CyberheistNews Vol 10 #34 My Lazy Sunday Afternoon Was Interrupted...




CyberheistNews Vol 10 #34
My Lazy Sunday Afternoon Was Interrupted...

My lazy Sunday afternoon was interrupted with what appeared to be a prank, a social engineering attempt, or something else that remains to be identified.

Apparently, someone took it upon themselves to create a lookalike domain of another training company and route traffic from that lookalike domain to our website.

Even though ICANN has options to keep domain ownership anonymous, we still decided to immediately investigate. We continue to be in conversations with the other training company in hopes to identify the root cause.

Being the market leader for security awareness training and simulated phishing, we know to expect pranks and attempts to hack, so it comes as no great surprise. We do not condone this type of activity because it goes against our culture; we pride ourselves on our radical transparency with our staff, our customers, our partners, and the InfoSec community.

At the time of this writing, we don't know who created the typo-squatter domain, and we are taking measures to investigate. With security awareness top of mind, everybody wins.

Here is the LinkedIn post from our colleague:
https://www.linkedin.com/feed/update/urn:li:activity:6699665978214752256/
The Best Ways to Stop Malware and Ransomware That No One Else Will Tell You

With malware attacks on the rise, making sure you keep your organization safe from a costly breach is a top priority. The two best things you can do to stop malware and ransomware attacks are to figure out how malware is getting by your defenses and for how long. Your current antivirus vendor isn’t going to tell you the answers to either of these. But Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, will.

Join Roger TOMORROW, Wednesday, August 19 @ 2:00 PM (ET) as he dives into the best ways to stop malware dead in its tracks using real-life methods no one else is talking about.

He’ll show you:
  • The two best questions to ask to prevent malware and ransomware
  • The most common ways malware gets around your defenses
  • A live malware demonstration and how you can prevent it immediately
  • Step-by-step action plans you can start implementing now
  • How to enable your end users to become your best, last line of defense
Stop playing reactive defense. Go on the offensive! Use your existing data to craft a better malware defense today.

Date/Time: TOMORROW, Wednesday, August 19 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2565530/8BE140382E584C38A8E0C6B83F8A608F?partnerref=CHN2
The Phishing Golden Hour

Roger Grimes wrote: "In emergency healthcare settings, the “golden hour” is the time between when a patient suffering a life-threatening event (e.g., heart attack, stroke, aneurysm, etc.) is most likely to recover with the best possible outcome if treated within a certain period of time by the appropriate therapies.

Healthcare workers wishing to best help the most people are taught they need to quickly diagnose the right illness or injury and begin the right healing therapies. Every minute of delay further risks a patient’s positive outcome.

Cybersecurity researchers have applied the same idea to phishing attacks in their recent whitepaper entitled, Sunrise to Sunset: Analyzing the End-to-End Life Cycle and Effectiveness of Phishing Attacks at Scale. Looking at the behavior of 4.8 million successful phishing attack victims who got tricked into visiting over 400,000 unique phishing URLs, they gleaned some interesting facts.

This revealing post is too long for this newsletter and continued here:
https://blog.knowbe4.com/phishing-golden-hour
[NEW PhishER Feature] Remove, Inoculate, and Protect Against Email Threats Faster With PhishRIP

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft Office 365 to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.

Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.

Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us for a 30-minute demonstration of the PhishER platform. With PhishER you can:
  • NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft Office 365
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s machine-learning module
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, August 26 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2561579/38E65FD70E2BCFD7BF17BB8D1818FA28?partnerref=CHN1
COVID-Themed Phishing Scams Are on Their Way Out

The latest data on COVID-related phishing scams from security researchers at CheckPoint comes with some good news and insightful trends that may help keep you secure.

We’ve seen just about every kind of COVID-related phishing scam over the last 5 months. From maps of the virus spread, to tracing apps, to class action lawsuits, to getting a tax rebate, and more – there seemed to be no end to the creativity of these scammers who find yet another way to use COVID as the draw to get potential victims to engage with malicious email content.

According to CheckPoint, the good news is COVID-themed scams are on the decline – July saw a 50% decrease in the number of coronavirus-related attacks from the previous month. CheckPoint did find vaccine-related email scams that take advantage of the world’s race to find a vaccine.

The bad news is CheckPoint is still seeing a rise in all cyberattacks (including COVID attacks) which, according to their latest data, begin with a malicious phishing email 80% of the time. Executables, Excel documents, and Word documents are the top three attachment types found in phishing scams.

While we’re happy to see COVID-themed phishing emails go away sometime soon, there is no end in sight for the art of phishing. COVID merely played a viable long-term overarching theme for a wide range of scams. When COVID no longer gets people’s attention and engagement, cybercriminals will turn to a new angle and story that will.

It’s important to have users understand the need for vigilance when interacting with email. Security awareness training provides users with ongoing education, teaching them what a suspicious or malicious email looks like, what kinds of tactics and social engineering are used, and ways to avoid becoming a victim of a scam – COVID or otherwise.

Blog Post:
https://blog.knowbe4.com/covid-themed-phishing-scams-are-on-their-way-out-while-some-scammers-use-a-vaccine-as-a-last-ditch-effort
Phishing Summit - Mitigation, Forensics and Eye-opening Phishing Research

Looks like things are getting crazier by the month, right? The recent Twitter attack shows that all organizations are susceptible to social engineering attacks. Unfortunately, very few untrained users can spot phishing and social engineering attacks. The sobering fact is that social engineering attacks are not going away anytime soon. Your organization is being targeted so you must arm yourself with up-to-date knowledge and skills now.

Join our Virtual Phishing Summit now where you'll learn about all things phishing. From mitigation strategies, to forensic techniques, and eye-opening phishing research showing the risk of human error.

Get access to:
  • Your Ultimate Guide to Phishing Mitigation, featuring Roger Grimes
  • Cyber CSI: Learn How to Forensically Examine Phishing Emails to Better Protect Your Organization Today, featuring Roger Grimes
  • New 2020 Phishing by Industry Benchmarking Report, featuring Perry Carpenter
  • KnowBe4's Quarterly Phishing Report
  • 22 Red Flags your users need to know about
  • And earn CPE credit for attending!
Get Access Now!
https://gateway.on24.com/wcc/eh/1815783/phishing-summit?partnerref=CHN1

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Carl Baron, CISO of UK's SIG tells reporters of IntelligentCISO how KnowBe4's platform decreased his risk of phishing attacks from 32% to 7%:
https://www.intelligentciso.com/2020/08/10/knowbe4-decreases-risk-of-phishing-attacks-from-32-to-7-at-sig/



Quotes of the Week
"Your living is determined not so much by what life brings to you as by the attitude you bring to life; not so much by what happens to you as by the way your mind looks at what happens."
- Khalil Gibran, Poet (1883-1931)



"To know what people really think, pay regard to what they do, rather than what they say."
- George Santayana, Philosopher (1863 - 1952)



Thanks for reading CyberheistNews

Security News
Operation Dream Job: More From North Korea's Lazarus Group

Researchers at ClearSky have been tracking a North Korean cyberespionage campaign that’s been targeting employees at defense contractors since the beginning of 2020. The campaign is attributed to North Korea’s Lazarus Group, and involves the group’s familiar tactic of baiting targets on LinkedIn with attractive job offers. As a result, ClearSky has dubbed the campaign “Operation Dream Job.”

“This campaign has been active since the beginning of the year and it succeeded, in our assessment, to infect several dozens of companies and organizations in Israel and globally,” ClearSky says. “Its main targets include defense, governmental companies, and specific employees of those companies.

We assess this to be this year’s main offensive campaign by the Lazarus group, and it embodies the sum of the group’s accumulative knowledge on infiltration to companies and organizations around the globe. In our estimation, the group operates dozens of researchers and intelligence personnel to maintain the campaign globally.”

The attackers created detailed LinkedIn accounts posing as recruiters, and in some cases they took the content from real recruiters’ profiles and created accounts that were direct copies. Additionally, since the social environment on LinkedIn encourages users to connect with people they hardly know (or don’t know at all), the attackers were able to increase the impression of legitimacy by connecting with real people, some of whom were mutual contacts with the targets.

“The infection and infiltration of target systems had been carried out through a widespread and sophisticated social engineering campaign, which included: reconnaissance, creation of fictitious LinkedIn profiles, sending emails to the targets’ personal addresses, and conducting a continuous dialogue with the target – directly on the phone, and over WhatsApp,” ClearSky explains.

“Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it. The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country.”

While North Korean cyber operators have used these same tactics on LinkedIn for years, ClearSky notes that the pandemic has made their job easier. “In recent months, and especially since the beginning of the COVID-19 pandemic, there was an uptick in the will of employees to join big, stable working places with better conditions (a ‘dream job’),” the researchers write.

“This tendency characterizes periods of crisis and adds to the attackers’ ability to ‘press on sensitive spots’ of their targets and persuade them to continue with the infection. Working remotely is another important component of the attackers’ ability to impersonate persons that the targets have never met, because many business connections are virtual now.”

Still, the researchers conclude that users can thwart these attacks if they know what to watch out for.

“However, such social engineering tactics also have their deficiencies,” they write. “For the attack to succeed, the attacker is almost completely dependent on the target and its cooperation. The attacker needs to employ sophisticated manipulations of deception and persuasion, because any little suspicion may lead to [failure] and wasted means.”

ClearSky has the story:
https://www.clearskysec.com/operation-dream-job/
Legitimate Accounts for Illegitimate BEC

Cybercriminals frequently use email accounts from legitimate services like Gmail to carry out business email compromise (BEC) attacks, Help Net Security reports. Researchers at Barracuda revealed in their latest threat report that 6,170 accounts from legitimate services were used to launch more than 100,000 BEC attacks against 6,600 organizations.

These attacks have made up 45% of all BEC attacks detected by Barracuda since April 1st. Gmail was by far the most popular of the services abused in these attacks, making up 59% of the malicious accounts. Yahoo was a distant second at 6%.

Attackers use these accounts to impersonate real employees or business partners in order to manipulate an organization into transferring money or granting some kind of access to the attacker. Since the emails are coming from trusted domains, they’re more likely to pass through email security filters.

The researchers also found that cybercriminals often use the same accounts to attack multiple organizations. In one case, the same email address was used to attack 256 organizations. They also send an average of nineteen emails from each account.

Barracuda’s Vice President of Email Protection Michael Flouton concluded that organizations need to implement a combination of security technologies and employee training in order to achieve defense-in-depth.

“The fact that email services such as Gmail are free to set up, just about anyone can create a potentially malicious account for the purpose of a BEC attack,” Flouton said. “Securing oneself against this threat requires organizations to take protection matters into their own hands – this requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests.

However, no security software will ever be 100% effective, particularly when the sender appears to be using a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag, and block any potentially malicious content.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to recognize phishing tactics.

Help Net Security has the story:
https://www.helpnetsecurity.com/2020/08/10/6600-organizations-bombarded-with-100000-bec-attacks/
Dark Patterns and the Craft of Online Persuasion

People should learn how to spot the tactics companies (and, more importantly, criminals) use to persuade customers (or marks), especially when those tactics are used deceitfully, according to Eric Ravenscraft at WIRED.

Ravenscraft describes various ways user experience (UX) design can be used to manipulate people. “The term ‘dark patterns’ was first coined by UX specialist Harry Brignull to describe the ways in which software can subtly trick users into doing things they didn’t mean to do, or discouraging behavior that’s bad for the company,” Ravenscraft explains.

“When you want to unsubscribe from a mailing list, but the ‘Unsubscribe’ button is tiny, low-contrast, and buried in paragraphs of text at the bottom of an email, it’s a strong sign the company is putting up subtle roadblocks between you and cancellation.”

Ravenscraft notes that these tactics aren’t always intentional, but they can still influence a user into doing something they don’t want to do.

“Not all dark patterns are designed maliciously, and some UX designers might not even be aware that they’ve built a system that’s tricking users,” he writes. “In many cases, designers might just be doing what works. But being cognizant of how app design plays on human biases is key to avoid falling victim to dark patterns.”

Sometimes, however, companies do use these patterns unscrupulously (though not necessarily illegally). “The trouble comes when the company that makes an app or site has different priorities than the person using it,” Ravenscraft writes. “For example, when you sign up for a monthly subscription service, most companies will make that process easy.

However, if you want to cancel, the company might put a couple of speed bumps in the way to discourage you. Sometimes this can be subtle, like making the ‘Never mind, I’d like to stay’ button bright and colorful while making the ‘Yes, I really want to cancel, let’s get on with it’ button more subtle.”

Ravenscraft concludes that education is the best defense against these tactics. He quotes UX designer Harry Brignull as saying, “If you know what cognitive biases are and the kind of tricks that can be used to change your mind to persuade you to do things, then you're less likely to have them trick you.”

There’s nothing wrong with persuasion, but it’s always good to understand how it works when you’re on the receiving end. New-school security awareness training can enable your employees to recognize when they’re being manipulated, whether it’s by harmless marketing tactics, underhanded business ploys, or malicious phishing tricks.

WIRED has the story:
https://www.wired.com/story/how-to-spot-avoid-dark-patterns/
What KnowBe4 Customers Say

"Hi Stu, thanks for reaching out; the product is really great. The ASAP tool really makes getting things setup easy. I'm about to kick off our monthly phishing campaigns, so we'll see how much of the initial training took with our staff.

I think a few of my colleagues at other sports clubs have signed up for the service since we brought it on, so I hope they're seeing as much success. PS: I'm a huge CyberWire fan which is where I was first introduced to KB4. I appreciate you all supporting them."
- A.F., VP Administration

"I think the product is great value and your team have been very supportive. It was tough to opt for a US product over the British option we had in mind but while UK content is easier to swallow your product offers a degree of system management that is unparalleled. On that basis I can put up with the overly US flavor of training collateral.

I expect your response will point out there is an extensive choice of media to select from, but all in all it’s still peanut butter and jelly, opposed to jam sandwich. You can’t get away from how toned-down British tastes are.

Many thanks for following up, I expect we will see an improvement in the systems reported risk profile for our org when more training has been carried out over the months."
- T.A., IT Director

Note, you are right, we would point out that we have over 400 various British English training items in the ModStore, including seasons of live action videos Inside Man and Tuesdays with Bernie. You can see all this yourself with a free ModStore pass:
https://www.knowbe4.com/training-preview
The 10 Interesting News Items This Week
    1. U.S. Intelligence: China Opposes Trump Reelection; Russia Works Against Biden:
      https://www.npr.org/2020/08/07/900245813/u-s-intelligence-warns-china-opposes-trump-reelection-russia-works-against-biden

    2. China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI:
      https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/

    3. The Secrets of Russia’s Propaganda War, Revealed:
      https://www.themoscowtimes.com/2017/03/01/welcome-to-russian-psychological-warfare-operations-101-a57301

    4. Hacked government, college sites push malware via fake hacking tools:
      https://www.bleepingcomputer.com/news/security/hacked-government-college-sites-push-malware-via-fake-hacking-tools/

    5. Ransomware: These warning signs could mean you are already under attack:
      https://www.zdnet.com/article/ransomware-these-warning-signs-could-mean-you-are-already-under-attack/

    6. Hackers can eavesdrop on mobile calls with $7,000 worth of equipment:
      https://arstechnica.com/information-technology/2020/08/your-mobile-calls-may-be-vulnerable-to-a-new-revolting-eavesdrop-attack/

    7. Super cool story. The quest to liberate $300,000 of bitcoin from an old ZIP file:
      https://arstechnica.com/information-technology/2020/08/the-quest-to-liberate-300000-of-bitcoin-from-an-old-zip-file/

    8. The Hamilton 2.0 Dashboard – Alliance For Securing Democracy provides a summary analysis of the narratives and topics promoted by Russian, Chinese, and Iranian government officials and state-funded media:
      https://securingdemocracy.gmfus.org/hamilton-dashboard/

    9. NCC Group admits its training data was leaked online after folders full of CREST pentest certification exam notes posted to GitHub:
      https://www.theregister.com/2020/08/11/ncc_group_crest_cheat_sheets/

    10. HostingAdvice wrote: "How KnowBe4 Helps Companies and Employees Adopt a Security Mindset Through Awareness Training and Simulated Attacks":
      https://www.hostingadvice.com/blog/knowbe4-trains-companies-to-defend-against-cyberattacks/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews