CyberheistNews Vol 10 #44 [FUN DEPARTMENT] The Ultimate Cyber Security Tip

Our highly popular Security Awareness Advocate Javvad came out with a new 1-minute video that will at the very least entertain you and just might be the highlight of your day. :-D

"It’s Cyber Security Awareness Month, and the security advice is flowing out from all corners of the web to advise your users on remaining secure. However, all this information can be overwhelming for some, so the question is, can advice be simplified into a few, or even one pearl of wisdom for your users?

I think it can. Check out this video explaining what I consider to be the ultimate cyber security awareness tip."

Link to Blog Post with the brand new 'Rudeness Vs Security Ratio' graph and Javvad's new YouTube Video.

Send this link to your friends for a good chuckle:
https://blog.knowbe4.com/the-ultimate-cyber-security-tip

Lessons Learned: An IT Pro’s Experience Building His Last Line of Defense

This is the true story of an IT Manager who was tired of his users clicking everything and wanted to teach them a lesson… in a good way.

Join us as we talk with Tory Dombrowski, IT Manager at Takeform about his experiences and lessons learned while delivering a security awareness training program for his users. See how he has fun with phishing, how he creates allies in the fight against careless clicking, and why security awareness training is his organization’s best, last line of defense.

Tory and Erich Kron, KnowBe4's Security Awareness Advocate will dive deep to share best practices and creative ideas to inspire you and your own security awareness program.

In this webinar you'll hear:
  • Why it's so important to empower your users to become a "human firewall"
  • Ideas for gaining and maintaining executive support
  • The good, the bad, and the truly hilarious results of training and testing your users
  • Tips for success when implementing your own security awareness strategy

Date/Time: TOMORROW, Wednesday, October 28 @ 2:00 (ET)

Save My Spot!
https://event.on24.com/wcc/r/2775221/1D3D03B4B9E950E0914FDBE24590E642?partnerref=CHN2

Cybersecurity Awareness Month Weekly Tip: Social Media Safety

Each week during Cybersecurity Awareness Month, we have been sharing in-depth weekly cybersecurity tips from our informative advocates to help your users make smarter security decisions and build your cybersecurity fortress from anywhere!

With over 20 years as a security professional, Security Awareness Advocate Javvad Malik was the natural fit to explain this weekly cybersecurity tip. Javvad is no stranger to social media, with a YouTube channel, a popular podcast, a blog, and popular social media accounts. That is why this week's tips focus on Social Media Safety.

First of all, it is more important than ever to be careful of anything that you post on social media. The internet is a treasure trove of personal information that can be used against you. Carefully crafted phishing emails can be targeted to you just by seeing what's publicly available on your Facebook profile.

Make sure you consistently reset your passwords on any of your social media accounts. Do not share your logins to your social media accounts with anyone. In short, just be mindful about what you post, and who you share anything with.

Check out this helpful 1-minute video from Javvad as he explains his top social media tips in further detail, and share with your users:
https://blog.knowbe4.com/cybersecurity-awareness-month-weekly-tip-social-media-safety

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, November 4 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • Train your users with access to the world's largest library of 1000+ pieces of awareness training content.
  • Send fully automated simulated phishing attacks, including thousands of customizable templates with unlimited usage.
  • Assessments allow you to find out where your users are in both security knowledge and security culture, so you can establish baseline security metrics you can improve over time.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Easy user management using Active Directory Integration or SCIM Integration.

Find out how 35,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, November 4 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2774936/45A06D5D641A9560B69FEB3B671FA46A?partnerref=CHN1

The Risk of Redirector Domains in Phishing Attacks

Researchers at GreatHorn warn that a large-scale phishing campaign is using open redirects to evade email security filters. Open redirects allow attackers to take a URL from a non-malicious website and tack on a redirect, so that when the link is clicked it will take the user to a phishing page.

This results in a phishing link that can fool both humans and technology. A human may inspect the URL and conclude that it will take them to a legitimate site, while security filters will struggle to flag the link as malicious.

“The Threat Intelligence Team described this campaign as a ‘comprehensive and multi-pronged attack,’ with multiple hosting services and web servers being used to host fraudulent Office 365 login pages,” the researchers write.

“Malicious links, delivered via phishing emails to regular users worldwide, are bypassing their email providers’ native security controls and slipping past nearly every legacy email security platform on the market.”

Based on similarities in the phishing emails and malicious sites, GreatHorn believes a single actor is behind the campaign. “The URLs in the phishing emails sent to users vary,” the researchers write. “Some employ redirects; others point directly at the phishing kit pages.

The phishing kit itself uses the same naming structure in nearly all cases: http://t.****/r/, where *** represents the domain. However, the URL path varies across individual messages, as part of a common tactic used to bypass simple blocking rules that prevent these messages from reaching users.”

CONTINUED:
https://blog.knowbe4.com/the-risk-of-redirector-domains-in-phishing-attacks
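A defender-side check for the link shape described in this story, added here as an example (it is not code from GreatHorn or KnowBe4): it parses a link and reports any query parameter, or path segment, that carries an absolute URL to a host other than the link's own, including percent-encoded (even double-encoded) and scheme-relative `//host` forms. That is exactly the property a human glancing at the visible domain misses and a filter keyed on the outer host does not see. All hosts, parameter names and sample links below are constructed on the reserved example.com / example.net domains; the list of decoding layers is an assumption, not a standard.

```python
"""Detect links that route through an open redirector.

Added example, not code from GreatHorn or KnowBe4. It checks whether a link
whose visible host looks legitimate actually carries an absolute URL to a
different host in its query string or path, which is the shape of the
open-redirect links the campaign above relies on. All hosts below are
constructed samples on the reserved example.com / example.net domains.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_DECODE_LAYERS = 3  # assumption: how many layers of percent-encoding to peel off


def embedded_target_host(value, outer_host):
    """Return the host an embedded value points at when it is an absolute
    http(s) URL, or a scheme-relative //host form, whose host differs from
    outer_host; otherwise None. Peels off repeated percent-encoding, since
    double-encoded targets are a common way to slip past naive checks."""
    v = value
    for _ in range(MAX_DECODE_LAYERS + 1):
        probe = "http:" + v if v.startswith("//") else v
        parts = urlsplit(probe)
        if parts.scheme in ("http", "https") and parts.hostname:
            host = parts.hostname.lower()
            return None if host == outer_host else host
        decoded = unquote(v)
        if decoded == v:  # nothing left to decode
            break
        v = decoded
    return None


def find_open_redirects(url):
    """Return (location, target_host) pairs for every place in `url` that
    carries an absolute URL to a host other than the link's own host.
    `location` is the query parameter name, or "<path>" for path-embedded
    targets such as /redirect/https://other.host/."""
    outer = urlsplit(url)
    outer_host = (outer.hostname or "").lower()
    findings = []
    # parse_qsl already removes one layer of percent-encoding from each value
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        host = embedded_target_host(value, outer_host)
        if host:
            findings.append((name, host))
    # Some redirectors carry the target in the path rather than the query.
    path = unquote(outer.path)
    for marker in ("https://", "http://"):
        idx = path.find(marker, 1)
        if idx != -1:
            host = embedded_target_host(path[idx:], outer_host)
            if host:
                findings.append(("<path>", host))
            break
    return findings


def describe(url):
    """One-line verdict a mail gateway or analyst could log: the host a user
    would see versus where the link actually sends them."""
    outer_host = (urlsplit(url).hostname or "").lower()
    hits = find_open_redirects(url)
    if not hits:
        return f"{outer_host}: no embedded redirect target"
    targets = ", ".join(sorted({h for _, h in hits}))
    return f"{outer_host}: redirects to {targets} via {', '.join(n for n, _ in hits)}"


# Constructed sample links (not from the campaign in the article).
SAMPLE_LINKS = [
    "https://www.example.com/login?next=/account",
    "https://www.example.com/r?url=https://evil.example.net/office365/",
    "https://www.example.com/r?u=https%253A%252F%252Fevil.example.net%252Fx",
    "https://www.example.com/go?to=//evil.example.net/verify",
    "https://www.example.com/redirect/https://evil.example.net/",
    "https://www.example.com/r?url=https://www.example.com/home",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(describe(link))
```

A same-host target (the last sample) is deliberately not flagged, since in-site redirects after login are normal; the signal worth alerting on is the visible host and the destination host disagreeing. In a gateway this check is a triage hint, not a verdict: a legitimate tracking or SSO redirector will also trip it, so the finding should feed reputation lookups on the target host rather than block outright.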

See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, November 4 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • NEW! Assign additional users as approving managers to review task evidence before a task is closed with tiered-level approvals.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.

Date/Time: Wednesday, November 4 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2774887/E0FD50188B8CE52CAE88B5BA0917B3FD?partnerref=CHN1


Let's stay safe out there, with tens of millions working from home.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check out this scary new post: "All Con, All the Way Down: Bad Guys Spoof Phishing Link Hover Texts":
https://blog.knowbe4.com/all-con-all-the-way-down-bad-guys-spoof-phishing-link-hover-texts?



Quotes of the Week
"Wherever you go, no matter what the weather, always bring your own sunshine."
- Anthony J. D'Angelo, Author



"If you spend your whole life waiting for the storm, you'll never enjoy the sunshine."
- Morris West, Author



Thanks for reading CyberheistNews

Security News
Threatening Election Emails Land in Florida Inboxes

Eric Howes, KnowBe4 Principal Lab Researcher reported on the 21st: "If you checked the news this morning, you probably noticed a story getting plenty of play on mainstream news sites: threatening election-themed emails sent to recipients in three states, including the perennial swing state of Florida.

Several customers in Florida using the Phish Alert Button (PAB) did indeed report these emails to us yesterday. What follows are some notes and observations about the emails reported to us.

All told, this is a rather ham-handed email campaign, and the ultimate purpose of it remains somewhat of a mystery. Although it is certainly designed to sow fear, confusion, and doubt surrounding the election -- someone is clearly stirring the pot -- the ultimate end game may not be entirely clear unless and until the perpetrators behind it are identified (if indeed they ever are). [The FBI stated it was Iran]

It's worth stressing that the actual danger to individuals is likely very low, although law enforcement authorities at the state and national level have been alerted. Like those Bitcoin blackmail emails we saw back in March/April that threatened to infect email recipients with COVID-19, there is little danger to users or the general public.

As always, we strongly encourage organizations to step their users through new-school security awareness training so that they can anticipate and correctly handle these kinds of emails. And it's worth reminding readers that KnowBe4 does offer a free course for home users (who were targeted in this election-themed email campaign).

In the face of threats designed to sow fear, confusion, and doubt, knowledge and sunlight are the appropriate responses.

Blog Post with detailed observations, links and screenshot:
https://blog.knowbe4.com/threatening-election-emails-land-in-florida-inboxes

How a 14-year CIA Officer Joined KnowBe4 As SVP Cyber Operations

We call it “social engineering” when we talk about the ways in which criminals and others persuade people to act against their own interests. But this human factor is also at the center of the spycraft surrounding both human intelligence and counterintelligence.

On the CyberWire’s Career Notes podcast, Rosa Smothers said her time in the CIA gave her a lot of experience with advanced technology and intelligence work.

“Working at the Agency afforded me the ability to work with a level of cutting edge technology that much, if not most of the private sector is still considering or beginning to work on, things that you do see in the movies,” Smothers said. “I usually say, you know, think of something that's fairly realistic, but somewhat science fictionesque and I may have been involved with something like that.

I was in DC for, I think 14 years total, and a lot of that was overseas and quite frankly, a lot of it was that lifestyle can be exhausting because it's a constant sense of paranoia. You have a constant awareness of [how] our adversaries are pursuing you. So I left the area, moved closer to my family, took a couple of months off just to learn how to live like a normal human being.

And I was in the Tampa area and Stu Sjouwerman discovered I was local and called upon me to join KnowBe4 to work as their Senior Vice President of Cyber Operations. So it was an offer I just couldn't refuse.”

Smothers said her favorite part about working for KnowBe4 is helping people around the world protect themselves from social engineering attacks.

“The favorite part for me is the advocacy aspect of it,” she said. “I am a big believer in what the company's mission is, and it's basically secure the planet. Social engineering is the easiest way into a network. There's a business case for it, but just from a data privacy perspective for our citizens, it's also a huge issue as well.”

So in some respects every organization is up against these challenges all the time. New-school security awareness training can help your employees avoid falling for social engineering attacks by teaching them about the ways in which cybercriminals try to trick them.

The CyberWire has the story:
https://thecyberwire.com/podcasts/career-notes/20/transcript

The Surprising Analysis Where Business Email Compromise Criminals Actually Are

Researchers at Agari have released a report on the global distribution of business email compromise (BEC) actors, and determined that 25% of these criminals are operating from within the United States. This makes the US the second-largest hub for BEC actors in the world.

Criminals in Nigeria still account for the vast majority of BEC attacks, at 50% of the global total. South Africa was third, with criminals there responsible for 9% of these attacks. Agari’s researchers based their findings on incidents in which the attackers failed to anonymize their real-world locations.

“A quarter of the BEC actors we identified globally were located in the US, operating in 45 states and the District of Columbia,” Agari says. “Nearly half these scammers were located in five states: California, Georgia, Florida, Texas, and New York.

Many of the BEC actors in our dataset were clustered around a handful of US cities. The largest of these were based in and around Atlanta, GA, with 7% of all US-based BEC actors operating in this metropolitan area.”

The US government isn’t letting these actors operate unperturbed—the Justice Department has arrested dozens of people allegedly involved in these schemes. Still, the number of BEC attacks originating in the US is notable, considering that Europe only accounts for 6%, the Middle East for 4%, and the Asia-Pacific for 2%.

“It’s well-known that organizations within the United States are preferred targets for BEC actors. Some groups our team has researched, such as Exaggerated Lion, have exclusively targeted US-based businesses, for instance. But it may be surprising to some that a quarter of all BEC actors operate from within the US.”

Agari adds that BEC activity is on the rise in other countries as well. “Because of the impact of BEC attacks globally, law enforcement in Nigeria has become more aggressive in recent years, which has caused BEC actors to migrate to other countries,” the researchers write. “Additionally, the significant return on investment from BEC scams has led far more sophisticated Eastern European cybercrime groups, like Cosmic Lynx, to get into the game.

This only increases the geographic distribution of BEC attack sources.” BEC attacks are extremely profitable, so criminals put a great deal of effort into refining their tactics. New-school security awareness training can help your employees thwart targeted social engineering attacks.

Agari has the story:
https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-geography-of-bec.pdf

New Feature - PhishER Event Integration to KMSAT

We now have a new feature in PhishER! The integration lets you take incident response information from PhishER and act on what’s most important to your organization by creating Smart Groups in your KnowBe4 platform.

PhishER events can be used as triggers to step the users who need it most through additional targeted and remedial training and simulated phishing tests. These events show up on the user's timeline as a purple custom event.

Below are some example event types and scenarios:
  • Users that haven’t reported any messages (whether simulated or a real threat) in a specific timeframe
  • Users are reporting too many spam messages to your incident response team
  • Users are reporting too many clean and legitimate messages to your incident response team
  • Users are not identifying or reporting dangerous messages they receive and leave them in their mailbox
  • Known email threats sitting in your users’ mailboxes were identified and removed by PhishRIP

What KnowBe4 Customers Say

"I am extremely happy with KnowBe4.

It really opened our eyes as to the lack of attention our employees were paying to emails and security in general.

I found you through Gartner at the 2019 Symposium. I was impressed as all other vendors were pushing security software and hardware but KnowBe4 was the only vendor addressing the real problem, people.

It does nobody any good if you spend $1,000,000 on security auditing, scanning, firewalls, and penetration tests and 1 employee clicks that email. The people are the problem and your product needs to be in every company.

Really, I am that impressed with the content and the ease of use and the price pays for itself in the first time one person decides not to click that link!

We just started using it for IT needs but plan to extend its use as our learning management system for all employees.

My hat's off to KnowBe4 for an outstanding product."

- S.M., Vice President of Information Technology and Security

The 10 Interesting News Items This Week
    1. By Yours Truly in CEOWorld: "5 Ways Fake News is Amplifying Phishing and Fraud":
      https://ceoworld.biz/2020/10/22/5-ways-fake-news-is-amplifying-phishing-and-fraud/

    2. NSA publishes list of top vulnerabilities currently targeted by Chinese hackers:
      https://www.zdnet.com/article/nsa-publishes-list-of-top-25-vulnerabilities-currently-targeted-by-chinese-hackers/#ftag=RSSbaffb68

    3. WSJ Security Experts Alarmed by ‘Broken’ Cyber Market (paywall but great to forward):
      https://www.wsj.com/articles/security-experts-alarmed-by-broken-cyber-market-11603359014?st=9az2qnmm3ifb08i&reflink=article_email_share

    4. 2020 has brought 'a big shift' for cybersecurity as companies' entire existences are at stake, says the CEO of $1.65 billion Darktrace:
      https://www.businessinsider.com/poppy-gustafsson-ceo-darktrace-cybersecurity-global-trends-2020-10

    5. U.S. government concludes Iran was behind threatening emails sent to Democrats. FBI Video:
      https://www.youtube.com/watch?v=233H_v2LlAU

    6. Survey Finds 78% of Risk Managers Now Buying Cyber Insurance:
      https://www.insurancejournal.com/news/national/2020/10/20/587272.htm

    7. And Cyber insurers tighten underwriting, raise prices as ransomware wave hits:
      https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/cyber-insurers-tighten-underwriting-raise-prices-as-ransomware-wave-hits-60829821

    8. Bot Generated Fake Nudes Of Over 100,000 Women Without Their Knowledge. Imagine the social engineering risks:
      https://www.cnet.com/news/deepfake-bot-on-telegram-is-violating-women-by-forging-nudes-from-regular-pics/

    9. Cybersecurity company finds hacker selling info on 186 million U.S. voters:
      https://www.nbcnews.com/politics/2020-election/cybersecurity-firm-finds-hacker-selling-info-148-million-u-s-n1244211

    10. Russian cyber-attack spree shows what unrestrained internet warfare looks like:
      https://www.theguardian.com/technology/2020/oct/19/russian-hackers-cyber-attack-spree-tactics

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.