CyberheistNews Vol 11 #25
[Heads Up] Attackers Abuse Your Google Docs With a New Phishing Angle
Attackers are using a new technique to abuse Google Docs for phishing, according to researchers at Avanan. They take advantage of the fact that Google Docs will render attacker-supplied HTML, so a Google Docs page can serve as a landing page that sends the user on to the real phishing site. In one example the researchers describe, the doc was built to look like a file-share page.
"This Google Docs page may look familiar to those who share Google Docs outside of their organization," Avanan says. "This, however, isn't that page. It's a custom HTML page made to look like that familiar Google Docs share page.
The attacker wants the victim to "Click here to download the document" and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another webpage made to look like the Google login portal."
The researchers describe a second variant in which the Google doc itself was the phishing page: it imitated a DocuSign login page, and the login form carried an embedded listener that sent whatever the user typed into the password field to the attacker.
The links are delivered by phishing email. Because the message contains only a link to a Google doc rather than to an attacker-controlled website, it is more likely to slip past filters that judge a message by the reputation of the domains it links to. Avanan expects more attackers to adopt the technique.
Hackers are bypassing static link scanners by hosting their attacks in publicly known services, the researchers write. "We have seen this in the past with small services like MailGun, FlipSnack and Movable Ink, but this is the first time we're seeing it through a major service like Google Drive/Docs."
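As an added example (not code from Avanan or the KnowBe4 post), the small triage helper below shows the blind spot the researchers describe from the defender's side: it pulls the links out of an email and flags those hosted on legitimate content-hosting services, which a reputation-based link scanner would ordinarily pass without looking at what the page actually renders. The service list, the sample message and the function names are assumptions for illustration. A flag here means "render and inspect the landing content", not "block the domain".

```python
"""Flag email links hosted on legitimate content-hosting services.

Added example, not code from the Avanan report or the KnowBe4 post. The
service list and the sample message below are assumptions for illustration.
"""
import email
import re
from email import policy
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed list of public services abused as phishing landing pages.
# Google Docs/Drive are the services in the Avanan report; the rest are the
# smaller services the researchers say they had seen abused before.
TRUSTED_HOSTING: Dict[str, str] = {
    "docs.google.com": "Google Docs",
    "drive.google.com": "Google Drive",
    "mailgun.net": "MailGun",
    "flipsnack.com": "FlipSnack",
    "movableink.com": "Movable Ink",
}

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def extract_urls(raw_message: bytes) -> List[str]:
    """Return the distinct http(s) URLs found in the text and HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return urls


def hosting_service(url: str) -> Optional[str]:
    """Name the trusted hosting service behind a URL, or None.

    Matches the host exactly or as a subdomain, so a lookalike such as
    docs.google.com.evil.example does not match.
    """
    host = (urlparse(url).hostname or "").lower()
    for domain, name in TRUSTED_HOSTING.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def triage(raw_message: bytes) -> List[Dict[str, str]]:
    """Flag links whose landing content lives on a trusted hosting service.

    A finding means "render and inspect the landing page", not "block":
    the link itself points at a legitimate service; only the content
    behind it can be malicious.
    """
    findings: List[Dict[str, str]] = []
    for url in extract_urls(raw_message):
        service = hosting_service(url)
        if service is not None:
            findings.append({
                "url": url,
                "service": service,
                "reason": "landing content hosted on %s; a static link scan does not inspect it" % service,
            })
    return findings


# Constructed sample message mimicking the share-notification lure.
SAMPLE_EMAIL = b"""\
From: "Shared Drive" <share@example.net>
To: victim@example.com
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

A document has been shared with you:
https://docs.google.com/document/d/1AbCdEf/edit
Need help? https://www.example.com/help
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>A document has been shared with you.</p>
<p><a href="https://docs.google.com/document/d/1AbCdEf/edit">Click here to download the document</a></p>
<p><a href="https://www.example.com/help">Help</a></p></body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding["service"], finding["url"], "->", finding["reason"])
```

Run against the constructed message, the helper flags the docs.google.com link and leaves the example.com link alone. The suffix match in hosting_service is deliberate: a plain substring check would also match attacker domains that merely contain "docs.google.com", which is the opposite of what you want.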
Attackers are constantly evolving their tactics to slip past technical defenses. New-school security awareness training helps your employees spot social engineering red flags.
Blog post with links:
https://blog.knowbe4.com/attackers-abuse-google-docs-for-phishing-attacks
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Thursday, July 8 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
- NEW! AI-driven phishing and training recommendations based on your users' phishing and training history.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- NEW! Security Awareness Proficiency Assessment Benchmark lets you compare your organization's proficiency scores with other organizations in your industry.
- Did you know? You can upload your own SCORM training modules into your account for home workers.
- Active Directory integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: Thursday, July 8 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3286254/12D6C8F373C83EA522925D9001A54B3F?partnerref=CHN
80% Of Ransomware Victim Organizations Experience a Second Attack
The impact of ransomware attacks is much more than just the sensationalized cost of ransoms. New data spells out how victim organizations have suffered at the hands of ransomware.
With the future of ransomware looking pretty bleak, it's important for organizations like yours to have a realistic understanding of just how impactful a single successful ransomware attack can be to your business. Cybereason's report "Ransomware: The True Cost to Business" contains a number of shocking stats that show what the operational and business aftermath of an attack looks like. According to the report:
- 53% reported that their brand suffered
- 66% reported a significant revenue loss
- 42% reported that cyber insurance did not cover losses
- 46% had some or all of their data corrupted even after paying the ransom
- 25% had to close their doors for a period of time before reopening
- 80% of those who paid the ransom experienced another attack.
Blog post with links:
https://blog.knowbe4.com/80-of-ransomware-victim-organizations-experience-a-second-attack
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress
You told us you have challenging compliance requirements, not enough time to get audits done and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes compliance, risk, policy and vendor risk management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us Thursday, July 8 @ 1:00 PM (ET), for a 30-minute live product demo of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and a simple workflow based on the well-recognized NIST SP 800-30.
- Quick implementation with pre-built requirement templates for the most widely used regulations.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met and past due.
Save My Spot!
https://event.on24.com/wcc/r/3286345/9F427CBDE5C69AB7CEEFBD2E475B65AB?partnerref=CHN
Why Phishing Attacks Are so Easy, Successful and Profitable and What You Can Do About It
Phishing is thought to have started roughly 25 years ago. What makes this age-old method so persistently valuable to cyber criminals and scammers?
When you think of phishing, you might picture only the initial email sent to a potential victim. But phishing today is far more than that: the domain registrations, the fake login sites needed for credential theft, and the pre-campaign reconnaissance on potential victim organizations to find just the right person.
In short, phishing is a multi-pronged operation. And yet it finds success even when it's poorly executed.
Why is that? I see two simple reasons why phishing continues to grow, evolve, expand and succeed:
Cyber criminals see the opportunity and are reaching for the as-a-Service market within the criminal ecosystem, which feels like it is expanding faster than the universe. It used to be that you would simply rent an email list of millions on the dark web; today there is dark infrastructure, credential-theft phishing kits and just about every other component of a phishing attack offered as a service. So the opportunity I mentioned isn't necessarily just taking a company for its money; for a web developer, the opportunity may be building phishing kits instead of working a 9-to-5 job. Everybody's getting in on the game.
The potential victim doesn't see it coming. This is something I preach here every single day. Users are busy doing their jobs, and when a well-written, well-presented, properly branded, contextually appropriate email comes in, they have their work hat on and just click the link or open the attachment. Users simply aren't prepared for the attack they will someday face (if they haven't already).
Since there's little we can do to stop the bad-actor economy from growing, we need to focus on the one part we can: the user. By teaching them to default to skepticism, according to Mark Stone (a former CISSP), users can be taught to be critical of any email that asks for credentials, a transfer of funds or any other action a cyber criminal could misuse.
Only continuous security awareness training makes that skepticism stick; users need constant reinforcement so they know the danger is always present and keep their defenses up whenever they interact with email or the web.
Phishing isn't going anywhere, and it looks set to keep growing, so now is the time to toggle your users into skeptical mode.
https://blog.knowbe4.com/why-phishing-attacks-so-easy-successful-and-profitable-and-what-to-do-about-it
Looking for Some Binge-Worthy Watching? We've Got Just What You're Looking For
The Inside Man is an award-winning KnowBe4 Original Series that delivers security awareness principles embedded in each episode that teach your users key cybersecurity best practices and makes learning how to make smarter security decisions fun and engaging.
From social engineering, insider threats and physical security, to vishing and deepfakes: 'The Inside Man' reveals how easy it can be for an outsider to penetrate your organization’s security controls and network.
The Story So Far... Six months after his transformation from undercover hacker to company defender, Mark Shepherd, our flawed hero from Season 1, struggles in Season 2 to keep his past a secret while forging new relationships to thwart an elusive threat to the company's latest acquisition and navigating a budding romance, all leading to a cliff-hanger ending.
Season 3 reunites Mark and his newly-fledged team at 'Good Shepherd Security' to take flight into the world of security consulting and penetration testing. They've been commissioned by an international bank to do something that pushes both the limits of legality and their skill-set. They need to recruit new blood to help - but who can they trust?
The answer will set Mark, the ‘Inside Man’ himself on the emotional journey of a lifetime.
Watch the series now!
https://info.knowbe4.com/inside-man-chn
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc
PS: Making sure you saw this NEW NIST draft publication regarding ransomware. Page 13 talks about awareness training:
https://csrc.nist.gov/CSRC/media/Publications/nistir/draft/documents/NIST.IR.8374-preliminary-draft.pdf
Quotes of the Week
"More men have become great through practice than by nature."
- Democritus - Philosopher (460-370 BC)
"The man who reads nothing at all is better educated than the man who reads nothing but newspapers."
- Thomas Jefferson - Principal author of the Declaration of Independence, third President of the United States from 1801 to 1809
Thanks for reading CyberheistNews
Security News
[Eye Opener] Over 400% Increase in Ransomware Victims
According to a recent report by OODA Loop, "Mandiant claims to have detected a 422% increase in victim organizations announced by ransomware groups via their leak sites year-on-year between the first quarter of 2020 and Q1 2021."
In research recently conducted by Talion, three-quarters of the consumers and security professionals surveyed want ransom payments to be prohibited, a reaction to the number of victims rising steadily with no end to these attacks in sight.
Mandiant also found that the more than 600 European victim organizations were spread across many different industries.
As attacks multiply and demands grow, ransom payments have become an increasingly controversial subject. We recently reported that the average ransom has risen to $170,000, up from an average of $80,000 in 2019.
Security professionals also blame cyber insurance, arguing that it encourages further attacks by removing the consequences. It is highly recommended to implement frequent phishing tests and new-school security awareness training to keep your organization from becoming the next victim.
OODA Loop has the full story:
https://www.oodaloop.com/briefs/2021/06/24/ransom-leak-sites-reveal-422-annual-increase-in-victims/
KnowBe4 Makes eSecurity Planet's Best Security Awareness Training for Employees 2021 List
Security awareness training has made leaps and bounds in the last couple of years. With the old-school approach, a few bagels and long, boring PowerPoint presentations can only get you so far in educating your employees.
Nowadays, with ransomware and phishing attacks running amok and ruining orgs, it's important for all of your employees to be well versed in cybersecurity best practices and maintain good cyber hygiene.
KnowBe4 has made the list for Best Security Awareness Training for Employees 2021 by eSecurity Planet. If you're considering a security awareness training option, eSecurity Planet suggests you should check out the following:
- How is user management handled? Is it a manual process? You want to assess the ease of administration of whatever vendor you choose. If there are multiple systems or consoles, be sure to ask about the degree of integration between those systems.
- The volume of training content provided. How important is it to your organization to have an ongoing campaign with fresh content? A small training library means stale and infrequent training.
- Availability of localized training and phishing content to sustain frequent training and testing internationally and in multiple languages.
- Is the vendor dedicated to best-of-breed security awareness training as its core focus, or is it an add-on to a wide variety of products that are simply bundled together?
- What does customer support look like and how well is it reviewed?
- Find out how many capabilities come with the subscription level. What functionality is included versus what requires managed services and extra fees, including integration?
- What reporting and support features are included with the subscription?
- Is customized and branded training content important? If so, check to see if branding capabilities are in the platform.
https://blog.knowbe4.com/knowbe4-makes-esecurity-planets-best-security-awareness-training-for-employees-2021-list
What KnowBe4 Customers Say
"I'm loving PhishER and my CSM has set up a walkthrough with our SecOPS and Service Desk team for tomorrow so I can share the features with them. They are excited about PhishRIP.
I've already quarantined over 30,000 phishing messages from user inboxes that were all received in one day from a single compromised mailbox and our secure email gateway product did not identify the phishing email as a threat.
But it was our human firewall that used the PAB to report the phish to IT and then we used PhishER queries and quarantined all those threats in bulk!
I'll take a look at the new compliance training. I agree that many of our compliance courses are super boring. Fire safety and hazardous communications course is one hour long. Ugh."
- M.R. Director Cybersecurity Training Education & Awareness Program
The 10 Interesting News Items This Week
- Clop Gang Partners Laundered $500 Million in Ransomware Payments:
https://thehackernews.com/2021/06/clop-gang-members-laundered-500-million.html
- How Cyber Safe is Your Drinking Water Supply?:
https://krebsonsecurity.com/2021/06/how-cyber-safe-is-your-drinking-water-supply/
- South Korea's Nuclear Research agency hacked using VPN flaw:
https://www.bleepingcomputer.com/news/security/south-koreas-nuclear-research-agency-hacked-using-vpn-flaw/
- Biden is worried about cybersecurity. Japan says watch cartoons:
https://www.zdnet.com/article/biden-is-worried-about-cybersecurity-japan-says-watch-cartoons/
- This story is a fascinating 20-minute read. How the North Korean Lazarus group almost pulled off a billion-dollar cyber heist, but ended up with "just" $81M:
https://www.bbc.com/news/stories-57520169
- The Cybersecurity 202: The NSA wants to collaborate with industry in a major institutional shift:
https://www.washingtonpost.com/politics/2021/06/23/cybersecurity-202-nsa-wants-collaborate-with-industry-major-institutional-shift/
- Hackers are trying to attack big companies. Small suppliers are the weakest link:
https://www.zdnet.com/article/hackers-are-trying-to-attack-big-companies-small-suppliers-are-the-weakest-link/
- Microsoft warns: Now attackers are using a call center to trick you into downloading ransomware:
https://www.zdnet.com/article/microsoft-warns-now-attackers-are-using-a-call-centre-to-trick-you-into-downloading-ransomware/
- Ransomware: Now gangs are using virtual machines to disguise their attacks:
https://www.zdnet.com/article/ransomware-cyber-criminals-are-using-virtual-machines-to-hide-attacks-from-being-detected/
- By yours truly. "I Built a Billion-Dollar Company With the Help of These 19 Business Books":
https://www.entrepreneur.com/article/374149
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- Awesome World Taekwondo Demonstration Team - America's Got Talent 2021:
https://www.flixxy.com/world-taekwondo-demonstration-team-americas-got-talent-2021.htm?utm_source=4
- Super Talented Sweet Dads | People Are Awesome:
https://www.flixxy.com/dads-are-awesome.htm?utm_source=4
- Fabulous. Aerobatic Plane Dance in 4K filmed by a FPV racing drone:
https://www.flixxy.com/aerobatic-plane-dance-in-4k-gopro-awards.htm?utm_source=4
- Rembrandt's 'Night Watch' on Display With Missing Figures Restored by AI:
https://www.usnews.com/news/technology/articles/2021-06-23/rembrandts-night-watch-on-display-with-missing-figures-restored-by-ai
- Can you shoot --around-- objects with arrows? Lars Andersen can!
https://www.youtube.com/watch?v=qc_z4a00cCQ
- GoPro: Scenic Mountain Wingsuit Flight with Jeb Corliss:
https://www.youtube.com/watch?v=PT0NcmyDYLU
- Red Bull X-Alps 2021 - Best of Airborne Leaders:
https://www.youtube.com/watch?v=TusZSVYzNVE
- Journey To The Edge Of Space. Experience what it's like to leave Earth, traveling to over 90,000 feet into the stratosphere (360 Video):
https://www.youtube.com/watch?v=pCve1w1GFOs
- Climbing Skills, Karate, Extreme Mountain Biking | "Best of the Week" People Are Awesome:
https://youtu.be/qkTpdZ8VbZU
- Chile opens vast thermosolar power plant. Interesting!:
https://www.youtube.com/watch?v=PXHhKCxx1rM
- For Da Kids #1 - Meanwhile in Australia, cockatoos are biting tails of kangaroos and stealing their food:
https://youtu.be/Lx78TqH0HIE
- For Da Kids #2 - Rescue lion would get nervous during storms. A blanket did the trick:
https://youtu.be/STuvP5MMjJo
- For Da Kids #3 - This rescued sparrow is convinced he's a dog:
https://youtu.be/7WQDu_L7TiI
- For Da Kids #4 - Watch These Baby Skunks Grow Big And Go Back To The Wild:
https://www.youtube.com/watch?v=7qwYSo6k_lc