CyberheistNews Vol 11 #17
Everything from applications, social apps and OS vulnerabilities to mobile device management itself acted as an initial attack vector, troubling nearly every organization globally.
Let’s just all say it together: mobile has become a big problem. Trying to put the same levels of security controls onto a device the organization doesn’t necessarily own, that has less customization than Windows OS, and runs completely remotely 24x7 is one tall order for IT organizations today.
But mobile is a profitable attack vector for the bad guys, making it important for organizations to pay attention and figure out how to mitigate the risk of attacks. And are there ever risks in mobile!
According to Check Point’s Mobile Security Report 2021, mobile is everyone’s problem: vulnerabilities in the Facebook, Instagram and WhatsApp apps, infiltration of Google’s apps via the Google Play Core Library, and OS vulnerabilities in both Android and iOS.
It’s evident that there are plenty of reasons why the bad guys see mobile as a fantastic attack surface.
From the report:
- 97% of organizations faced mobile threats in 2020
- 46% had at least one employee download a malicious mobile application that threatened networks and data
- 75% of one company’s mobile devices were compromised via corporate-owned MDM
- Keep the mobile device OS and mobile applications updated
- Keep MDM solutions patched regularly
- Educate users with security awareness training to minimize the user’s interaction with malicious email and websites as a potential threat surface
- Mobile may very well be the new hot attack vector. Get ahead of it now while it’s new and not mainstream!
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, May 5 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
- NEW! AI Recommended training suggestions based on your users’ phishing security test results.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
- Did You Know? You can upload your own SCORM training modules into your account for home workers.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: TOMORROW, Wednesday, May 5 @ 2:00 PM (ET)
Save My Spot!
Security researchers uncover a marketing campaign that takes a page from the cybercriminal phishing handbook to “trick” pensioners into having an introductory call with their fund expert.
You would think that an established business would send out solicitation emails using its own business name, domain, etc. and be up front about who it is, whether or not the recipient has done business with it before.
In this interesting use case of phishing tactics, PERA LLC, based in Nevada, right off the bat takes on a familiar acronym if your retirement is being managed by one of the various Public Employees Retirement Association entities; it even feels like a brand impersonation attack on the long-standing pension fund, Colorado PERA.
Targeting the employees of U.S. municipalities, PERA LLC impersonated the municipality itself (e.g., placing the municipality name in the email subject), making the opportunity to speak with someone about their retirement feel like it’s company sanctioned.
PERA LLC also used over 20 different PERA-related domain names to obfuscate who was really sending the email. We’ve all seen items in the U.S. Mail attempting to appear “official” to obtain your business. But this is the first time I’ve heard about a company doing this using not just one, but many phishing tactics.
And while the end result here isn’t an infected environment or stolen data, it’s important to teach users via security awareness training how to spot suspicious emails (even ones like this) and realize they’re not legitimate.
Blog post with example screen shot here:
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us TOMORROW, Wednesday, May 5 @ 1:00 PM (ET), for a 30-minute live product demo of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
- Quick implementation with pre-built requirements templates for the most widely used regulations.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Save My Spot!
By Roger Grimes. I am not sure what is going on these days, but for several weeks, I have received far more SMS-based phishing (i.e., smishing) attacks than usual.
Normally, I used to get one or two a month, but lately I have been getting at least one or two a day with no let up. My friends tell me the same.
Here are some examples:
I am not sure if this is a temporary trend or a new normal. I posted this information and question on LinkedIn and was surprised to see some notable industry figures discount my recounting of the attempts and their seriousness.
I am not sure of all the motivations for discounting smishing attacks, but at least some of it seemed to be discounting them because they were more personal in nature, not as frequently occurring and did not directly target corporate organizations. Or perhaps it is because the typical smishing attempt is not as sophisticated as the typical email phish? So why worry?
But here is what I want you to know – Every organization and person needs to take smishing attempts very seriously.
For one, they are abundant, and they work, sophisticated or not. A lot of people lose money. Here is an example from less than two weeks ago: two Indonesian men were arrested for successfully grifting over $60M using SMS-based phishing scams. It impacted over 30,000 U.S. citizens out of the over 200M citizens targeted. Two guys…200M malicious text messages…$60M in stolen money. And you know we only catch the stupid ones.
Phishing attacks have come a long way from the spray-and-pray emails of just a few decades ago. Now they’re more targeted, more cunning and more dangerous. And this enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more.
The bad guys’ varied approach to phishing attacks requires a multi-layered response. Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, as he shares a comprehensive strategy for phishing mitigation and explains how securing your users can become your best, last line of defense.
In this webinar you’ll learn:
- How to develop a comprehensive defense-in-depth plan for phishing mitigation
- Ideas for security policies you can implement now
- Technical controls all organizations should consider
- Gotchas to watch out for with cybersecurity insurance
- Why it’s critical to develop your organization’s human firewall
Date/Time: Wednesday, May 12 @ 2:00 PM (ET)
Save My Spot!
Let's stay safe out there.
Founder and CEO
PS: NEW. Become a Certified Security Awareness and Culture Professional (SACP)™
The H Layer Credentialing's Security Awareness and Culture Professional (SACP) certification program registration is now open! You can apply for your certification. Don't wait! Apply today and become one of the first professionals to earn the SACP Certification.
Learn more at SACP Exam Information:
- Elon Musk, Entrepreneur (born 1971)
"Nothing great in the world has ever been accomplished without passion."
- Georg Wilhelm Friedrich Hegel, Philosopher (1770 - 1831)
Thanks for reading CyberheistNews
At least 10,000 UK citizens have been targeted by nation-state actors via fake LinkedIn accounts over the past five years, the BBC reports. Ken McCallum, Director-General of MI5, said these fake profiles are being used on “an industrial scale” to launch social engineering attacks.
“MI5 did not specifically name LinkedIn, but BBC News has learned the Microsoft-owned service is indeed the platform involved,” BBC says. “The 10,000-plus figure includes staff in virtually every government department as well as key industries, who might be offered speaking or business and travel opportunities that could lead to attempts to recruit them to provide confidential information.”
LinkedIn is particularly useful for these types of campaigns because many users regularly connect with people they don’t know.
The UK’s Chief Security Officer Dominic Fortescue stated, “Since the start of the pandemic, many of us have been working remotely and having to spend more time at home on our personal devices. As a result, staff have become more vulnerable to malicious approaches from hostile security services and criminal organisations on social media.”
The UK’s Centre for the Protection of National Infrastructure (CPNI) has launched an initiative dubbed “Think Before You Link” to raise awareness of social engineering on LinkedIn. LinkedIn itself said it welcomed the government’s campaign.
“We welcome the online safety efforts of the Centre for the Protection of National Infrastructure and its work to expand their Think Before You Link campaign in the United Kingdom,” LinkedIn said. “Teams at LinkedIn work to keep LinkedIn a safe place where real people can connect with professionals they know and trust. We actively seek out signs of state sponsored activity on the platform and quickly take action against bad actors in order to protect our members.”
The BBC has the story:
Scammers are impersonating philanthropist Mackenzie Scott, the billionaire ex-wife of Jeff Bezos, the New York Times reports. Scott prefers to give money directly and contacts charities and other organizations unexpectedly, which has the unintended side effect of making it easier for scammers to pose as her.
“Over the course of 2020, Ms. Scott announced gifts totaling nearly $6 billion,” the Times explains. “Her unconventional model of giving was widely praised for its speed and directness. But some of the seeming advantages — no large, established foundation, headquarters, public website, or indeed any way to reach her or her representatives — are exactly what made her ripe for impersonation by scammers.”
The Times cites the example of Danielle Churchill, an Australian woman who was trying to raise money for therapy fees for her son, who has autism. Churchill received an email that appeared to come from Mackenzie Scott offering $250,000.
“To receive the money, Ms. Churchill had to fill out a ‘membership form’ sent by an organization calling itself the MacKenzie Scott Foundation and set up an online account with Investors Bank and Trust Company,” the Times writes.
“She could see that the foundation had transferred $250,000 into the account in her name, but because she was in Australia, she was told that she had to apply for a tax number and pay some associated fees before she could get access to the money and begin spending it on speech and occupational therapy for Lachlan.”
Churchill assumed it was a scam at first, until she Googled it and found news articles detailing Scott’s unorthodox method of giving. She was convinced after contacting a phony Facebook page called “The Mackenzie Scott Foundation.” Churchill lost $7,900 as a result of the scam.
New-school security awareness training can give your employees a healthy sense of skepticism to help them recognize scams and other social engineering attacks.
The New York Times has the story:
The Darkside ransomware operators are now offering to tip off unscrupulous stock traders before they post the names of publicly traded victim companies, the Record reports. The criminals believe this will put more pressure on the victims to pay up.
Recorded Future’s Dmitry Smilyanets told the Record that this is the first time a ransomware crew has explicitly made this part of their strategy.
“While other ransomware families previously discussed how to leverage the effect of a publicly disclosed cyber-attack on the stock market, they have never made it their official attack vector,” Smilyanets said. “DarkSide becomes the first ransomware variant to make it formal.”
Allan Liska, also from Recorded Future, said that criminals are adapting to victims being less willing to pay ransom. A similar phenomenon occurred over the past two years when ransomware operators began stealing data and threatening to release it if the ransom wasn’t paid.
“We have anecdotal evidence that fewer people are paying ransom, which means ransomware actors have to find new ways to extort money from victims,” Liska said. “We saw that with threats of DDoS attacks last year but those didn’t really seem to work so they are looking for other ways.”
Liska is skeptical that this new technique will be effective, tweeting that “most companies don’t take a noticeable hit in their stock price after a ransomware attack - at least not long term.”
The Record also notes that “any large short bets are most likely to be picked up and investigated by the Securities and Exchange Commission or other regulatory bodies, and not many traders are likely to take up Darkside’s offer for such minimal gains and maximum regulatory risks.”
Cybercriminals are constantly changing their techniques to increase the success of their attacks. New-school security awareness training can give your employees an essential last layer of defense against ransomware attacks by teaching your employees how to recognize social engineering attacks.
The Record has the story:
I'm pleased to share the new Forrester Total Economic Impact™ (TEI) Study of KnowBe4. The study was commissioned by KnowBe4 to Forrester Consulting to examine the potential Return on Investment (ROI) organizations might realize by deploying the KnowBe4 Security Awareness & Simulated Phishing and PhishER platforms.
Forrester analysts interviewed a global KnowBe4 enterprise customer with 10,000 users to determine the financial and cultural results of deploying the KnowBe4 Security Awareness, Phish Alert Button, and PhishER platforms.
Here are a few highlights from the study:
- Forrester determined the TEI of KnowBe4 offers a three-year 276% ROI and payback in less than 3 months
- The study organization’s Phish-Prone™ percentage went from 19.2 percent before KnowBe4 training to 2.8 percent
- By implementing PhishER, the study organization’s IT team saved an estimated 500 hours per month by not having to manually review and address every reported phishing email
"Hi Stu, I just want to drop a quick note to let you know I am super happy and excited to work with Knowbe4 again. I previously emailed you (last year) about how much I appreciate CraigH for amazing customer support (I was at a different company).
In February, I requested to work directly with EileenH and CraigH again at my current company to demo Knowbe4 for my team members who do not use Knowbe4. We finally signed the MSA today and I want to share my appreciation for EileenH.
Eileen is amazing, patient and super kudos to her utmost professionalism as I worked through my internal procurement process. I have specifically requested to work with CraigH as well so I plan to share more kudos for him as we onboard Knowbe4. Thank you for having these amazing folks on your team!
- T.A., Senior Compliance Manager
- Ransomware victims paid $18 billion ransom in 2020:
- Hackers Are Winning the Cyber War, Largely Because They Target People:
- Ransomware gang threatens to expose police informants if ransom is not paid:
- 74% of Financial Institutions See Spike in COVID-Related Threats:
- Have You Been Smished? Mass Smishing Operation Targeting Mobile Users with Fake Amazon and USPS Update Messages:
- Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle:
- Watch out! Android Flubot Smishing spyware is spreading fast:
- FBI: Russian hackers are still trying to break into networks, here's how to protect yours from attack:
- Scammers imitate Windows logo with HTML tables to slip through email gateways:
- ‘The next great financial crisis could come from a cyber-attack’: DFS releases report on SolarWinds Attack:
- Incredible Drone Show In Shanghai. Check out the --scannable-- QR Code in the sky:
- Your Virtual Vaca to Oslo, Norway this week!:
- Top 10 Incredible Bucket List Destinations:
- Red Bull Helicopter Flies Upside Down Over New York City:
- Wing walker jumps off a perfectly fine airplane. Looks like so much fun!:
- He Broke The World Jumping Record - Best Of The Week:
- Perseverance Rover's Mastcam-Z Captures Ingenuity's Third Flight:
- Danny MacAskill: REAL MTB 2021 | World of X Games:
- Interesting Map of Celtic and Germanic Tribes:
- Most INSANE Jumps of 2017 Part 2:
- Joe Nesbitt - Flying the Crack - Wingsuit BASE Jump in Switzerland:
- Gorgeous Riva del Garda Wingsuit flight:
- For Da Kids #1 - Turtle Chases Lions From His Waterhole:
- For Da Kids #2 - The benevolent attention of animal mothers for their young is amazing:
- For Da Kids #3 - Best Friends. An adorable compilation of animals showing that friendship is always possible, no matter what: