CyberheistNews Vol 11 #24 [Scam of the Week] If Your Users Are Amazon Shoppers, Heed This Prime Day Phishing Alert

CyberheistNews Vol 11 #24
[Scam of the Week] If Your Users Are Amazon Shoppers, Heed This Prime Day Phishing Alert

Amazon Prime Day is here today and tomorrow with special promotions. This also means cybercriminals are ready to strike leveraging 'special deals' that are scams. Warn your users.

Last year during Amazon Prime Day, Checkpoint noted that 20% of domains registered containing the words "Amazon" and "Prime" were malicious. However this year, almost half of the domains were seen as malicious with new related domains being 32% malicious sites.

With phishing techniques constantly getting more innovative, there are newer and easier ways for victims who are shopping for the latest deals to fall for these types of attacks. On our blog is just one example that researchers at Checkpoint found. It looks like it was sent from "Customer Service".

Warn your users to look out for these warning signs regarding Prime Day deals, here is something you can cut&paste:
"Amazon Prime Day is today and tomorrow. However, cyber criminals are also sending special deals that are scams. If you get any Prime Day offers in email, your phone or social media remember these three things:
  • Look out for any misspellings on any emails, ads, and domain names
  • If you're asked to provide additional details (e.g. your birthday or social security number) it is most likely a scam
  • Make sure to have a strong password created before Amazon Prime Day, and use a Credit Card instead of a Debit Card
Cyber criminals have created hundreds of fake domains with the words "Amazon" and "Prime" so especially watch out for scams during these two days!
It's important to ensure your users are always prepared for any type of attack, especially during "specials" like Amazon Prime Day. Frequent phishing tests and new-school security awareness training are important to ensure your users stay on their toes with security top of mind.

If you're a KnowBe4 customer, we strongly suggest you send a Prime Day-themed phishing test to your users today or tomorrow. We have an example template available in the Current Events section on the phishing template category.

Blog post with screenshot:
[New PhishER Feature] Turn the Tables on the Bad Guys With PhishFlip

The bad guys are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on the bad guys. With PhishFlip, you can now immediately ‘flip’ a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature which automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on the bad guys and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us THIS WEEK, Wednesday, June 23 @ 2:00 PM (ET) for a live 30-minute demo of the PhishER product including our new PhishFlip feature. With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: THIS WEEK, Wednesday, June 23 @ 2:00 PM (ET)

Save My Spot!
[Heads Up] New BEC Phishing Attack Steals Office 365 Credentials and Bypasses MFA

Leveraging Microsoft Exchange’s Basic Authentication support, scammers were able to use harvested online credentials and bypass any MFA in place, giving them access to mailboxes.

A new attack identified by Microsoft begins with a simple phishing campaign touting a file the recipient must read pointing to a malicious link that takes victims to a lookalike Office 365 logon page.

Once the victim offers up their credentials a “file not found” message is displayed. Now the fun starts.

The bad guys take the stolen credentials and attempt to log into the victims Office 365 account. Should they encounter Microsoft’s Multi-Factor Authentication, they check in with the Microsoft user agent “BAV2ROPC” which allows Exchange’s Basic Authentication (normally used in POP3/IMAP4 conditions) and results in an OAuth flow that bypasses MFA (since MFA isn’t supported for, say, an IMAP4 request).

Microsoft was set to disable Basic Authentication back in October of 2020, but the pandemic put that on hold, pushing it to sometime this year.

Once into the victim’s mailbox, the bad guys use a series of forwarding rules for messages containing words like invoice, payment, or statement to a bad actor-controlled email account.

Once the scammers get a hold of emails regarding payments, it’s back to basic impersonation and social engineering tactics to convince the person or company making the payment to change banking details at the last minute.

Impersonating someone – particularly when the bad actors have access to that person’s mailbox – is tough to defend against. So, it’s critical to stop these kind of attacks well before you get to that stage. The place to stop this is at the initial phishing attack – take a look at how obvious that attachment is; users need to be able to spot that a mile away.

By enrolling them in security awareness training, they will learn both the basics of good awareness, as well as the most recent scams, themes, and campaigns in use so they won’t be caught off guard when the next phishing attack occurs.

Blog post with screenshots and links:
5 Things To Do After Your Organization Becomes the Victim of a Phishing Attack

Organizations like yours are repeatedly attacked with phishing campaigns - no one is safe from them. But what needs to happen when one of your end users clicks a link or opens an attachment in a social engineering phishing email? You need to know how to quickly and effectively react to the attack and measure the overall risk.

In this on-demand webinar James McQuiggan, KnowBe4’s Technical Evangelist, shows you how your organization can quickly and effectively react to a phishing attack, mitigate the impact, and reduce your organizational risk in the future.

You’ll learn the 5 things to do when your organization becomes the victim of a phishing attack:
  1. Incident Response criteria for single or mass phishing infections
  2. Keys measures for your recovery process
  3. Tools that can help with your recovery process
  4. How threat intelligence can help you prevent future attacks
  5. The importance of training your users to report phishing red flags and avoid future incidents
Learn how to prepare and respond so that your organization doesn't become another statistic!

Watch the Webinar Now!
[OUCH] Electronic Arts Got Social Engineered Via Slack Channel and Lost 780 GB Valued Millions

Hackers gained access to the networks of video game giant Electronic Arts (EA) via social engineering over Slack, Motherboard reports. The hackers claim to have stolen 780 GB of data, including the source code for the company’s Frostbite game engine.

EA disclosed the breach last week, stating, “We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen. No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”

The hackers explained to Motherboard that they’d first gained access to an EA Slack channel using a stolen cookie.

“A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA,” Motherboard says. “Cookies can save the login details of particular users, and potentially let hackers log into services as that person.”

Next, the attackers used the Slack account to message the company’s IT support employees, explaining that they’d lost their phone at a party the night before and needed help getting back into the company’s network. The IT employees sent them a multifactor authentication token that allowed them to log in.

“Once inside EA's network, the hackers found a service for EA developers for compiling games,” Motherboard says. “They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded game source code.

The representative for the hackers provided screenshots to help corroborate the various steps of the hack, including the Slack chats themselves. EA then confirmed to Motherboard the contours of the description of the breach given by the hackers.” New-school security awareness training can help your employees thwart targeted social engineering attacks.

Motherboard has the story:
Give Your Employees a Safe Way to Report Phishing Attacks With One Click!

Do your users know what to do when they receive a suspicious email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

KnowBe4’s complimentary Phish Alert add-in button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! And now, supports Outlook Mobile!

Phish Alert Benefits:
  • Reinforces your organization’s security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
I want my Free Phish Alert!
[OPINION] Biden Tells Putin Critical Infrastructure Sectors ‘Off Limits’ to Russian Hacking

Russian toleration and possibly active encouragement of cyber crime gangs was expected to be a major topic at last Wednesday's Russo-American summit, and indeed it was. Russian President Putin started things off claiming Russia does nothing that America doesn't also do.

President Joe Biden said that he and President Vladimir Putin have agreed to establish that critical infrastructure “should be off limits” from cyber activity, and Biden provided Putin with a list of some 16 sectors.

The New York Times observes that summits are now about cyber the way they were once about nuclear weapons. The summit concluded after three hours of face-to-face talks. Reuters calls them "professional" as opposed to "friendly," with some expressions of a willingness to pursue matters of arms control and cybersecurity going forward.

The two presidents did not hold a joint press conference, but in the post-summit media meeting, Mr. Biden described the discussion: "I looked at him and said: 'How would you feel if ransomware took on the pipelines from your oil fields?' He said: 'It would matter.' I pointed out to him that we have significant cyber capability. And he knows it." The New York Times reports that Russian media are calling President Biden “a man we can do business with,” and that it’s gratifying to see him recognizing Russia as a great power.

Ok, I got all that. But how about the rest of us? Is everything non-critical now a second-class citizen and an open target for ransomware attacks?

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I was interviewed by NASDAQ last week:

PPS: NEW CERTIFICATION: Security Awareness and Culture Professional (SACP)™:

AND LAST, A NEW REVIEW: Best Cybersecurity Awareness Training for Employees in 2021:

Quotes of the Week
"Once we believe in ourselves, we can risk curiosity, wonder, spontaneous delight, or any experience that reveals the human spirit."
- e. e. Cummings (1894 - 1962)

"Learning never exhausts the mind."
- Leonardo da Vinci (1452 - 1519)

Thanks for reading CyberheistNews

Security News
[Eye Opener] Bad Security Habits Have Gotten Worse During the Pandemic

56% of IT workers believe employees have acquired poor security habits while working remotely, according to Tessian’s Back to Work Security Behaviors report.

“According to the report, younger employees are most likely to admit they cut cybersecurity corners, with over half (51%) of 16-24 year olds and almost half (46%) of 25-34 year olds reporting they’ve used security workarounds,” Tessian says.

“In addition, two in five (39%) say the cybersecurity behaviors they practice while working from home differ from those practiced in the office, with half admitting it’s because they feel they were being watched by IT departments.

IT leaders are optimistic about the return to office, though, with 70% believing staff will more likely follow company security policies around data protection and privacy. However, only 57% of employees think the same.”

Tessian found that most respondents believed that the uptick in phishing observed during the pandemic will continue during the return to the workplace.

“Over two-thirds of IT decision makers (67%) predict an increase in targeted phishing emails in which cybercriminals take advantage of the transition back to the office, adding to the rapidly growing number of phishing attacks faced by organizations (the FBI found that phishing attacks doubled in frequency last year),” Tessian says.

In addition, Tessian found that 27% of employees admitted that they didn’t report cybersecurity mistakes they made while working remotely.

“Over one quarter of employees admit they made cybersecurity mistakes — some of which compromised company security — while working from home that they say no one will ever know about,” the company says.

“More than one quarter (27%) say they failed to report cybersecurity mistakes because they feared facing disciplinary action or further required security training. In addition, just half of employees say they always report to IT when they receive or click on a phishing email.”

You can’t punish people into security awareness, and training shouldn’t be punitive. New-school security awareness training can enourage and inspire your employees to follow security best practices so they can spot social engineering attacks.

Blog post with links:
The Future of Ransomware

By Roger Grimes. Ransomware is pretty bad right now. It is taking down nearly any company and industry it can, targeting healthcare, energy infrastructure, and food supplies with equal aplomb. It takes down law enforcement, computer security companies, and entire cities at will. The average ransom paid is over $100K and we routinely see payouts in the many millions of dollars.

So far, the largest I have seen is $40M, but I bet larger ones have been paid that I do not know about. This is to say, it is pretty bad out there. Some companies are estimating overall annual damages from ransomware in the multi-hundreds of billions of dollars …ANNUALLY!

As I covered in my last article, ransomware is no longer about just encrypting data and has not been for quite a while. Today’s ransomware is:
  • Encrypting your data
  • Exfiltrating your emails, data, confidential information, IP and will post it publicly or give it to your competitors if you do not pay
  • Stealing company, employee and customer login credentials
  • Extorting your employees and customers
  • Sending spear phishing attacks to your business partners from your own computers using real email addresses and email subject lines your partners trust
  • Conducting DDoS attacks against any services you still have up and running
  • Publicly embarrassing your company
With all of these things being done routinely by ransomware, the question is, how could it get worse? What is the future of ransomware? I think I know.

What KnowBe4 Customers Say

"Hi Stu, so far, we are very impressed - in fact we feel the value for money is so good that we keep thinking there must be a catch somewhere!

Having a customer success manager (DominicE) help us get up and running has been invaluable, and I view this as essential to get the maximum value. I would recommend KnowBe4 without hesitation!"
- F.C., Security and Operations Manager

"Thank you for reaching out. We are absolutely thrilled with the value we are already receiving from KnowBe4. Our Customer Success Manager, TimC has been awesome as well. We are so glad we decided to invest in this tool, and partner with your company."
- E.T.C., Assistant Vice President, IT Manager
The 10 Interesting News Items This Week
    1. Senate bill proposes requiring cyber incident notification to feds within 24 hours:

    2. Ransomware claims are roiling an entire segment of the insurance industry:

    3. Deal or No Deal: The Double-edged Sword of the IT Security Bundle:

    4. Ransomware’s suspected Russian roots point to a long détente between the Kremlin and hackers:

    5. The latest REvil ransomware victim? Oh, just a US nuclear weapons contractor:

    6. How Does One Get Hired by a Top Cybercrime Gang?:

    7. Ukrainian Police Nab Six Tied to CLOP Ransomware

    8. Ouch. Billions of records belonging to CVS Health exposed online:

    9. NSA shares guidance on securing voice, video communications:

    10. Criminals are mailing altered Ledger devices to steal cryptocurrency:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.

Subscribe To Our Blog

Cybersecurity Awareness Month Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews