CyberheistNews Vol 11 #01
Security vendor CheckPoint provides some fresh insights into what your organizational cybersecurity priorities are for the next two years, as well as the choke points where cybersecurity is going to be especially challenging.
It’s no secret: cybersecurity has become much harder this year. The pandemic has taken a toll on every organization’s cybersecurity posture, making it more difficult as more of your users work from home and cybercriminals step up their game to take advantage of this “new normal.”
New survey data from CheckPoint highlights where the problems are and what organizations are planning to do about it:
- 58% of organizations feel they are facing an increase in cyberattacks since the pandemic
- 95% say they changed security strategies mid-year
- The two biggest security challenges are remote workers (47% of orgs) and protecting against phishing and social engineering attacks (42%)
- Securing remote working is the top priority for the next two years (cited by 61% of orgs)
- Half of orgs say their new security approach is here to stay, even after the pandemic subsides
If your organization does not want to be another SolarWinds, you need to get serious about how you will maintain the same levels of security you enjoyed until recently, when most of your users were inside your corporate network, now that a material portion of your workforce is WFH.
Making sure that your users are a strong last line of defense is going to be the critical element to determine whether your org is truly secure moving into 2021.
Did you know that the KnowBe4 platform has a built-in Learning Management System (LMS) that you can upload your own training modules into? This way you can run training campaigns on anything your remote users need training on.
Blog post with links to CheckPoint research:
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us THIS WEEK, Thursday, January 7 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users:
- NEW! AI Recommended training suggestions based on your users’ phishing security test results.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
- NEW! The first 2021 Training Modules were recently published in the ModStore.
- Did You Know? You can upload your own SCORM training modules into your account for home workers.
Date/Time: THIS WEEK, Thursday, January 7 @ 2:00 PM (ET)
By Roger Grimes. It’s an extra challenging year, harder than most, to choose the most impactful cybersecurity events. The year ended with a bang – the SolarWinds supply chain attack – which possibly impacted up to 18,000 potential victims, including almost all of the Fortune 500, involved a top-tier computer security vendor and at least a half-dozen top U.S. government agencies, and essentially brought the long-feared, nation-state-sponsored supply chain attack into reality.
The SolarWinds attack was notable for a bunch of other reasons, including that it went undetected by everyone for over half a year and that it is one of the few attacks that may not have started with a phishing attack, although we still don’t know how SolarWinds was first compromised, so who knows?
Phishing attacks are involved in 70% to 90% of all malicious data breaches, and it has been that way for decades.
With that said, I decided to pick out the top attacks of 2020 that involved phishing; some of them aren’t specific attacks but trends.
- Ransomware Gone Nuclear
- COVID-19 Themed Phishes
- Healthcare Targeting
- Twitter Bitcoin Attack
- GoDaddy Employee Hacks
- Trickbot Takedown
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us THIS WEEK, Thursday, January 7 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
- Quick implementation with pre-built requirements templates for the most widely used regulations.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Researchers at Anomali have discovered eighteen scam websites offering pets for sale. Most of the websites purport to be selling dogs, although some offer cats and birds as well. The sites are all operated by the same group of scammers that use similar social engineering tactics to lure people in.
“The websites all share similar and sometimes identical text in their reviews/testimonials pages,” the researchers write. “There are also numerous typos in the testimonials with one post discussing how a German Shepherd had ‘hatched’ and was available, which is a clear copy-and-paste error from the actors’ bird fraud websites.”
While the scammers’ writing skills won’t win any awards, the photos of puppies may be enough to get people to lower their defenses. If a user clicks the “Buy me!” button, they’ll be taken to a contact form where they can get in touch with the scammers.
The researchers explain that the scammers are exploiting the holiday season as well as the increased demand for pets amid the pandemic.
“The COVID-19 pandemic has increased pet purchases as stay-at-home policies and remote work makes people seek companionship from their animal friends, a condition that may amplify the bad actors’ ability to run a more successful scam,” the researchers write.
“Furthermore, these scams focus on purebred dogs, which again are increasingly difficult to find.” Anomali offers the following tips for users to avoid falling for scams:
- “Be extremely cautious if the price is too good to be true.
- “Be extremely cautious if the site does not provide you with the owner’s names, address, and social pages.
- “Pay attention to elaborate testimonials that are too good to be true. They are often copied too, so you may google a part of it to see if it is unique.
- “Pay attention to typos and phrases like ‘Labrador baby had hatched’; scammers are often sloppy in their templates and have bad English.
- “If they give you a phone number, try Googling it. Often the fraudsters use the same phone number for different schemes, and it might already be listed on some scam lists.
- “Be extremely careful if you are advised to pay for your future pet with Bitcoins or gift cards, which is even more suspicious.”
Cybercriminals have added a devious weapon to their attack arsenals: malicious browser notifications. And the worst part is they’re not blocked by any current cyber defense. These innocuous-looking pop-ups can wreak havoc on your network while remaining completely undetected.
They look more realistic than traditional phishing methods and are designed to trick your unsuspecting users. This is just the latest in a list of sneaky browser attacks the bad guys use to infiltrate your network.
Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, to find out what you need to know now about malicious browser attacks and how to stop them.
Attend this session to learn:
- How legitimate websites are targeted to deliver these stealthy phishing attacks
- Why browser notification phishing attacks bypass your cyber defenses
- Other sneaky browser attacks the bad guys use to infiltrate your network
- How to shore up your defenses and protect against them all
- Earn CPE credit for attending!
Let's stay safe out there:
Founder and CEO
PS: I'm honoring the tradition of my same New Year's Wish as a newsletter editor since 1996: "A world without war, crime and insanity, where honest people can flourish, prosper and reach greater heights".
- Wade Boggs, Athlete (born 1959)
"The day science begins to study non-physical phenomena, it will make more progress in one decade than in all the previous centuries of its existence."
- Nikola Tesla, Inventor (1856 - 1943)
"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment."
Thanks for reading CyberheistNews
A new report from Barracuda Networks found that business email compromise (BEC) attacks have nearly doubled over the past year. These attacks made up 12% of all spear phishing attacks in 2020, compared to 7% in 2019. While these might seem like low numbers, it’s worth keeping in mind that BEC attacks are far more devastating and require much more effort than normal phishing attacks.
Attackers can spend months performing reconnaissance and setting up infrastructure before executing the attack, and successful BEC scams often result in multimillion-dollar losses for the victims.
The researchers also found that 87% of spear phishing attacks took place during the week, while employees were at work. The spear phishing attacks that occurred on weekends often took advantage of the fact that employees were distracted and possibly isolated from their work environments.
Below are some more of Barracuda’s findings:
- “72% of COVID-19-related attacks are scamming. In comparison, 36% of overall attacks are scamming. Attackers prefer to use COVID-19 in their less targeted scamming attacks that focus on fake cures and donations.
- “13% of all spear-phishing attacks come from internally compromised accounts, so organizations need to invest in protecting their internal email traffic as much as they do in protecting from external senders.
- “71% of spear-phishing attacks include malicious URLs, but only 30% of BEC attacks included a link. Hackers using BEC want to establish trust with their victim and expect a reply to their email, and the lack of a URL makes it harder to detect the attack.”
“Cybercriminals adapt very quickly when they find a new tactic or current event that they can exploit, as their response to the COVID-19 pandemic proved only too well,” MacLennan said. “Staying aware of the way spear-phishing tactics are evolving will help organizations take the proper precautions to defend against these highly targeted attacks and avoid falling victim to scammers’ latest tricks.”
New-school security awareness training gives your organization an essential layer of defense by teaching your employees to recognize phishing attacks.
Barracuda has the story:
People need to be on the lookout for phishing attacks sent from legitimate but compromised social media accounts, according to Paul Ducklin at Naked Security.
Ducklin describes a scam sent in by a reader who received an unexpected message from one of their Facebook friends. The message said, “Hi [name]. Hope you’re all well. Do you use online banking? I need help paying a bill.” The recipient recognized that it was a scam, but continued the conversation to find out what the scammer would say.
The scammer went on to explain that they had locked themselves out of their banking account until midnight and needed to borrow £290 to pay a bill. The recipient asked for more details, and the scammer said they had taken out a loan from a real banking startup based in the UK.
“The situation here is plausible – anyone who has ever been forced to take out a short-term ‘payday loan’ will know that fees mount up quickly for missed payments – and many of us might decide that helping out a friend or family member is something we ought to do,” Ducklin explains.
Ducklin stresses that people need to be particularly vigilant for phishing attacks that come from their friends’ compromised accounts:
- “Always check your facts before you help friends in trouble. But take care how you get hold of a friend you’re worried about – never reply directly to an online account that could have been hacked. Find another way to contact your friend, based on information that you already have in your possession.
- “Let your friends know if you think they’ve been hacked. But never reply using the account that’s been hacked or else you are just tipping off the scammers. Find a different way to get hold of them, such as a phone call, where you’ll have a way to satisfy yourself you really are talking to them.
- “Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using 2FA means that your password alone is not enough for scammers to log in to your account.
- “Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is at least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.”
Naked Security has the story:
It's fantastic to receive emails like this one:
"I just got off the phone with our contact at the State Supreme Court (who I've been working with to help them get PhishER) and he let me know that just yesterday they experienced a huge and fairly sophisticated phishing attack that roughly 120 people got and almost all of them reported it to him immediately.
He said that there is no doubt in his mind that without KnowBe4, a good chunk of them would have fallen for it, but due to having KnowBe4, it quite literally saved the day.
He wanted me to relay the message to the top how amazing and essential KnowBe4 is so I thought I'd drop you this quick note."
And like this! "Hi Stu, I just wanted to drop you a little note to let you know how happy we are with the Knowbe4 security platform! I cannot say enough about Michael – he has been great to work with. He has been a font of knowledge, always quick to respond to any question and extremely helpful. He has made the process of switching over to Knowbe4 effortless! Thank you."
- K.P., Training Coordinator
- The Washington Post: Microsoft says Russians hacked its network, viewing source code:
- 40% of small UK and US business employees worried they’ll be blamed for data breaches at work:
- See this new 44MB NIST publication? 1800-26 'Detecting and Responding to Ransomware':
- Health to be on UK's cyber-security's front line in 2021:
- Phishers Spoof New York Department of Labor With COVID Scam:
- Yours Truly in SC Mag: "5 reasons why scams survive, thrive, and succeed":
- Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident:
- SolarWinds Orion Security Breach: Cyberattack Timeline and Hacking Incident Details:
- Ransomware Is Headed Down a Dire Path in 2021:
- BleepingComputer's most popular tech stories of 2020. Some are quite surprising:
- Virtual Vaca To Florida Keys. A little long but heaven to millions worldwide in the bitter cold of winter:
- SUPER FAVE! Do You Love Me? BOSTON DYNAMICS robots dance:
- Need some space? Your Virtual Vaca to Italy's majestic mountains by 5K UHD Drone:
- Veso Ovcharov shows paraglider L33T skills - filmed by a fabulous drone pilot in Norway:
- Freestyle Hang Gliding 150km/hr Water Touch:
- Paraglider Hasan Kaval takes to the skies over the Turkish Riviera in a bed - taking a nap and waking up just in time for a perfect landing:
- Why Solid-state Batteries Are The Future:
- That Time A Kamaz Truck Did The Unimaginable:
- GoPro Fusion: Bobsled Run in Full 360 VR:
- Max Stöckl Sets WORLD RECORD Fastest MTB Downhill Speed...167KPH!:
- Top 21 Projects Completing in 2021:
- SC Skydiving 2nd Annual BOOGIE. Just sheer FUN:
- GoPro: FPV Around the World in 4K
- GoPro: Experimental Rockets Going To 30,000 Feet
- Drive around cities while listening to their local radios. This is legit!
- You Won't Believe What This 11-Year-Old Can Do On Skis at Jackson Hole:
- For Da Kids #1: Man coaxes nest of 6 cute baby bunnies out from his garden:
- For Da Kids #2: World's Best Skateboarding Cat! Go Didga Go!:
- For Da Kids #3: Parrots incredibly talk to one another like humans: