CyberheistNews Vol 10 #48 [Scam of the Week] Black Friday & Cyber Monday Top 10 Cybersecurity Tips

The bad guys are at it again with holiday phishing scams, and this time they are reaching your users at home. Because we are in the middle of a pandemic, retailers have already started online Black Friday deals, and those deals attract scammers.

Cyber Monday will also be bigger than ever before. That means you and your users need to be extra cautious when shopping online over the Black Friday and Cyber Monday weekend.

According to TechCrunch, e-commerce growth, estimated at 18%, is expected to continue through the holiday season, and more online shopping means more online scams. Check Point research showed that the first half of November already saw an 80% increase in phishing campaigns relating to sales and shopping special offers.

I suggest you send this reminder to your users, friends and family. Feel free to edit, copy/paste:

"It's Holiday Season for the bad guys too! But not the way you might think. They go into scam-overdrive mode. Black Friday and Cyber Monday are the busiest online shopping days and the bad guys are planning to get rich with your money. So, here are this year's Top 10 Holiday Cybersecurity Alert Tips:
  1. Keep all devices up to date with basic security measures to lessen your chance of becoming a victim.
  2. Only connect to known Wi-Fi networks; beware of network names that have typos or extra characters.
  3. Use strong, unique passwords on all accounts. This is a good time to update passwords!
  4. Be safe on all social media; don't overshare and take the time to review your privacy settings on the platforms you use.
  5. Keep an eye on your bank accounts and monitor your credit report regularly.
  6. Be careful with messages regarding shipping changes. Always use official channels to stay updated.
  7. Watch out for holiday greeting cards that may not be the sender you think! Don't open these unless you're certain you can trust who they came from.
  8. Keep devices in view (or know where they are) throughout the course of all holiday travel.
  9. Pay close attention to the websites you visit and shop on. It's safest to only use those you trust.
  10. Be wary of ads, giveaways, and contests that seem too good to be true. These run rampant during the holiday season!"
You can download the tip sheet here to share with your users as well. For KnowBe4 customers, we have the following phishing template subjects available:
  • Pandora Black Friday Special! (Link)
  • Amazon: Black Friday Deal, $50 Off Your $100 Order (Link)
  • Best Buy: Limited time only: Claim your FREE $50 Black Friday Coupon! (Link)
  • Google Calendar: Invitation for Black Friday (Link) (Spoofs Domain)
  • Amazon: Cyber Monday $50 Credit Offer! (Link)
  • Best Buy: Secret Cyber Monday Deal - $100 Best Buy Voucher (Link)
These templates are available in our System Templates under the Current Events phishing template category. Since this year is unprecedented, do not let the bad guys exploit your holiday spirit and use it against you. Remember to stay alert when you shop online, and to Think Before You Click!

Blog Post:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, December 2 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! Easy user management using Active Directory Integration or SCIM Integration.
  • NEW! The first 2021 Training Modules were just published in the ModStore, see item below.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
Find out how 35,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, December 2 @ 2:00 PM (ET)

Save My Spot!

Nearly Half of Spear Phishing Emails Bypass Security Filters

47% of payloadless phishing emails are able to bypass the most popular secure email gateways (SEGs), according to researchers at IronScales. These are emails that don’t contain malicious links or attachments, but instead try to manipulate the user in a more targeted manner.

“The overwhelming majority of email phishing attacks are now driven by social engineering messages aimed at prompting an action, and distributed via advanced phishing techniques such as business email compromise (BEC), VIP/CEO impersonation and other forms of email spoofing and fraud,” the researchers write.

“From an attacker’s perspective, the transition from spear-phishing emails packed with malicious payloads to social engineering was a no brainer.”

The researchers explain that spear phishing is much more effective because the most popular secure email gateways “were not built to analyze the language within an email and decipher a message’s context and intent.”

“The phishing attack technique with the greatest penetration rate was sender name impersonations, which occur when an email masquerades as coming from a trusted source, such as a colleague, friend or family member,” IronScales says.

“Sender name impersonations accounted for 30% of all SEG penetrations, which represents a 6% increase from our 2019 analysis. Domain name impersonations, which occur when an email is from a similar domain, in which attackers register the domain to set the right authentication records in the DNS, accounted for 25% of penetrations.

This represents a 23% increase from our 2019 research. VIP impersonations, such as CEO spoofs, and fake login pages came in at 22% and 16%, respectively.”

Technical defenses are useful and have improved greatly over the years. As security technology improves, however, attackers have shifted to more targeted social engineering attacks that won’t be flagged by these defenses.
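The two highest-penetration categories in the IronScales figures above, sender display-name impersonation and lookalike-domain impersonation, are both checkable from the From header alone once you know who your trusted contacts are. The following Python sketch is an added example, not IronScales' or KnowBe4's tooling: it flags a From header when the display name matches a known contact but the address does not, and when the sender domain is a close edit or a visually confusable variant of a trusted domain. The contact directory, the trusted-domain list and the confusable table are constructed for the example; a real mail-flow rule would load them from the tenant's address book and accepted-domain configuration.

```python
import re
from email.utils import parseaddr

# Constructed directory of known contacts and the organization's own domains
# (assumption for this example; load these from your address book in practice).
TRUSTED_CONTACTS = {
    "jane doe": "jane.doe@example.com",
    "ceo office": "ceo@example.com",
}
TRUSTED_DOMAINS = {"example.com", "example-partner.com"}

# Visually confusable substitutions commonly used in lookalike registrations.
# Heuristic table, constructed for the example.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_name(name: str) -> str:
    """Lower-case the display name, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", "", name).lower().split())


def fold_confusables(domain: str) -> str:
    """Rewrite confusable sequences to their canonical letters (e.g. 'exarnple' -> 'example')."""
    folded = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted_domain(domain: str) -> bool:
    """Exact trusted domain or a subdomain of one (mail.example.com is fine)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike_domain(domain: str) -> bool:
    """Untrusted domain that folds to, or is one edit away from, a trusted domain."""
    if not domain or is_trusted_domain(domain):
        return False
    folded = fold_confusables(domain)
    return any(folded == t or edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS)


def classify_sender(from_header: str) -> list:
    """Return the impersonation findings for one From header (empty list if none)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # Display-name impersonation: known contact's name, but not their address.
    expected = TRUSTED_CONTACTS.get(normalize_name(name))
    if expected and addr != expected:
        findings.append("display-name-impersonation")
    # Lookalike domain: near-miss on one of our trusted domains.
    if is_lookalike_domain(domain):
        findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    # Constructed sample From headers, not taken from any real campaign.
    samples = [
        '"Jane Doe" <jane.doe@example.com>',
        '"Jane Doe" <jane.doe1987@gmail.com>',
        '"Accounts Payable" <invoices@examp1e.com>',
        '"Jane Doe" <jane.doe@exarnple.com>',
        '"IT Helpdesk" <helpdesk@mail.example.com>',
    ]
    for header in samples:
        print(f"{header:50s} -> {classify_sender(header) or 'clean'}")
```

The fold-then-compare step catches the substitutions that an edit-distance threshold of one misses when several characters change at once ('rn' for 'm'), while the subdomain allowance keeps legitimate mail from the organization's own hosts out of the alert queue. A rule like this complements, rather than replaces, SPF/DKIM/DMARC: a registered lookalike domain will pass those checks, which is exactly the gap the passage describes.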

Full post with links to source:
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, December 2 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, December 2 @ 1:00 PM (ET)

Save My Spot!

Google's Free Services and Phishing Campaigns: A Likely Pair

Cybercriminals are now launching phishing campaigns that abuse Google's free productivity tools while also using social engineering to trick users into installing malware.

Google's free offerings include documents, spreadsheets, online forms, and websites. These tools are heavily used by the education sector, which can be an easy target for the bad guys to infiltrate. A new report released by email security firm Armorblox showed how the bad guys are building elaborate campaigns that look convincing while evading detection as scams.

To protect your organization from these types of attacks, it's important that your users scrutinize emails on sensitive subjects, especially when money is involved.

They should treat all emails that have links and/or attachments as suspicious, and report any suspicious email to your security team, ideally using the Phish Alert Button (PAB) email client add-in.

Blog Post with screenshot and links:

Link to the no-charge PAB:

Do You Know if New Ransomware Attacks Can Bypass Your Network Defenses?

The bad guys continue to demand larger ransoms and are getting more insidious in how they target your organization and take advantage of vulnerable users. A new ‘name-and-shame’ ransomware tactic is responsible for a significant increase in ransomware attacks this year, as evidenced by two popular ransomware families, Maze and DoppelPaymer.

That’s why we've updated our Ransomware Simulator tool “RanSim” to add two new ransomware scenarios you can test on your network! These new scenarios simulate ransomware strains that exploit known security vulnerabilities in Windows, use vulnerable VPNs and remote desktop servers, and can easily bypass your endpoint security and AV filters.

Try KnowBe4’s NEW Ransomware Simulator tool and get a quick look at the effectiveness of your existing network protection against the latest threats. RanSim will simulate 20 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

Here's how RanSim works:
  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 21 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes!
This is complimentary and will take you 5 minutes.

RanSim may give you some insights about your endpoint security you never expected!

Download RanSim!

Help Your Friends Stay Safe This Holiday Season With KnowBe4

Got any IT friends that don't use the KnowBe4 platform yet? Give them an effective security gift and tell them about the new no-charge holiday kit!

Perhaps you have a vendor you are worried about because they don't train their users? Send them the following, or just the link to the blog post at the end:

This holiday season may be a little different, but users will still be focused on holiday activities. The bad guys are taking advantage of holiday distractions and using social engineering tactics to trick your users into becoming the next victim.

Phishing emails about shipping notifications and e-cards have already flooded inboxes and can be easily missed. Users are even more likely to click on these types of emails, especially from home.

That’s why this holiday season we have a brand-new resource kit available for you and your end users!

It’s the busiest time of year for everyone, especially cybercriminals. They know surges in online shopping and time constraints can make it easier to catch users off their guard with relevant schemes. We’ve put together a free holiday resource kit which includes a free training video, new infographics, awareness posters, and a video on common holiday scams.

Happy Holidays from KnowBe4. We hope everyone stays safe this holiday season. Grab your free kit here:

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"If you light a lamp for someone else it will also brighten your path."
- Buddha (563 - 483 BC)

"I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past, I will turn the inner eye to see its path. Where the fear has gone, there will be nothing. Only I will remain."
- Frank Herbert, Author of DUNE

Thanks for reading CyberheistNews

Security News
Why Use Malware When You Can Use Social Engineering?

Researchers at Malwarebytes warn that a malvertising campaign they call “malsmoke” has stopped deploying exploit kits and is now using social engineering attacks to trick users into installing malware.

The threat actor behind this campaign generally targets high-traffic adult websites. In the latest campaign, the attackers began using web pages that purport to contain an adult video, and inform users that they’ll need to install a Java plugin in order to view the video.

“Starting mid-October, the threat actors behind malsmoke appear to have phased out the exploit kit delivery chains in favor of a social engineering scheme instead,” the researchers write. “The new campaign is tricking visitors to adult websites with a fake Java update.

This change is significant because it drastically increases the target audience, no longer limiting it to Internet Explorer users running outdated software.”

The use of social engineering also gives the attackers flexibility in how they target their victims, and enables them to improve upon their techniques in the future.

“The threat actors could have designed this fake plugin update in any shape or form,” Malwarebytes says. “The choice of Java is a bit odd, though, considering it is not typically associated with video streaming. However, those who click and download the so-called update may not be aware of that, and that’s really all that matters.”

Malwarebytes concludes that social engineering schemes will remain relevant, since they’re cheaper and often more efficient than technical exploits.

“In the absence of high value software vulnerabilities and exploits, social engineering is an excellent option as it is cost effective and reliable,” the researchers explain. “As far as web threats go, such schemes are here to stay for the foreseeable future.”

Technical vulnerabilities can always be patched, but humans need to receive education to combat social engineering attacks. New-school security awareness training can help your employees stay ahead of these evolving tactics.

Malwarebytes has the story:

Phishing in Facebook's Pond

A scam targeting Facebook users duped hundreds of thousands of people out of their money and information, according to researchers at vpnMentor. The researchers discovered an exposed Elasticsearch database the scammers were using to store information taken via phishing attacks.

This information included:
  • “Facebook login credentials (usernames and passwords) for between 150,000 to 200,000 accounts on Facebook.
  • “Text outlines for comments the fraudsters would make on Facebook hosts, via a hacked account, directing people to suspicious and fraudulent websites.
  • “Personally Identifiable Information (PII) data such as emails, names, and phone numbers from 100,000s of people who’d registered at a fraudulent Bitcoin site also run by the fraudsters.
  • “Domains for the websites used in the scam.
  • “Technical information about how the fraudsters had automated their processes.”
All of this information was stolen in just four months, between June and September of 2020. It’s worth emphasizing that since the scammers misconfigured their database, this information was publicly available to anyone who stumbled across it, not just the scammers who stole it in the first place.

One cannot expect sound cyber hygiene, after all, from the underworld. The researchers also describe how the scam worked. The first stage of the scheme used spoofed Facebook login pages telling people they could find out who viewed their profile if they entered their credentials.

Once they clicked “Log In,” their credentials would be sent to the scammers and stored in the database, while the victims would be redirected to a fake Facebook app in the Google Play store. (It’s not clear if this app itself was malicious or if it was just a decoy to prevent the victims from realizing they’d been phished.)

Next, the scammers would log in to the victims’ Facebook accounts and comment links to Bitcoin scams on their friends’ posts. These links led to websites that directed people to deposit nearly $300 (€250) in order to begin trading.

New-school security awareness training can help your employees recognize the signs of a scam, even if it’s sent to them by a trusted contact.

vpnMentor has the story:

KnowBe4 ModStore Release Announcement: New 2021 Versions of 3 Flagship Courses Now Live!

Our Courseware team has been hard at work, and we're proud to announce the release of the 2021 Versions of 3 Flagship Courses!

The following modules include:
  • 2021 Common Threats
  • 2021 Social Engineering Red Flags
  • 2021 Kevin Mitnick Security Awareness Training - 15 minutes
While 2020 might have been a tough year, these modules are better than ever. But wait, there is more! In Q1 2021, the 2021 Social Engineering Red Flags module will be translated into the top 10 languages, and the 2021 Kevin Mitnick Security Awareness Training - 15 minutes module will be translated into 34 languages.

Here's to a bright, informative, and engaging 2021. Get a free preview of the ModStore now and take that next step!

What KnowBe4 Customers Say

"Stu, I support cybersecurity efforts at our Association, and I’d like to express my gratitude and appreciation to you and your customer success teams. We really appreciate the way you prioritize this within your organization.

My CS representative, Tyler has been stellar! He is always super helpful, and last month when I was busy with cybersecurity events, he even took it upon himself to create a custom group of employees within my console for me. That is above and beyond support, and unlike what I receive from other 3rd party groups I deal with.

So thank you for your leadership, and kudos to Tyler and all the others that help us keep our organizations safe!"
- T.C., IT Cybersecurity

"I have recently become the KnowBe4 admin. I wanted to let you know that Shannon has been the most helpful customer success manager I have ever worked with. She is quick to respond to my emails and when needed I can always schedule Zoom calls with her within 24 hours of me needing help. It has been a pleasure to get to work with her and I wanted to make this apparent to her managers."
- P.S., IT Helpdesk

"We have been a customer of KnowBe4 for several years and are very pleased with the products. I started off by creating several video training campaigns, then my co-worker took it a step further by adding phishing tests. We felt as if we had a pretty good handle on the platform and were receiving good data back.

It wasn’t until AylaH became our success manager that we became even more impressed. She quickly guided us through adding smart groups and how to better interpret our scores. Working with Ayla is an absolute pleasure!

In my opinion, she has a great mix of customer service, professionalism, passion, institutional knowledge and has great personality, to boot. We belong to a regional IT peer group, where we have presented KnowBe4 and our success as an organization with it and have received numerous compliments and positive feedback on our efforts.

Interestingly, we cannot take all the credit as Ayla deserves a portion as well. It is refreshing to have the confidence that she is truly committed to making us better, which in turn keeps our staff and company safe from cybercriminals. We hope Ayla will continue to be our success manager, but will understand if she were to be promoted, as most exceptional employees do. Thank you for your time!"
- M.D., IT Technician

The 11 Interesting News Items This Week
    1. The worst passwords of 2020 show we are just as lazy about security as ever:

    2. FireEye Predicts Ransomware Will Evolve and Expand in 2021:

    3. Why ransomware is still so successful: Over a quarter of victims pay the ransom:

    4. Phishing Awareness Training & Best Practices Explained at AT&T Cybersecurity:

    5. The UK created a secretive, elite hacking force. Here’s what it does:

    6. Insurer Allianz: "Business interruption drives 60% of cyber losses":

    7. LinkedIn phishing scams most clicked with a 47% open rate in Q3 2020:

    8. The ransomware landscape is more crowded than you think:

    9. Ransomware top loss cause for small, medium business:

    10. Human error blamed in Welsh Covid-19 patient data leak:

    11. BONUS: Robot Vacuums Suck Up Sensitive Audio in ‘LidarPhone’ Hack:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.
