CyberheistNews Vol 10 #49 [Eye Opener] How Many Phishing Sites? A Whopping 2 Million in 2020 So Far

Google has flagged 2.02 million phishing sites since the beginning of the year, averaging forty-six thousand sites per week, according to researchers at Atlas VPN. The researchers note that the number of phishing sites peaked at the start of the year, which correlates with the start of the pandemic.

“Data also reveals that in the first half of 2020, there were two huge spikes in malicious websites, reaching over 58 thousand detections per week at the peaks,” the researchers write. “The second half of the year seems more stable, which is not a positive thing, as there are around 45 thousand new copy-cat websites registered every seven days.”

Atlas VPN says the number of new phishing sites has been steadily increasing each year since 2015, but it’s now higher than it’s ever been. Google and other companies do a good job of tracking down malicious sites, but attackers can easily scale their operations and set up new sites to stay ahead of efforts to shut them down. New-school security awareness training enables your employees to spot these sites on their own.

Full Post with links:
https://blog.knowbe4.com/how-many-phishing-sites-over-2-million-in-2020-so-far
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, December 2 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users:
  • NEW! AI Recommended training suggestions based on your users’ phishing security test results.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! Easy user management using Active Directory Integration or SCIM Integration.
  • NEW! The first 2021 Training Modules were just published in the ModStore.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
Find out how 35,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, December 2 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2774954/8E21934A006EC795A61056E8DBE28B42?partnerref=CHN2
[Heads-Up] A Hacker Is Selling Access to the Email Accounts of Hundreds of C-Level Executives

ZDNet's Zero Day column just reported one of the best reasons why you should step your users through new-school security awareness training yet: "A threat actor is currently selling passwords for the email accounts of hundreds of C-level executives at companies across the world. The data is being sold on a closed-access underground forum for Russian-speaking hackers named Exploit.in, ZDNet has learned this week.

The threat actor is selling email and password combinations for Office 365 and Microsoft accounts, which he claims are owned by high-level executives occupying functions.

Access to any of these accounts is sold for prices ranging from $100 to $1,500, depending on the company size and user's role. A source in the cyber-security community who agreed to contact the seller to obtain samples has confirmed the validity of the data and obtained valid credentials for two accounts, the CEO of a US medium-sized software company and the CFO of an EU-based retail store chain.

The source, which requested that ZDNet not use its name, is in the process of notifying the two companies, but also two other companies for which the seller published account passwords as public proof that they had valid data to sell. These were login details for an executive at a UK business management consulting agency and for the president of a US apparel and accessories maker."

I don't have to tell you the risks that this brings related to CEO fraud, also known as Business Email Compromise.

Full post with links:
https://blog.knowbe4.com/heads-up-a-hacker-is-selling-access-to-the-email-accounts-of-hundreds-of-c-level-executives
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, December 2 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TOMORROW, Wednesday, December 2 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2774913/3230ED76A39AAFD4B42FAB25D77F9432?partnerref=CHN2
Cruel Phishing Attack: "You're Fired" (Not Really, Just Hacked)

The operators of the BazarLoader malware are using phishing emails that inform people they’ve been terminated from their jobs, according to Linn Freedman, a partner at Robinson & Cole LLP, writing for the National Law Review.

These types of attacks are particularly effective (and cruel) during the COVID-19 pandemic, since many people are worried about losing their jobs.

“The scheme works like this: an email is sent to an employee from an authority in the Human Relations department stating that the individual has been terminated,” Freedman explains. “An attachment to the email provides further information about the termination and the severance payout, which appears to be on Google Docs.

When the victim clicks on the attachment, they are directed to a fake Google Docs page and told to click on another link. When they click on that link, they are directed to a URL to download a file.”

Freedman writes that many employees would be tempted to open such an email, even if they think it’s unusual or suspicious. “Just as ending a relationship with an email or a text message is bad form, employers don’t usually terminate employees with an email,” Freedman says. “Nonetheless, since a message that appears to address a termination is so drastic and final, it is hard to resist opening it, if only to see if your severance is mentioned in the email.”

Freedman offers the following advice for users:
  • “Be wary of termination emails—if you receive one, it is probably fake.
  • “If you really are terminated, Human Resources will get in touch with you one way or the other.
  • “Continue to be vigilant about phishing schemes and spoofing campaigns using executives’ identities.
  • “Think twice before you click or say ‘I agree.’
  • “Don’t open any attachments or click on any links that you are not expecting.
  • “Pick up the phone to confirm suspicious emails, links or attachments.”
Only one employee has to fall for one of these phishing attacks for an attacker to gain a foothold on your network. New-school security awareness training gives your organization an essential last layer of defense by enabling your employees to make smarter security decisions.

Story at National Law Review:
https://www.natlawreview.com/article/privacy-tip-260-don-t-fall-worrisome-termination-email-sent-your-boss
[New Webinar] When the Bad Guys Hide in Plain Sight: Hacking Platforms You Know and Trust

Today’s hackers are concealing their attacks in places you wouldn’t expect… utilizing tools your users know and trust to deliver their malicious payloads. Secure email services with end-to-end encryption and cloud storage solutions like Google Drive just aren’t as trustworthy as your end users believe.

In this exclusive webinar Kevin Mitnick, KnowBe4’s Chief Hacking Officer and Perry Carpenter, KnowBe4’s Chief Evangelist & Strategy Officer will show you why your users should think twice before trusting seemingly benign emails.

In this session we’ll share:
  • Why you shouldn’t always trust legitimate providers like Google Drive
  • How hackers use safe email senders to bypass email security tools
  • The hidden dangers of storing passwords in your browser
  • Actual phishing attacks we’re seeing in the wild
  • Eye-opening hacking demos you won’t want to miss
See the dangers lurking behind seemingly innocent actions for yourself. And earn CPE credit just for attending.

Date/Time: Wednesday, December 9 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2853614/E894F6D953E3C0AF992386ABA9B9D45B?partnerref=CHN1

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: [FUN] How many passes does the team in white make? Check your own awareness with this test! Same is true for social engineering:
https://www.flixxy.com/test-your-awareness-do-the-test.htm?utm_source=4



Quotes of the Week
"It had long since come to my attention that people of accomplishment rarely sat back and let things happen to them. They went out and happened to things."
– Leonardo da Vinci (1452 – 1519)



"You have to have a dream so you can get up in the morning."
- Billy Wilder - Director (1906 - 2002)


Thanks for reading CyberheistNews

Security News
The Risk of the “To” Line

Micropayments company Coil accidentally exposed at least a thousand of its customers’ email addresses by including their addresses in the “To” field of an email, BleepingComputer reports. The email in question concerned updates to the company’s privacy policy (many observers have noted the irony).

It’s not clear how many email addresses were exposed, but BleepingComputer suspects it was more than a thousand. “On taking a closer look, they noticed at least 1,000 emails were included in the announcement,” the publication says. “It is likely other users saw a different set of email addresses listed in the To or CC fields, assuming the mass announcement was emailed in batches of 1,000.”

Coil’s founder and CEO Stefan Thomas apologized in a statement, saying the incident was caused by human error. “Earlier this evening we sent you an email updating you on changes to our Terms & Privacy Policy,” Thomas said. “Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users' email addresses were populated alongside yours.

This mistake is especially painful as we take privacy extremely seriously -- it is the cornerstone of our values. We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error.”

BleepingComputer notes that these types of privacy breaches are fairly common, with at least two other incidents occurring in the past few weeks. “Last week, Rakuten had erroneously emailed multiple customers, stating the customers had earned cashback, only to recall their words later,” BleepingComputer says.

“In October, a Home Depot email blunder had exposed hundreds of customer orders and personal information to strangers CC'd in emails.” It’s not just the incoming mail that can be a problem. The outgoing mail carries its own risks.

New-school security awareness training can reduce the risk of both malicious and accidental incidents by teaching your employees to be vigilant when dealing with emails and other forms of communication.
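The Coil incident is the kind of mistake a mailing pipeline can refuse to make at all. The following is an added example (my code, not Coil's, BleepingComputer's or KnowBe4's) of a bulk-announcement builder that either sends one message per subscriber or puts the list in Bcc, and runs every message through a pre-send guard that rejects anything with more than one address visible in To/Cc. The sender, subscriber addresses and announcement text are constructed for illustration.

```python
"""Bulk announcement builder with a guard against recipient-list exposure.

Added example, not code from Coil, BleepingComputer or KnowBe4. The sender,
subscriber addresses and announcement text are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "notice@example.com"  # hypothetical sender address

# Constructed subscriber list (hypothetical addresses).
SUBSCRIBERS = ["alice@example.com", "bob@example.net", "carol@example.org"]


class RecipientExposure(ValueError):
    """Raised when a message would let recipients see each other's addresses."""


def visible_recipients(msg):
    """Addresses every recipient can read: the To and Cc headers.
    Bcc is deliberately not included; smtplib.SMTP.send_message strips it
    from the transmitted headers and uses it only for the envelope."""
    raw = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def assert_no_exposure(msg, max_visible=1):
    """Pre-send guard for bulk mail: refuse any message whose To/Cc would
    reveal more than max_visible addresses."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise RecipientExposure(
            f"{len(seen)} addresses visible in To/Cc; use Bcc or one message per recipient"
        )


def build_announcement(sender, subscribers, subject, body, mode="per-recipient"):
    """Build the announcement messages and run every one through the guard.

    mode="per-recipient": one message per subscriber, To = that subscriber.
    mode="bcc":           one message, To = sender, subscribers in Bcc.
    mode="to":            the mistake in the story, everyone in To; kept here
                          only to show that the guard refuses it.
    """
    msgs = []
    if mode == "per-recipient":
        for addr in subscribers:
            m = EmailMessage()
            m["From"], m["To"], m["Subject"] = sender, addr, subject
            m.set_content(body)
            msgs.append(m)
    elif mode in ("bcc", "to"):
        m = EmailMessage()
        m["From"], m["Subject"] = sender, subject
        if mode == "bcc":
            m["To"] = sender
            m["Bcc"] = ", ".join(subscribers)
        else:
            m["To"] = ", ".join(subscribers)
        m.set_content(body)
        msgs.append(m)
    else:
        raise ValueError(f"unknown mode {mode!r}")

    for m in msgs:  # the guard runs before anything would be handed to SMTP
        assert_no_exposure(m)
    return msgs


if __name__ == "__main__":
    for msg in build_announcement(SENDER, SUBSCRIBERS, "Policy update",
                                  "Our privacy policy has changed."):
        print("To:", msg["To"])
    try:
        build_announcement(SENDER, SUBSCRIBERS, "Policy update", "...", mode="to")
    except RecipientExposure as exc:
        print("refused:", exc)
```

The guard is deliberately dumb: it does not try to decide which addresses are "internal", it just counts what every recipient will see. Per-recipient messages are the safer of the two allowed modes, since a Bcc list still depends on the relay stripping the header correctly, which is why the guard also treats a Bcc message as acceptable only when its To line carries a single address.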

Story at BleepingComputer:
https://www.bleepingcomputer.com/news/security/coil-payments-platform-leaks-user-emails-in-privacy-policy-update/
Credential-Stealing VPN Exploits

A hacker has published an exploit for a critical vulnerability in Fortinet VPN devices, along with a list of 49,577 vulnerable devices, BleepingComputer reports. Fortinet released a patch for the flaw in May 2019, but many devices remain vulnerable.

The flaw (CVE-2018-13379) is a path traversal in the SSL VPN web portal that lets an unauthenticated attacker read system files from vulnerable Fortinet VPNs, including the session file that holds VPN users' credentials in plaintext. In fact, the hacker in this case claims to have already obtained the login credentials for the vulnerable devices on the list.

BleepingComputer says this access will most likely be exploited by ransomware operators to gain access to networks. BleepingComputer adds that a number of well-known public and private sector organizations are on the hacker’s list.

“After analyzing the list, it was found that the vulnerable targets included government domains from around the world, and those belonging to well-known banks and finance companies,” BleepingComputer says. “As observed by BleepingComputer, out of the 50,000 domains, over four dozen belonged to reputable banking, finance, and governmental organizations.”

The hacker’s post was discovered by a threat intelligence analyst known on Twitter as “Bank_Security,” who told BleepingComputer that thousands of companies around the world were on the list.

“This is an old, well known and easily exploited vulnerability,” Bank_Security said. “Attackers already use it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity.”

In cases where patching these devices isn’t possible or can’t be accomplished quickly, multifactor authentication limits what an attacker can do with harvested credentials, but it does not close the file-disclosure flaw itself; only the patch does that. Because the leaked file contains credentials that may already have been read, any device that sat exposed while unpatched should have its VPN users' passwords reset after the update. (And multifactor authentication should be enabled wherever possible, even after the flaw has been patched.) New-school security awareness training can create a culture of security within your organization, enabling your employees to keep up with the latest security threats.
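For teams that cannot patch immediately, the practical question is whether anyone has already pulled files through the flaw. Below is an added example (my code, not Fortinet's, BleepingComputer's or the page's) of a detector that runs over web-server access logs and flags requests that traverse upward out of the portal directory, after undoing the encodings that defeat a naive `../` substring match. The log lines are constructed, and the `/sslvpn/portal` path and `lang` parameter are hypothetical placeholders; the only fact taken from the story is that the flaw is a file read by an unauthenticated client.

```python
"""Detector for path-traversal probes in web server access logs.

Added example, not code from BleepingComputer, Fortinet or KnowBe4. The log
lines are constructed, and the portal path and parameter name are hypothetical;
they illustrate the traversal pattern the story describes, not the exact
request used against FortiOS.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (common log format). 198.51.100.9 is the probe.
SAMPLE_LOG = r"""
203.0.113.5 - - [22/Nov/2020:10:01:07 +0000] "GET /sslvpn/portal?lang=en HTTP/1.1" 200 1523
198.51.100.9 - - [22/Nov/2020:10:02:41 +0000] "GET /sslvpn/portal?lang=/../../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.9 - - [22/Nov/2020:10:02:43 +0000] "GET /sslvpn/portal?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
198.51.100.9 - - [22/Nov/2020:10:02:45 +0000] "GET /sslvpn/portal?lang=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 512
198.51.100.9 - - [22/Nov/2020:10:02:47 +0000] "GET /sslvpn/..\..\..\etc/passwd HTTP/1.1" 200 300
203.0.113.5 - - [22/Nov/2020:10:03:02 +0000] "GET /static/js/app.js?v=2..3 HTTP/1.1" 200 9000
198.51.100.9 - - [22/Nov/2020:10:03:10 +0000] "GET /sslvpn/portal?lang=/..//////..////etc/passwd HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def normalize(value, max_decode=3):
    """Undo the tricks that let a probe slip past a naive '../' substring check:
    repeated percent-encoding, backslashes, and runs of slashes."""
    for _ in range(max_decode):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    return re.sub(r"/{2,}", "/", value)


def traversal_depth(value):
    """Number of '..' path segments after normalization. Only whole segments
    count, so a version string like '2..3' is not a traversal."""
    return sum(1 for seg in normalize(value).split("/") if seg == "..")


def analyze_request(target):
    """Check the path and every query value of a request target.
    Returns (field, raw_value, depth) for each field that traverses upward."""
    url = urlsplit(target)
    fields = [("path", url.path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return [(name, raw, traversal_depth(raw)) for name, raw in fields if traversal_depth(raw)]


def scan_log(text):
    """Run the check over every parsable log line. A 200 on a traversal
    request is the case that matters: the file was actually served."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = analyze_request(m["target"])
        if hits:
            alerts.append({
                "ip": m["ip"],
                "target": m["target"],
                "depth": max(h[2] for h in hits),
                "served": m["status"] == "200",
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        flag = "SERVED" if a["served"] else "blocked"
        print(f"{a['ip']:14} depth={a['depth']} {flag:8} {a['target']}")
```

Two of the constructed probes only become visible after normalization: the double-encoded `%252e%252e%252f` variant and the slash-padded `/..//////..` variant. Treating a served (200) traversal request as an incident, rather than as a blocked scan, is the distinction that should drive the credential reset discussed above.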

Story:
https://www.bleepingcomputer.com/news/security/hacker-posts-exploits-for-over-49-000-vulnerable-fortinet-vpns/
What KnowBe4 Customers Say

"Back on Feb 15, 2019, we started this program with a baseline phishing test that gave us a 21.4% Phish Prone Percentage, which could have cost the county several million dollars in the event it led to a successful breach. I am happy to report that in our last 2-week phishing campaign we scored 0% phish prone as an organization.

Some users have expressed a concern that this program is not needed as we are not attacked. I can tell you that this is false. If we just look at email, we can see this is not true. Since December of 2019 (10 months) we have received 2,596,222 emails. Of these nearly 2.6 million emails, we caught 16,051 viruses, filtered 1,221,786 spam emails and allowed 1,358,385 “valid” emails.

That means that only 55.5% of the email actually makes it through, and anyone with an email account knows that some spam still gets through. Unfortunately, so do some threats. Of the nearly 2,000 emails that have been reported to PhishER, just under 300 were actual phishing threats that contained a dangerous payload and that were received by a user here.

We're not sure how many were not reported. Prior to starting this program, we had several successful Phishing and Spear Phishing attacks here that had a financial impact. Since starting this program, we have had ZERO reported successful Phish and Spear Phish attacks. This is almost exclusively because we have changed our behavior." {edited for brevity}
- K.A., Director of Information Technology
The 10 Interesting News Items This Week
    1. NYT story - The Teenager Who Hacked Twitter and Brought It to Its Knees:
      https://www.nytimes.com/article/the-teenager-who-hacked-twitter.html

    2. Pharma on the hook: cyberattackers phishing for your secret formulas:
      https://blog.lookout.com/pharma-report-3-out-of-4-phishing-attacks-attempt-to-deliver-malware

    3. Hacker behind audacious $1 million airplane scam arrested in the US:
      https://www.teiss.co.uk/hacker-behind-airplane-scam-arrested/

    4. Maze Ransomware Influenced LockBit's New Data Leaks Website:
      https://securityintelligence.com/news/maze-ransomware-influenced-lockbits-new-data-leaks-website/

    5. Why Security Awareness Training Should Be Backed by Security by Design:
      https://www.darkreading.com/threat-intelligence/why-security-awareness-training-should-be-backed-by-security-by-design/d/d-id/1339538?

    6. The vast majority of organizations do not do risk right. Take 2 minutes to listen to Roger Grimes on something every person in computer security should commit to memory and every organization should understand and follow:
      https://www.linkedin.com/feed/update/urn:li:activity:6737367752962514945/

    7. GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services:
      https://krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/

    8. FBI warns of recently registered domains spoofing its sites:
      https://www.bleepingcomputer.com/news/security/fbi-warns-of-recently-registered-domains-spoofing-its-sites/

    9. Another 'Minecraft' lesson for kids: Beware of deceitful adware apps:
      https://www.cyberscoop.com/minecraft-mods-adware-kaspersky/

    10. TrickBot turns 100: Latest malware released with new features:
      https://www.bleepingcomputer.com/news/security/trickbot-turns-100-latest-malware-released-with-new-features/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.