CyberheistNews Vol 11 #19 [Heads Up] Phishing Scammers Can Now Remove the ‘External Sender’ Email Warnings




CyberheistNews Vol 11 #19
[Heads Up] Phishing Scammers Can Now Remove the ‘External Sender’ Email Warnings

With little more than some CSS and HTML coding, a security researcher demonstrates how easy it is to eliminate security warnings placed on email messages by security products.

Many organizations love the security feature where external emails are clearly marked, informing users so that anyone attempting to impersonate an internal user would raise suspicion. Hopefully, this will stop a phishing attack in its tracks.

But a clever security researcher, Louis Dion-Marcil, posted the results of his testing where he used some CSS code to simply hide the HTML-based warnings placed by a security software solution.

Noted in the Tweet’s comments was the fact that the HTML can just as easily be modified to indicate the email has been scanned and is legitimate.

This is very worrisome. Anytime users are asked to simply rely on technology to determine whether something is safe or is worthy of suspicion, the user tends to become complacent and blindly assumes that anything received is genuine.

However, impersonation is at an all-time high and tactics are improving each day to trick users into believing the sender is exactly who they claim they are. It’s critical that users be taught using security awareness training to remain vigilant, and not blindly trust security solution results. Remember, the bad guys work to evade detection by those very same products!

Blog post with link:
https://blog.knowbe4.com/phishing-scammers-remove-external-sender-email-warnings-impersonating-internal-users
[New PhishER Feature] Turn the Tables on the Bad Guys With PhishFlip

The bad guys are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on the bad guys. With PhishFlip, you can now immediately ‘flip’ a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature which automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on the bad guys and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, May 19 @ 2:00 PM (ET) for a live 30-minute demo of PhishER including a first look at our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam, or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, May 19 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3110189/C3639F74026BD1E842AE0EF87CD46B6C?partnerref=CHN2
New QuickBooks-Themed Phishing Attack Seeks to Infect Victims With Dridex Malware

Purporting to be invoices and payment reminders, this new campaign targets users of the popular accounting software to install the banking trojan on its victims endpoints.

The bad guys have long known that emails involving the concept that the recipient owes money will get a response. They also know if you use a product or service that many people have already, you’ll equally get a response. Put them together and you have phishing magic.

That’s what security researchers at Bitdefender are seeing with this latest campaign of attacks on users of QuickBooks. Emails informing recipients of sizable amounts of money due is all it takes to get the click from the user:

The goal is to infect the victim endpoint with Dridex – a banking Trojan designed to steal banking credentials and other confidential information that can be used to access bank accounts and make fraudulent transactions. Dridex is commonly delivered via phishing emails that use malicious Microsoft Word and Excel documents as attachments.

The bad news is that the wide spread of smaller companies using QuickBooks makes this phish theming cast a pretty large net. Even if the recipient isn’t in Accounting or Finance, they may still wonder why does QuickBooks think the victim organization owes them a material amount of money.

This attack is pretty brilliant. So, you need to educate your users to avoid this and other scams like it. Remember, with Dridex the end result could be a completely wiped-out bank account, so taking the time to educate users will result in a very fast ROI.

Blog Post with links:
https://blog.knowbe4.com/new-quickbooks-themed-phishing-attack-seeks-to-infect-victims-with-dridex-malware
Setting the Trap: Crafty Ways the Bad Guys Trick Your Users to Own Your Network Featuring Kevin Mitnick

The bad guys are out there, watching and waiting for an opportunity to strike. They have carefully researched your organization in order to set the perfect trap. And the perfect backstory, or pretext, is the key.

The story might start with an urgent phone call from your “IT department” asking you to log into a new platform. Or it may seem like an innocuous email, but ends up harvesting important details about your organization. However it starts, this strategy can lead to the bad guys owning your network before you know it.

In this exclusive webinar Kevin Mitnick, KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will show you how the bad guys craft these cunning attacks. And more importantly, they tell you what you need to know to protect your organization.

In this webinar you’ll:
  • Discover how anyone can be fooled by the right backstory (maybe even Kevin!)
  • Learn why your users’ “illusion of invulnerability” may be your biggest weakness
  • See how the bad guys can use the information gained to compromise your entire network
  • Find out how to use this knowledge to strengthen your human firewall
Kevin will also share new hacking demonstrations that will blow your mind! This is one webinar you can't afford to miss and you can earn CPE credit just for attending. Save your spot now!

Date/Time: Wednesday, May 26 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3183018/7503C1E3A7E6EE9D73D90FFF88E7C592?partnerref=CHN
[EYE OPENER] FBI Finds Phishing Sites Abusing Search Results and Ads to Steal Banking Credentials

The US Federal Bureau of Investigation has sent out a private industry notification (PIN) warning that cybercriminals are using search engine ads and search results to spread phishing sites that impersonate banking websites. The FBI says this campaign has been running since March of 2021, although the Record notes that this technique has been in use since at least last year.

A researcher from FireEye told the Record that multiple threat actors are using search engine ads to share their phishing sites. The threat actors in this case used both search engine ads and natural search engine results to promote their malicious sites. The phishing sites in this campaign ask users to enter their credentials, phone numbers, and security question answers.

Here Is the Wrinkle

“In both versions of the scheme, the spoofed portal prompted customers to enter account credentials and telephone numbers, and to answer security questions,” the PIN states. “These actions failed to grant access, at which point the account holder would receive a telephone call from the cyber actor who falsely claimed to represent the financial institution!

While this individual occupied the customer in a lengthy process purported to "restore account access", an associate would access the financial institution’s legitimate portal using the customer’s stolen credentials and initiate wire transfers from the account. Victims subsequently learned about the illicit transfers from the financial institution or when they eventually logged into the correct portal.”

The FBI added that this campaign has been very successful at turning a profit. “The schemes resulted in illicit ACH transfers amounting to hundreds of thousands of dollars in financial losses,” the Bureau said.

Criminals will always find new ways to get their phishing sites in front of users. New-school security awareness training with simulated phishing attacks helps your employees make smarter security decisions and avoid falling for phishing and other social engineering attacks.

The Record has the story:
https://therecord.media/fbi-warns-of-cybercriminals-abusing-search-ads-to-promote-phishing-sites/
Do Users Put Your Organization at Risk With Browser-Saved Passwords?

Cybercriminals are always looking for easy ways to hack into your network and steal your users’ credentials.

Verizon’s 2020 Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, Password Dumpers takes the top malware spot making it easy for the bad guys to find and “dump” any passwords your users save in web browsers.

Find out now if browser-saved passwords are putting your organization at risk.

KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused, and old passwords your users save in Chrome, Firefox, and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:
  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts
Get your results in a few minutes! They might make you feel like the first drop on a roller coaster!

Find Out Now:
https://info.knowbe4.com/browser-password-inspector-chn
New Verizon DBIR: Credentials Stolen in 85% of Social Engineering Breaches

Verizon’s latest data breach report puts a spotlight on one of the largest and most unpredictable risk factors in your cybersecurity strategy – your users.

This year’s Verizon Data Breach Investigations Report (DBIR) is out and it chock full of great data around what kinds of threat actions are involved in data breaches, who’s being attacked, and what are the impacts.

One of the recurring themes in this year’s report is the role the user plays in attacks. As seen in the title, the human element is significant in data breaches – whether the user is malicious, negligent, or accidental, humans are almost always the cause of a cyberattack. And this appears to be equally true in the case of data breaches.

According to the report:
  • Phishing is the number one threat action, involved in 36% of breaches
  • Approximately one-third of data breaches involve social engineering
  • Public Administration, Utilities, and Education had the highest number of breaches involving people (with a direct correlation to the use of social engineering)
And these attacks appear to have very real ramifications:
  • In 85% of social engineering breaches, stolen credentials are the result
  • More than 60% of attacks involving social engineering involve malware infection
  • Ransomware is the third highest threat appearing in breaches
The good news is the report isn’t all doom and gloom; interestingly, the new DBIR reported on the effectiveness of phishing testing on user click rates. According to the report, the median click rate in phishing simulations is only 3%!

Think about how important this is when combined with security awareness training and a layered security strategy: solutions at each layer hopefully block a material percentage of attacks (think email scanning, endpoint protection, etc.) with a very small percentage actually reaching the user’s Inbox.

Then with security awareness training and phishing testing, users only click on 3% of the already small percentage of all attacks, reducing your threat surface even more.

Note though that 3 billion phishing attacks are sent every day, so even a small percentage making it through is still tens of millions being active phishing threats.

Data breaches are now a part of over 70% of all ransomware attacks as well, so they aren’t going anywhere anytime soon. Put a layered defense in place that includes patching your code, filtering email, protecting the endpoint, and training your users and you will see a significant reduction in your risk of successful data breach.

Blog post with links:
https://blog.knowbe4.com/new-verizon-dbir-credentials-stolen-in-85-of-social-engineering-breaches

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Don't Mess With Uncle Sam's Gas! DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized:
https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/

PPS: Job Opening - Cyber Security Has Finally Reached the Queen of England:
https://www.dailymail.co.uk/news/article-9575463/The-Queen-hiring-60-000-year-cyber-security-expert.html



Quotes of the Week
"One’s mind, once stretched by a new idea, never regains its original dimensions."
- Oliver Wendell Holmes - Physician, Poet, and Polymath (1809 - 1894)



"The key to success is going to bed a little smarter each day."
- Warren Buffett - Investor (born 1930)


Thanks for reading CyberheistNew

Security News
[ALERT] Time to Truly Reckon With the Dark Reality of Ransomware’s Critical Costs

By Perry Carpenter. By now, I’m sure you’ve already been inundated with all the news about the US’s largest gasoline pipeline being shut down and restarted because of a ransomware attack. As reported by the New York Times, “One of the nation’s largest pipelines, which carries refined gasoline and jet fuel from Texas up the East Coast to New York, was forced to shut down after being hit by ransomware in a vivid demonstration of the vulnerability of energy infrastructure to cyberattacks.”

This is one of the very scenarios that cybersecurity experts have warned about for years: that a cyberattack would impact a significant piece of critical infrastructure. This is our new reality… and it’s time for a reckoning.

A few details

I think that the reality of this attack really hit me this morning when I noticed the stock widget on my phone; the two top stories had to do with the economic impact of the pipeline attack. Then, about 30 minutes after seeing these headlines, a coworker mentioned that she was looking at airline flights last week. Then she went to book her flight today and the price was three times as high.

Earlier today, the FBI attributed the attack to the DarkSide cybercriminal gang. As reported by CBS, “DarkSide is among ransomware gangs that have "professionalized" a criminal industry that has cost Western nations tens of billions of dollars in losses in the past three years.

DarkSide claims it doesn't attack hospitals and nursing homes, educational or government targets and that it donates a portion of its take to charity.”

Cybersecurity vendor Varonis also notes that,

“[t]he Darkside ransomware group announced their RaaS (Ransomware-as-a-Service) in August of 2020 via a ‘press release.’ Since then, they have become known for their professional operations and large ransoms. They provide web chat support to victims, build intricate data leak storage systems with redundancy, and perform financial analysis of victims prior to attacking.

The group’s name, Darkside, evokes the image of a good guy (or gal) that has turned from the light. While we can’t conclude that the group is comprised of former IT security professionals, their attacks reveal a deep knowledge of their victims’ infrastructure, security technologies, and weaknesses.

They have publicly stated that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that can afford to pay large ransoms.”

The Time for Reckoning Has Come

There are a few things here that we can’t afford to ignore or be ignorant of. Ransomware is on the rise… again. And ransomware gangs are getting more creative – and destructive – than ever before.

Phishing is often the initial infection vector for ransomware. That means that you can’t afford to ignore your human layer security. Ransomware can cripple a business, damage an economy, or potentially threaten life. Even paying the ransom doesn’t mean everything will be OK. You still have to deal with downtime, loss of revenue, negative press, and more. And you probably won’t even get your data back.

As Sophos’, “The State of Ransomware in 2021” points out, only about 8% of ransomware victims get their data back. That is a sobering and devastating reality check.

Blog post with lots of links:
https://blog.knowbe4.com/alert-time-to-truly-reckon-with-the-dark-reality-of-ransomwares-critical-costs
A New Smishing Trojan Is Out and About

Researchers at Pradeo have observed a new Android malware campaign that uses text messages asking victims to pay a small fee for a delivery. The messages contain a link that will install a phony, malicious version of Google Chrome.

The victims are also asked to enter their payment details, which are sent to the attackers. “Our team has come across an advanced mobile attack campaign that uses a phishing technique to steal victims’ credit card details and infects them with a malware that impersonates the Android Google Chrome app,” the researchers write.

"The malware uses victims’ devices as a vector to send thousands of phishing SMS. Pradeo’s researchers qualified it as a Smishing trojan. By combining an efficient phishing technique, a malware to propagate actively, and methods to bypass security solutions, this campaign is particularly dangerous. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks."

The malware spreads via smishing messages sent from infected phones, which racks up victims’ phone bills. “Independently, once installed, the fake Chrome app sends more than 2000 SMS per week from its victims’ devices, every day during 2 or 3 hours, to random phone numbers that seem to follow one another,” Pradeo says.

“This mechanism ensures a successful propagation of the attack campaign. To stay undetected, the malware hides on mobile devices by using the official Chrome app’s icon and name, but its package, signature and version have nothing in common with the official app. For victims, banking fraud and massive phone bills may ensue.”

The researchers stress that users should constantly be on the lookout for unsolicited messages asking for sensitive information. “Mobile users should never provide credit card details when it is requested by an unknown sender,” Pradeo concludes.

“If uncertain of the source of the request, they should consult their package delivery with the tracking number provided by the carrier, on the official app or the website. Besides, they should exclusively download apps from official stores (Google Play on Android and the Apple store on iOS) and always update them from there.”

It’s a self-propagating scam with a few revenue streams, starting with the chickenfeed charged to release the package-that-isn’t and progressing through various forms of fraud.

Pradeo has the story:
https://blog.pradeo.com/fake-chrome-mobile-app-smishing-trojan
What KnowBe4 Customers Say

"I know I was hesitant about assigning Inside Man initially, but the number of people who have commented about how much they're enjoying this training is crazy. I have people who literally come to my office when the next sequence of episodes is assigned to tell me that they're excited to see what happens next. Thank you! We definitely have far more people doing the training than ever before!"
- G.C., Director of IT



"Stu, when I saw you as a member of the Forbes Tech Council, I thought I would reach out. I have been using KnowBe4 products since 2012/2013. As a security professional I felt that this was the missing link to all the security system – the impact of the human element. The system has had a positive impact on our security stance, and I have seen great strides in more effective systems and functions.

We are currently adding the PhishER product to our installation and think that will also increase our ability to respond more effectively to threats. Again, I just wanted to reach out and give you some direct feedback and let you know of my experience with your company and products."
- P.T., CISSP, HCISPP, Chief Information Officer
The 10 Interesting News Items This Week
    1. Biden Signs Cybersecurity Order to Boost U.S. Defenses Against Hacks:
      https://www.wsj.com/articles/president-biden-signs-cybersecurity-executive-order-to-boost-federal-defenses-against-hacks-11620859243

    2. Hackers Claim To Leak 250GB Of Washington, D.C., Police Data After Cops Don’t Pay $4 Million Ransom:
      https://www.forbes.com/sites/thomasbrewster/2021/05/13/ransomware-hackers-claim-to-leak-250gb-of-washington-dc-police-data-after-cops-dont-pay-4-million-ransom/

    3. Tech Audit of Colonial Pipeline Found ‘Glaring’ Problems (No Awareness Training):
      https://www.securityweek.com/tech-audit-colonial-pipeline-found-%E2%80%98glaring%E2%80%99-problems

    4. Hackers accessed SolarWinds' Office 365 since early 2019:
      https://www.crn.com.au/news/hackers-accessed-solarwinds-office-365-since-early-2019-564317

    5. Fintech Startup Offers $500 for Payroll Passwords:
      https://krebsonsecurity.com/2021/05/fintech-startup-offers-500-for-payroll-passwords/

    6. Removal of Fraudulent URLs Jumped 15-Fold in 2020, NCSC Says:
      https://hotforsecurity.bitdefender.com/blog/removal-of-fraudulent-urls-jumped-15-fold-in-2020-ncsc-says-25802.html

    7. Computers will soon be hacking people:
      https://reason.com/volokh/2021/05/10/computers-will-soon-be-hacking-people/

    8. KnowBe4 Selected as an Excellence Award Winner for the SC Awards 2021:
      https://www.wfmz.com/news/pr_newswire/pr_newswire_technology/knowbe4-selected-as-an-excellence-award-winner-for-the-sc-awards-2021/article_f0a09ad7-f265-59bd-b544-7dc902b82ec0.html

    9. Wave of Avaddon ransomware attacks triggers ACSC, FBI warning:
      https://therecord.media/wave-of-avaddon-ransomware-attacks-triggers-acsc-fbi-warning/

    10. Two-Thirds of CISOs Admit They're Not Ready to Face a Cyberattack:
      https://www.ectnews.com/story/87127.html

    11. BONUS: Are The Notorious Cyber Criminals Evil Corp Actually Russian Spies?:
      https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews