland Shengjing Bank, to convey the money for a cash delivery. Only last year, the Shengjing Bank disclosed that the money remains unclaimed. Upon investigations, we discovered that Mr [name redacted] died in Jiangxi shortly after transfer was made.

Graham Cluley has the story:
Focus on the Underlying Behavior

Identifying malicious behavior is a more effective long-term strategy than trying to block individual malicious actors, according to Johnathan Hunt, Vice President of Security at GitLab. On the CyberWire’s Hacking Humans podcast, Hunt used the example of trying to stamp out malicious activity, particularly cryptojacking, that cropped up in GitLab code repositories.

“For probably several years in my career, I noticed that the operational team that would lead would attack the bad actors, whether it was through trying to block IP addresses, whether it was just trying to block the specific activity that they were trying to do or exploit, the scans they were running,” Hunt said. “And then we would continue to see the same behavior over and over – whether it came from different IP addresses, whether it seemed to come from different types of profiles, whether it came from different areas within the service itself or the application itself.

You're not going to win playing defense

And we quickly realized that that's a losing battle. Like, you're not going to win playing defense.” Hunt said he realized that this strategy was ineffective, so he switched to looking at the behavior itself.

“And so it was at that time my philosophy had changed to, we should ignore the person, and we should go after the behavior,” he said. “We should go after the activity. We should be looking at what it is that they're trying to do, what - the control they're trying to circumvent, the types of attacks that they're using, the areas of the application that they're looking to expose.

And how can we address the problem? How can we get to the root of the problem and address that behavior within the product or service that we're offering?”

Hunt’s organization then created tools that could automatically detect and block cryptomining activity based on its underlying characteristics, rather than manually hunting down every user who abused the platform. Hunt also noted that focusing on behavior can help organizations defend against accidental or unexpected adverse events.

“And I also want to point out that it doesn't have to be malicious activity from the outside, although that's probably what you would think of first, right?” he said. “Mice are nuisances, right? So yes, we did have nuisances within our service.

We did have a nuisance from external forces interacting with our service, trying to exploit our platform, trying to compromise our services or customers. But it could also be internal behaviors that we're looking at, right? It doesn't always have to be malicious. It could be unintentional bad behavior that originates from employees, from the way we build services to the way that we code the platform or the application itself.”

One crucial area in which organizations can focus on defending against behavior is user education. New-school security awareness training can keep your employees up-to-date on current phishing trends, but more importantly, it can educate them about fundamental social engineering tactics so they can thwart new or unfamiliar attacks.

The CyberWire has the story:
What KnowBe4 Customers Say

"Shannon, trust me when I say, we will NEVER be without KB4 again. Just yesterday one of my senior attorneys said she was in a webinar where they were discussing how Twitter was recently hacked and how the culprits got in, and she yelled, “I know all about this! I’ve learned about don’t pick up strange USB’s, don’t let strange people in the office to walk around, don’t click Willy Nilly on anything I’m not expecting!”

She said that it’s a kudos to me for protecting our firm and forcing everyone to learn. So BIG HUGE thank you to you guys over at KB4 for creating this and making it easy for me to deploy and teach. Feel free to copy and paste this and send it out to your entire company. You CAN teach an old seasoned dog professional new tricks."
- S.S., Manager Information Technology

"Hi Stu, What an amazing company you have. First off, you have an excellent product. At first, I thought the staff would reject it and find it invasive to their workday. I'm finding just the opposite. People are more than happy to learn new ways to protect themselves and our network from the "bad guys".

Second, you have amazing employees. Everyone that has helped me with this client, as well as another client that I have, is always friendly, informative, and helpful. They are patient beyond belief. And now I received the book "A Data-Driven Computer Security Defense" in the mail today. I haven't even started reading it yet but I'm excited to.

Thank you so much for sending it. As with all your emails that you send, this will be another tool to help me protect the network and its data. Thank you very much!!! In my eyes, you are doing everything right."
- S.E., Contracted IT Support
The 11 Interesting News Items This Week
    1. How to Survive a Ransomware Attack Without Paying the Ransom. Norsk Hydro Case Study at Bloomberg:

    2. Here is an example of quite surprising Ransomware customer service:

    3. 10 tips for cybersecurity awareness programs in uncertain times:

    4. Less Than Half of Security Pros Can Identify Their Organization's Level of Risk:

    5. Pen Testers Who Got Arrested Doing Their Jobs Tell All:

    6. Tech workforce in defense and aerospace targeted in latest phishing attack:

    7. Hackers Dump 20GB of Intel’s Confidential Data Online:

    8. Interpol warns of 'alarming rate' of cyberattacks amid pandemic:

    9. Ransomware: The tricks used by WastedLocker to make it one of the most dangerous cyber threats:

    10. DHS Urges 'Highest Priority' Attention on Old Chinese Malware Threat:

    11. BONUS: An article in Entrepreneur by yours truly: "Why Active Listening Is a Critical Skill for Founders and Entrepreneurs" (and any professional really):
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.