CyberheistNews Vol 11 #04
After 10 years of continued expansion in the security awareness space and providing our platform to tens of thousands of customers, we have observed a certain progression of organizational security awareness over time.
The speed of this progression differs by org size, geolocation, and industry, but we see the same pattern return over and over. In certain cases some steps are omitted. In other cases a few steps are taken at the same time. Ultimately, however, most orgs arrive at the same ideal scenario. Let's step through these 10 phases so you can determine where your own organization is in this process.
- 1) Increased Technical Awareness for InfoSec and IT Pros
- 2) Awareness Content Delivery for End-Users
- 3) Platform Automation Enables Compliance Requirements
- 4) Continuous Testing
- 5) Security Stack Integrations
- 6) Security Orchestration
- 7) Advanced User Behavior Management
- 8) Adaptive Learner Experience
- 9) Active User Participation in Security Posture
- 10) Human Endpoint as Strong Last Line of Defense
Blog Post With Slide for Your Presentations:
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, February 3 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users:
- NEW! AI Recommended training suggestions based on your users’ phishing security test results.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- NEW! 2021 Training Modules now available in the ModStore.
- Did You Know? You can upload your own SCORM training modules into your account for home workers.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: Wednesday, February 3 @ 2:00 PM (ET)
Save My Spot!
This breakdown of the latest attack from the Charming Kitten cybercriminal gang shows just how much thought goes into obfuscating their tactics and evading detection.
I’ve covered stories in the past where phishing attacks utilized well-known domains to keep from being detected, such as SharePoint Online, where the initial target site is credible enough to keep some security solutions from seeing the link as being malicious.
In the case of a recent attack by the cybercriminal group Charming Kitten (also known as APT35), the attackers use some pretty sophisticated tactics to avoid detection:
- The initial link sent in a text or email is a google(.)com link that points to a script.google(.)com address with some specific parameters, including an identifier so the bad guys know it’s one of their redirects.
- The script.google(.)com script matches the included identifier and redirects the visitor to a predefined unique URL for that specific victim.
- The third URL used is a redirection short URL. The really brilliant part is that initially, when used in conjunction with email-based phishing, the redirect points to a legitimate and benign webpage so that email scanners that traverse redirections see it as legitimate. Once the email hits the inbox, the redirect is changed to the malicious address.
- Once the victim hits the final malicious address, a spoofed logon page is presented to attempt to steal the victim’s Google credentials.
- The user-specific malicious redirect is then reconfigured back to a legitimate domain to hide Charming Kitten's tracks.
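To make the defender's problem concrete, here is an added example (not KnowBe4's code or anything from the Charming Kitten write-up) that models the chain above as a hop table and applies three checks a mail scanner could run: an Apps Script hop carrying a recipient identifier, an unusually long chain, and a landing page that differs between scan time and a later re-resolution. All hostnames other than the two Google ones are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed redirect chain, modelled on the one described above, as a mail
# scanner would record it at delivery time.  Hosts after the two Google ones
# are placeholders, not real indicators.
START = "https://www.google.com/url?q=EXAMPLE-REDIRECT"
SCRIPT_HOP = "https://script.google.com/macros/s/EXAMPLE-SCRIPT-ID/exec?id=recipient-42"
SHORT_HOP = "https://short.example/abc123"

SCAN_TIME_HOPS = {
    START: SCRIPT_HOP,                      # google.com link into Apps Script
    SCRIPT_HOP: SHORT_HOP,                  # script matches the id, hands off
    SHORT_HOP: "https://www.example.com/",  # benign while the scanner looks
}
# The same chain re-resolved after the message reached the inbox: only the
# short URL's target has been swapped.
LATER_HOPS = dict(SCAN_TIME_HOPS)
LATER_HOPS[SHORT_HOP] = "https://accounts-example.invalid/signin"


def follow(start, hops, max_hops=10):
    """Return the URLs visited from `start` until no redirect remains
    or the hop limit is reached (guards against redirect loops)."""
    chain = [start]
    while chain[-1] in hops and len(chain) <= max_hops:
        chain.append(hops[chain[-1]])
    return chain


def analyze(start, scan_hops, later_hops):
    """Apply three checks to a chain and return the list of findings."""
    scan_chain = follow(start, scan_hops)
    later_chain = follow(start, later_hops)
    findings = []
    # (1) An Apps Script hop that carries a per-recipient identifier.
    for url in scan_chain:
        p = urlparse(url)
        if p.hostname == "script.google.com" and "id" in parse_qs(p.query):
            findings.append("script.google.com hop carries a recipient id")
            break
    # (2) Three or more redirects before any page is reached.
    if len(scan_chain) - 1 >= 3:
        findings.append(f"{len(scan_chain) - 1} redirects before landing")
    # (3) The destination seen at scan time is not the one users get later.
    if scan_chain[-1] != later_chain[-1]:
        findings.append("landing page changed after delivery: "
                        f"{scan_chain[-1]} -> {later_chain[-1]}")
    return findings


if __name__ == "__main__":
    for line in analyze(START, SCAN_TIME_HOPS, LATER_HOPS):
        print(line)
```

Check (3) is the one that matters most here: a scanner that resolves links only once, at delivery, never sees the swap, so re-resolving suspicious chains later (or at click time) is what closes the gap.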
Blog post with links:
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us Wednesday, February 3 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we’ve added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
- Quick implementation with pre-built requirements templates for the most widely used regulations.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Save My Spot!
KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. These are broken down into three different categories: social media related subjects, general subjects, and 'in the wild' attacks.
Hackers Continue to Prey on a Remote Workforce
Phishing email attacks leveraging COVID-19 were on every quarterly report in 2020, but there were not as many at the top of the list in Q4 as in previous quarters. However, we still see a lot of subjects related to working remotely as well as security-related notifications.
It’s no surprise that phishing attacks related to working from home are increasing given that many countries around the world have seen their employees working from home offices for nearly a year now.
Just because employees may be more used to their home office environment doesn’t mean that they can let their guard down. The bad guys deploy manipulative attacks intended to strike certain emotions to cause end users to skip critical thinking and go straight for that damaging click.
Don't Dismiss Social Media as a Phishing Concern
We have seen a pattern of fake LinkedIn messages topping this list for the past three years. There is likely a perception that these emails are legitimate because they appear to be coming from a professional network. It's a significant problem because many LinkedIn users have their accounts tied to their corporate email addresses. Top-clicked subjects in this category reveal password resets, tagging of photos and new messages.
Share the Infographic with Top Messages in Each Category With Your Users:
Cybercriminals are always looking for easy ways to hack into your network and steal your users’ credentials.
Verizon’s 2020 Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, Password Dumpers take the top malware spot, making it easy for the bad guys to find and “dump” any passwords your users save in web browsers.
Find out now if browser-saved passwords are putting your organization at risk.
KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused, and old passwords your users save in Chrome, Firefox, and Edge web browsers.
BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.
With Browser Password Inspector you can:
- Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
- Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
- Better manage and strengthen your organization's password hygiene policies and security awareness training efforts
Find Out Now:
Let's stay safe out there.
Founder and CEO
PS: KnowBe4 Unveils Official Trailer for ‘The Inside Man’ Season 3:
PPS: Every year, Glassdoor recognizes the top 100 employers dedicated to cultivating a best-in-class company culture. This year’s winners all have one thing in common: their employees say they feel supported and empowered to do their best work, even amid unprecedented challenges. Check #16:
- Theodore T. Munger, Author (1830 - 1910)
"Yesterday's the past, tomorrow's the future, but today is a gift.
That's why it's called the present."
- Bil Keane, Cartoonist (1922 - 2011)
Thanks for reading CyberheistNews
More than half of organizations surveyed had a remote device compromised by malware last year, according to Wandera’s Cloud Security Report for 2021.
Wandera’s researchers found that “52% of organizations experienced a malware incident on a remote device in 2020, up from 37% in 2019.” Meanwhile, 37% of these compromised devices maintained access to corporate emails, while 11% had access to the organization’s cloud storage.
Many of these incidents occurred because users either fell for a social engineering attack or exercised poor security habits, such as downloading suspicious apps.
“Phishing remains the number one threat impacting users on portable devices,” the researchers say. “Phishing attacks typically focus on topics, brands or themes that have a high chance of luring victims. For example, each year around tax season, there is an uptick in phishing attacks posing as the IRS, the HMRC (UK), and the ATO (Australia).
Likewise, during the first half of this year we identified an uptick in traffic going to COVID-19-related phishing sites, and even the emergence of a fake Clorox e-commerce site.”
Interestingly, the researchers found that phishing attempts were slightly more common on the weekends. “While looking for other phishing trends that emerged in 2020, we noticed phishing attacks are reaching users the most on Saturdays,” the report states. “At their peak during the weekend, phishing attacks are 6% more frequent than during the weekday peak.
This reinforces the idea that while employees are not in ‘work mode,’ they are more susceptible to phishing attacks on corporate devices due to being in a relaxed state of mind.”
Wandera also found that 80% of employees accessed public Wi-Fi for work-related activities, and 3% of mobile devices used for work had their lockscreens disabled. It only takes one employee to fall for a phishing email for an attacker to gain a foothold within your organization’s network. New-school security awareness training can teach your employees to recognize social engineering attacks and follow security best practices. (And follow them especially on the weekends.)
Wandera has the story:
The US FBI has issued a Private Industry Notification warning companies to be on the lookout for voice phishing attacks, also known as “vishing.” The Bureau says criminals have used these tactics to successfully infiltrate large companies in the US and around the world.
“The cyber criminals vished these employees through the use of VoIP platforms,” the alert says. “Vishing attacks are voice phishing, which occurs during a phone call to users of VoIP platforms. During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password.
After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage.”
The Bureau offers the following advice for organizations:
- “Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
- “When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
- “Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
- “Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
- “Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.”
The FBI has the story:
Researchers at ESET outline some security best practices to avoid falling for phishing emails. In an article for TechZone360, the researchers explain how to identify suspicious links.
“Before clicking on an embedded link in the body of an email, inspect it first!” ESET says. “Hackers often conceal malicious links within emails, and mix them with genuine links to trick you. If the hyperlinked text isn’t identical to the URL that pops up when you hover over the link, that’s a sign of a malicious link.
It might take you to a site you don’t want to visit, or even install a virus on your computer. To prevent this from happening, don’t trust any unmatching URLs or links that seem irrelevant to the content in the rest of the email.”
Additionally, attackers can easily create deceptive email addresses, in some cases after compromising a legitimate server. “Cybercriminals often create new email addresses for phishing scams,” ESET says. “Hover over the sender’s email address and make sure it matches other emails you’ve received from that person or company and doesn’t contain any additional numbers or letters.
For example, johnsmith@telstra[.]com is more legitimate than johnsmith24@telstra[.]com or johnsmith@telstra24[.]com. While some companies do use varied domains or third-party providers to send emails, that’s the exception — not the rule. So, be wary of any emails with unusual addresses.”
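The two ESET checks above (hover over a link and compare, and look for digits slipped into a familiar sender address) can be automated on a mail gateway. This is an added example, not ESET's or KnowBe4's code; the HTML body and the sender addresses are constructed, and telstra.com is reused from ESET's own illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body: one link whose text and target agree,
# one whose visible text names a domain but whose href goes elsewhere, and
# a plain "Click here" link that cannot be judged from its text alone.
SAMPLE_HTML = """
<p>Your bill is ready at <a href="https://www.telstra.com/bill">telstra.com</a>.</p>
<p>Or view it at <a href="http://telstra-billing.invalid/x">www.telstra.com/bill</a>.</p>
<p><a href="http://telstra-billing.invalid/y">Click here</a> to pay now.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registered_host(s):
    """Hostname of a URL or bare domain, lowercased, without a leading 'www.'."""
    host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def mismatched_links(html):
    """ESET's hover check: flag links whose visible text names a domain
    that differs from the host the href actually points at."""
    p = LinkCollector()
    p.feed(html)
    flagged = []
    for text, href in p.links:
        m = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
        if m and registered_host(m.group(1)) != registered_host(href):
            flagged.append((text, href))
    return flagged

def lookalike_sender(addr, known_good):
    """True when `addr` equals a known sender only after removing inserted
    digits, e.g. johnsmith24@telstra.com or johnsmith@telstra24.com."""
    strip = lambda s: re.sub(r"\d", "", s.lower())
    return addr.lower() != known_good.lower() and strip(addr) == strip(known_good)
```

Links like "Click here" are not flagged by the text comparison, which is exactly why ESET also tells readers to hover and read the real target before clicking.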
Finally, while some phishing emails will have perfect spelling and grammar, typos and awkward writing are major red flags.
“Poorly written or grammatically incorrect emails are a dead giveaway of a scam,” ESET writes. “If you spot typos or mistakes in the subject line, don’t open the email because it could be a phishing scam. And if you read an email and it’s riddled with mistakes or odd turns of phrase, that points to a potential scam. Emails from legitimate companies are often crafted by professional writers and edited for spelling and syntax.
Interestingly, many cybersecurity professionals believe that hackers write ‘bad’ emails on purpose to hook the most gullible targets.”
Phishing emails can target anyone, and attackers only need to fool one employee to gain a foothold within your network. New-school security awareness training with simulated phishing tests can help your employees recognize these attacks.
TechZone has the story:
"I’ve leveraged your product at a prior organization, as well as for the last year in my new role here. I’ve been a large proponent of the team's capabilities and the services your organization provides. Recently, I’ve been completely impressed with your PhishER platform and PhishRIP capabilities. They are quite honestly the simplest and most streamlined security tools I’ve used over my career.
All that to be said, while I’ve been a supporter of your brand and the value you provide to the organizations I’ve been with for the last several years – it is 100% the people that you’ve hired for support and customer engagement that has kept your organization as top tier when it comes to security awareness.
Over the last year, I’ve had the privilege of working with GregN as we implemented KnowBe4 into an organization with limited to no security awareness previously.
Greg has done an excellent job of coming alongside me and working with me to tailor the right security awareness approach to the organization. He hasn’t just sent me instructions regarding how to implement any of the features / solutions, but has joined with me on the support calls to actively build out a sustainable and automated security awareness approach to the organization with me. All the best in your continued success! [edited for brevity]
- C.J., IT Manager, Security and Operations
"Mr. Sjouwerman, I want to commend KristinA for the excellent work she does. In my dealings with her, she has been extremely efficient and dependable. In addition, she is willing to go the extra mile. One example (and I could give you more): I am in Oregon and she is in Florida. I contacted her after 6:00pm Eastern time, and she got back to me that night. Kristin is a real credit to your company."
- N.D., Systems Administrator
"Hi Stu, just wanted to pass along that it was great to work with LoganG on our recent renewal of our KnowBe4 subscription. She was very responsive and effectively addressed my concerns about the renewal so we could move forward w/ executing that order."
- A.J., Sr. Director, Information Technology
- Organizations Should Establish ‘Blame-Free Employee Reporting’ of Suspicious Activity, CISA Says:
- FireEye releases tool for auditing networks for techniques used by SolarWinds hackers:
- Malwarebytes said it was hacked by the same group who breached SolarWinds:
- Q4 2020 KnowBe4 Finds Work From Home-Related Phishing Email Attacks on the Rise:
- Microsoft shares how SolarWinds hackers evaded detection:
- Online scams: How to give scammers a taste of their own medicine:
- Hacking Back Unpacked: An Eye For An Eye? Not So Fast:
- SEPA cyber-attack 'likely to be work of global organized crime groups':
- Charming Kitten’s Christmas Gift:
- Nowhere To Hide: Controllers have “Constructive Awareness” Of Processor Data Breaches:
- SUPER FAVE! 360 VR Kitzbuhel Downhill Ski Run at Full Speed. Whoa Nellie!:
- Your virtual Vaca to the amazing Iguazu Falls where Argentina, Paraguay and Brazil meet:
- GoPro: Breaking Records in a 800hp Porsche Turbo Cup in 4K 5:22:
- Penn & Teller: Fool Us. The New Rematch Eric Chien:
- Invisi-Ball Magic by Teller. Absolutely amazing performance by a true master magician:
- Penn & Teller FOOLED by Awesome Skateboard Trick!:
- Hang Glider Touches Down on Sail Plane:
- How NIO Plans To Beat Tesla In China:
- Amazing Aerobatic Glider Tricks w/ Luca Bertossio:
- Hong Kong wheelchair climber Lai Chi-wai attempts to scale 320-meter skyscraper:
- Ferrari F1 Pit Stop Perfection:
- 1980’s Cyber Security — “Floppy Lock” Picked:
- For Da Kids #1 Baby Monkey Riding On A Pig's Back:
- For Da Kids #2 Cute animated short Piper: