CyberheistNews Vol 11 #15
Phishing attacks using PDF files have spiked over the past year, according to researchers at Palo Alto Networks’ Unit 42.
“From 2019-20, we noticed a dramatic 1,160% increase in malicious PDF files – from 411,800 malicious files to 5,224,056,” the researchers write. “PDF files are an enticing phishing vector as they are cross-platform and allow attackers to engage with users, making their schemes more believable as opposed to a text-based email with just a plain link.”
The most common form of PDF phishing lures used an image of a fake CAPTCHA to trick victims into clicking the “Continue” button, which led to a malicious site. Another variant used an image that purported to be a coupon, and told victims to click the image in order to get 50% off on a product.
A third type of PDF phishing attack used images that appeared to be paused videos, but led to a phishing site when users clicked on them.
“These phishing files do not necessarily carry a specific message, as they are mostly static images with a picture of a play button ingrained in them,” Unit 42 says. “Although we observed several categories of images, a significant portion of them either used nudity or followed specific monetary themes such as Bitcoin, stock charts and the like to lure users into clicking the play button.”
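The lures described above work because a static image (a fake CAPTCHA, a coupon, a paused video) sits on top of a link annotation that often covers the whole page, so any click navigates. The following added example, which is not code from Unit 42 or from this newsletter, shows the static triage a defender can run on a reported PDF attachment before anyone opens it: list every link target, flag links whose click rectangle covers the page, and note active-content keys. The sample PDF bytes are constructed inline; the scan assumes the objects are stored uncompressed, so a file that packs its annotations into compressed object streams would need inflating first.

```python
"""Static triage of a PDF attachment: list link targets, flag whole-page
click areas and note active content.

Added example, not code from Unit 42 or the newsletter. Assumes the PDF's
objects are stored uncompressed so a byte scan can see the annotations.
"""
import re

# Constructed sample: one page whose entire surface is a link (the structure
# behind an image-only "CAPTCHA" or "play button" lure), a small ordinary
# link, and an OpenAction that runs JavaScript when the file is opened.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R
   /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (http://lure.example/continue) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 200 100]
   /A << /S /URI /URI (https://vendor.example/terms) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
NUM = rb"([-\d.]+)"
RECT_RE = re.compile(rb"/Rect\s*\[\s*" + rb"\s+".join([NUM] * 4) + rb"\s*\]")
MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[\s*" + rb"\s+".join([NUM] * 4) + rb"\s*\]")
# PDF literal string in parentheses; backslash escapes are allowed inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Keys that execute or launch something rather than merely navigate.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")


def _unescape(s: bytes) -> str:
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def _area(box) -> float:
    x0, y0, x1, y1 = box
    return abs(x1 - x0) * abs(y1 - y0)


def triage_pdf(data: bytes) -> dict:
    """Return every link annotation with its target and click rectangle, plus
    the active-content keys seen anywhere in the file."""
    m = MEDIABOX_RE.search(data)
    page = tuple(float(v) for v in m.groups()) if m else (0.0, 0.0, 612.0, 792.0)
    links = []
    for obj in OBJ_RE.finditer(data):
        body = obj.group(1)
        if b"/Subtype" not in body or b"/Link" not in body:
            continue
        uri = URI_RE.search(body)
        rect = RECT_RE.search(body)
        box = tuple(float(v) for v in rect.groups()) if rect else None
        links.append({
            "uri": _unescape(uri.group(1)) if uri else None,
            "rect": box,
            # A link covering (nearly) the whole page means any click on the
            # decoy image navigates: the lure pattern described above.
            "covers_page": box is not None and _area(box) >= 0.9 * _area(page),
        })
    active = [k.decode() for k in ACTIVE_KEYS if k in data]
    return {"links": links, "active_content": active}


if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    for link in report["links"]:
        print("WHOLE-PAGE" if link["covers_page"] else "          ", link["uri"])
    print("active content:", report["active_content"])
```

A whole-page link pointing at a domain unrelated to the sender, or any active-content key in a document that is supposed to be a plain invoice or coupon, is enough to route the attachment to analysis rather than to the user.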
The researchers conclude that users need to pause and think when they receive a suspicious file.
“Data from recent years demonstrates that the amount of phishing attacks continues to increase and social engineering is the main vector for attackers to take advantage of users,” the researchers write. “Prior research has shown that large-scale phishing can have a click-through rate of up to 8%.
Thus, it is important to verify and double check the files you receive unexpectedly, even if they are from an entity that you know and trust. For example, why was your account locked out of nowhere, or why did someone share a file with you when you least expected it?”
New-school security awareness training can give your employees a healthy sense of skepticism so they can avoid falling for these attacks.
Blog post with links:
Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase in this email traffic can present a new problem!
PhishRIP as part of the PhishER platform is a new email quarantine feature that integrates with Microsoft 365 and G Suite to help you remove, inoculate, and protect your organization against email threats so you can shut down active phishing attacks fast.
Since user-reported messages require some level of analysis to prioritize, you need a simple and effective way to not only respond to and mitigate these reported messages, but also find and remove those suspicious messages still sitting in your users’ mailboxes.
Now you can with PhishER, which is the key ingredient of an essential security workstream. PhishER allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!
See how you can best manage your user-reported messages.
Join us TOMORROW, Wednesday, April 14 @ 2:00 PM (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
- NEW! Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
- NEW! Use Security Roles to Create a Multi-Tiered Incident Response System in PhishER
- Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
- Automate message prioritization by rules you set into one of three categories: Clean, Spam, or Threat
- Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Date/Time: TOMORROW, Wednesday, April 14 @ 2:00 PM (ET)
Save My Spot!
The 360 Security blog just came up with an eye opener. Recently, 360 Security Center’s threat monitoring platform detected a new email phishing attack. This attack uses a secret-stealing Trojan called Poulight. The Poulight Trojan has been in use since last year and is fully featured and powerful. This attack shows that it has begun to spread.
Attack process analysis
The attacker first drops a phishing file that uses the RLO (Right-to-Left Override) trick. Because of the RLO character, a file actually named “ReadMe_txt.lnk.lnk” is displayed as “ReadMe_knl.txt” on the user’s computer.
At the same time, if the attacker sets the icon of the .lnk file to the Notepad icon, the user can easily mistake it for a harmless .txt file.
The user thus believes they are opening a .txt file but actually executes the code prepared by the attacker. The system runs the PowerShell command stored in the shortcut’s attacker-controlled “target” field, which downloads the malicious program, sets its hidden attribute, and runs it. Analysis showed that the downloaded malicious program was compiled with DotNet and that its internal name is Poullight[dot]exe.
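The defensive counterpart to the RLO trick above is a check on reported attachment names: strip the invisible Unicode bidirectional controls, read the extension the operating system will actually use, and compare it with what the user sees. The following added example is not code from 360 Security Center or from this newsletter; the sample names are constructed after the pattern in the report, and the rendering model is the simplified one that holds for an ASCII name with a single RLO character.

```python
"""Spot filenames that use Unicode bidirectional controls to disguise their
real extension, as in the RLO trick described above.

Added example, not code from 360 Security Center or the newsletter. Sample
names are constructed; the rendering model is simplified (one RLO in an
otherwise left-to-right ASCII name).
"""
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
# Extensions Windows executes directly; a .lnk can carry a PowerShell command
# in its target field, which is what the dropper above relies on.
EXECUTABLE_EXTENSIONS = {"lnk", "exe", "scr", "com", "bat", "cmd", "ps1",
                         "vbs", "js", "hta", "pif"}


def bidi_controls_in(name: str) -> list:
    """Position and short name of every bidi control character in the name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def true_extension(name: str) -> str:
    """Extension the OS actually uses: after the last dot, once the invisible
    control characters are removed."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""


def rendered_name(name: str) -> str:
    """Approximate what a file listing shows: text after an RLO is drawn
    right-to-left, so an ASCII tail appears reversed."""
    head, rlo, tail = name.partition("\u202e")
    return head + (tail[::-1] if rlo else "")


def assess(name: str) -> dict:
    """Summarise what the user sees versus what would run."""
    controls = bidi_controls_in(name)
    shown = rendered_name(name)
    real = true_extension(name)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return {
        "shown_as": shown,
        "real_extension": real,
        "bidi_controls": controls,
        # Disguised only when a control character changes the visible extension.
        "disguised": bool(controls) and shown_ext != real,
        "executable": real in EXECUTABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed names after the pattern in the report.
    for sample in ("ReadMe_\u202etxt.lnk", "report.txt", "photo\u200f.jpg"):
        r = assess(sample)
        print(f"{r['shown_as']!r:24} real={r['real_extension']:4} "
              f"disguised={r['disguised']} executable={r['executable']}")
```

The interesting verdict is the combination: a name with bidi controls whose visible extension differs from the real one, and whose real extension is executable. A stray right-to-left mark in a legitimately Arabic or Hebrew filename trips the first test but not the second, which keeps the false-positive rate manageable on a mail gateway.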
Blog post with links and full attack plus code analysis:
Email is still a top attack vector the bad guys use. A whopping 88% of data breaches are caused by human error, but email hacking is much more than phishing and launching malware.
In this on-demand webinar Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years of experience, explores 10 ways hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code to run. Plus, he shares a hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick.
Roger will teach you:
- How silent malware launches, remote password hash capture, and how rogue rules work
- Why rogue documents, establishing fake relationships and getting you to compromise your ethics are so effective
- Details behind clickjacking and web beacons
- Actionable steps on how to defend against them all
You Can Watch This Right Now!
Over the last few years I have been working on something near and dear to my heart: a true professional security awareness credential for IT pros. I'm thrilled to see that this idea has now come to fruition. This was very much needed and it's finally here.
The short history is that I called the usual IT credentialing orgs and asked them to do this. Unfortunately for various reasons they were not able to get this on their roadmaps. So I decided to help an existing high-end pro credentialing org to create one from scratch and sponsor the development.
They actually created a new brand and logo for this called H Layer Credentialing (H for human). This company is behind many of the very high-end credentials you may already have. A fantastic team from KnowBe4 has been working hard behind the scenes with H Layer for the last 6 months to get this project off the ground. Thank you so much, you know who you are, awesome job.
NOTE, this is not a KnowBe4 product, we do not sell it, we do not make money off this, I just funded the development because I felt it was sorely needed. Here is a bit of the official announcement:
"This is a very exciting development for the Cyber Security industry as a whole and particularly those of us that believe that security awareness training is a critical step in a complete security strategy.
H Layer Credentialing is soon offering a professional certification that recognizes the importance of and expertise required in managing a security awareness culture program. I believe their investment in this certification program is a real indication of the maturing and growing need for Security Awareness Training.
The certification will be available late Spring of 2021. They will be accepting registrations soon, but for now you can sign up to learn more here":
With email still a top attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables to name a few...
Email filters have an average 7-10% failure rate, with enterprise email security systems missing spam, phishing and malware attachments.
KnowBe4’s Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.
Here's how it works:
- 100% non-malicious packages sent
- Select from 40 automated email message types to test against
- Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
- Validate that your current filtering rules work as expected
- Results in an hour or less!
Let's stay safe out there.
Founder and CEO
PS: New SACP® Credential! H Layer Announces Security Awareness and Culture Professional Certification:
Microsoft releases a cyberattack simulator - Shall we play a game?:
- Kurt Cobain - Musician (1967 - 1994)
"Educating the mind without educating the heart is no education at all."
Thanks for reading CyberheistNews
Researchers at Avanan have observed a phishing campaign that’s impersonating the WeTransfer file-sharing app in an attempt to steal users’ credentials. The email’s subject line states, “You received some important files via WeTransfer!” The body of the email informs recipients that they’ve received three files through the service, with a link to “Get your files.” The text of the email was worded awkwardly, however, which could tip some users off.
Full blog post here:
Users in the UK should be on the lookout for census-themed phishing attacks, according to Paul Ducklin at Naked Security. Participating in the census is mandatory in the UK, and people who didn’t complete the census by the March 21st deadline will begin receiving warning letters informing them that they could be fined £1000 if they fail to send in their form.
Cybercriminals are taking advantage of this by sending text messages telling recipients that their census application is missing information. This ensures that even people who have completed the census will want to click the link.
The link leads to a convincingly spoofed phishing site designed to steal their personal information. Ducklin offers the following recommendations to help people spot phishing scams:
- “Check the domain name on websites carefully. UK government sites should end gov[.]uk. It’s hard for crooks to get control of one of those – they can’t just be bought online like .com domains can. Also, watch out for domain names where the left hand end looks legitimate, but the right-hand end says that it belongs to someone else, as in a name like census[.]gov[.]uk[.]example[.]com. The person who owns example[.]com also owns and can use all domain names that end with that name, not just plain example[.]com itself.
- “Don’t use links in text messages or emails. The Census 2021 website is well-known and easy to find through reliable sources, including printed on the Census snail-mail you ought to have received. If you find your own way to a website where there is supposedly an “issue”, you won’t get suckered by fake links – whether that’s a “problem” with your bank, a “missed” home delivery or an online “order” you never actually placed.
- “Be extra cautious of links in text messages (SMSes). Text messages are short, simple and often written in abbreviated English, so the crooks are much less likely to make spelling and grammatical errors that might otherwise tip you off.”
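Ducklin's first point, that only the right-hand end of a host name says who owns it, is easy to get wrong in code as well as by eye: a naive substring check for "gov.uk" passes census[.]gov[.]uk[.]example[.]com. The following added example, which is not code from Naked Security or from this newsletter, shows a label-boundary check and a registered-domain lookup; the suffix table is a constructed stand-in for the Public Suffix List (publicsuffix.org), which a real deployment should load instead. It also accepts defanged indicators like the ones quoted in this newsletter.

```python
"""Which registered domain does a URL's host really belong to? The
right-hand-end rule from the advice above.

Added example, not from Naked Security or the newsletter. PUBLIC_SUFFIXES is
a constructed subset standing in for the real Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed subset; the real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "gov.uk", "org.uk"}


def refang(text: str) -> str:
    """Undo common defanging ("hxxp", "[.]") so indicators quoted in reports
    can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def hostname(url: str) -> str:
    """Lower-cased host of a URL, ignoring userinfo, port and path. A bare
    host without a scheme is accepted too."""
    u = refang(url.strip())
    if "://" not in u:
        u = "http://" + u
    host = urlsplit(u).hostname or ""
    return host.rstrip(".").lower()


def registered_domain(host: str) -> str:
    """Longest matching public suffix plus one label: the part somebody
    actually registered, and therefore controls."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host


def belongs_to(url: str, expected_suffix: str) -> bool:
    """True only if the host ends in the expected zone at a label boundary,
    so census.gov.uk.example.com does not pass for gov.uk and neither does
    fakegov.uk."""
    host = hostname(url)
    suffix = expected_suffix.lower().lstrip(".")
    return host == suffix or host.endswith("." + suffix)


if __name__ == "__main__":
    # Constructed examples, including the lookalike shape from the advice above.
    for u in ("https://census.gov.uk/complete",
              "hxxps://census[.]gov[.]uk[.]example[.]com/complete",
              "http://census.gov.uk@evil.example/",
              "http://fakegov.uk/"):
        h = hostname(u)
        print(f"{h:32} owner={registered_domain(h):18} gov.uk={belongs_to(u, 'gov.uk')}")
```

Note that `urlsplit(...).hostname` already discards a `user@` prefix, so a URL that puts `census.gov.uk` before an `@` is attributed to the host after it. That is the same mistake in a different position and the same rule catches it.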
Naked Security has the story:
People need to be wary of travel-related phishing as the pandemic draws to a close, according to Fleming Shi, Chief Technology Officer at Barracuda Networks. On the CyberWire’s Hacking Humans podcast, Shi explained that phishing campaigns take advantage of current trends.
Currently, many phishing attacks are themed around the demand for vaccines. As pandemic-related restrictions begin to lift, there will presumably be a major demand for travel as people are finally able to take vacations, and attackers will jump on this opportunity.
“The next phase for the targets will be people who are getting back out there, really kind of enjoy the world, right?” Shi said. “I mean, if you think about traveling through the holidays, I was pretty surprised how many people actually got on the plane and, you know, really tried to see their family, right?
I think cabin fever – people are getting really stuck for a long time, and so there will be a rise in bookings for hotels, mainly because people are getting ready to plan for their vacation. They really need it.”
Shi said there are some security best practices that people can follow to avoid falling for these attacks. "There's a few things you should be considering,” he said. “First of all, this is for the travel preparation stage, right? Once you get on the road, that's another set of things you need to worry about.
But before you get on the road, I would say be very cognizant about clicking on links that offer really great deals that may not look real. Secondly, when you get to the site, if you don't have a password manager, I'll recommend a really strong password.
So, password managers provide system-generated passwords, which is much harder to guess, very random. You will still have the convenience of actually getting into the site. But if the reservation site has, like, multifactor or two-factor authentication, you want to utilize those features because passwords still can be stolen, even system-generated.”
New-school security awareness training can enable your employees to be on the lookout for phishing attacks.
The CyberWire has the story:
"Thanks for reaching out! I have been pleasantly surprised at how easy the set up was, and how smoothly it has gone. We are very happy that we decided to use KnowBe4 for our security training and testing. Thank you!"
- C.A., Chief Financial Officer
"Hi Stu, Thank you for your message. I first checked with our customer success manager AlansonS to verify if you really send this kind of mail. He confirmed, so now I can reply safely. You never know...
For now we are really happy with your platform, we use it for phishing simulations and we did our first big training campaign last month. Really looking forward to the next one and using the smart groups!
We did have some issues getting everything up and running but Alanson and the support team have been of great help and now we have everything the way we want it. Thank you for following up!"
- K.A., Cyber Security Officer
We are excited to announce that the KnowBe4 Industry Benchmarking feature has been expanded to now include industry benchmark comparison data for Security Awareness Proficiency Assessment (SAPA) scores. SAPA is grounded in the latest assessment science research and seeks to assess your users’ susceptibility to cyber attacks, and more specifically, their susceptibility in relation to your organization’s specific cyber security needs.
The SAPA Benchmarks lets you compare your organization’s security awareness proficiency assessment scores with other companies in your industry. When you administer the assessment to your users, get a firsthand look at how your organization stacks up across the seven security knowledge areas from your baseline assessment as well as monitor your organization’s improvement over time.
Using the Industry Benchmarking feature, you can continue to compare your organization’s Phish-Prone™ percentage with other companies in your industry as well. You’ll have real-time stats that help you keep a pulse on how your security awareness program and users stack up against other companies in your industry. Use these benchmarks to help demonstrate your organization’s continuous progress and success towards strengthening your last line of defense. Great intel to share with your management team!
Within the KnowBe4 console, you can see your organization’s Phish-prone percentages and SAPA scores compared to the averages in your particular industry or against the aggregate of all industries on the Dashboard of the KnowBe4 console. For current customers, look for the new SAPA benchmark tile on your Dashboard. The new SAPA comparison data is available to customers across all training subscription levels.
See where you stack up! With regular phishing security tests, awareness training, and knowledge proficiency assessments, you’ll see how your Human Firewall improves over time helping to reduce risk and improve your IT security defense.
Full blog post here:
- New SACP® Credential! H Layer Announces Security Awareness and Culture Professional Certification:
- Top cybercrime gangs use targeted fake job offers to deploy stealthy backdoor:
- KnowBe4 Research Launches 2021 Security Culture Report:
- Contact books of Australian diplomats hacked in major ‘phishing’ scam:
- Protecting employees from job offer scams can lead to awkward but important conversations:
- 17 Tech Pros Share Their Favorite Industry-Focused Podcasts. I'm one of 'em:
- Tech support scammers lure victims with fake antivirus billing emails:
- Maze/Egregor ransomware cartel estimated to have made 75 million dollars:
- When a Legitimate Pension Fund Uses Fraudulent Phishing Tactics:
- Hackers Are Exploiting Discord and Slack Links to Serve Up Malware:
- This week's Super Fave Virtual Vaca in Switzerland 8K HDR 60p (Jungfrau):
- Jandro Third Time Fooler with the BIGGEST TRICK ever in Penn & Teller Fool Us History:
- Cliff Slip and Slide of 50 Feet. FUN!:
- Marvel Studios’ Black Widow New Trailer:
- The Unstoppable Growth of China's High-Speed Rail Network:
- Eat At This Restaurant While Fish Swim Around Your Feet...:
- The Rise of Brooklyn's First Supertall Skyscraper:
- Turning Port City Into A Snowmobile Thrill Ride with Levi LaVallee:
- The Hummer EV will use a revolutionary new battery system. Interesting technology!:
- For Da Kids #1 - This Is Why Dogs Are Simply The Most Amazing Creatures:
- For Da Kids #2 - Awesome mother bear struggles with her adorable cubs:
- For Da Kids #3 - Unbelievable performance by Tico the Amazon parrot singing perfectly in tune to Frank Maglio's guitar: