CyberheistNews Vol 11 #29 [Heads Up] New Phishing Threat Infographic: Your Users Are Failing Security and HR-Related Attacks


KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. These are broken down into three different categories: social media related subjects, general subjects and 'in the wild' attacks.

HR Phishing Clicks are Spiking

There has been a significant rise in phishing emails built around HR topics, especially new policies that would affect every employee across many types of organizations. Real phishing emails reported to IT departments that target security-minded users with password-check lures also remain popular. COVID-19 lures appeared on every quarterly report in 2020, but those subjects have dropped sharply in 2021 as end users have become more wary of scams on that topic.

With more employees returning to the office, they are concerned about new policies that affect their everyday situations at work, which is why we are seeing a rise in these types of phishing attacks. These days, it is especially important for all end users to take a moment to double check a link or attachment and to question whether the email is expected or unexpected. Employees are truly an organization’s last line of defense.

LinkedIn Still Draws the Most Social Media Subject Clicks

LinkedIn phishing messages have dominated the social media category for the last three years. Users may perceive these emails as legitimate since LinkedIn is a professional network, which could pose significant problems because many LinkedIn users have their accounts tied to their corporate email addresses.

Top-clicked subjects in this category also include Facebook and Twitter notifications, message alerts and login alerts. See the full infographic with top messages in each category for last quarter.

Great to share with your users:
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, August 4 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history.
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
  • Did You Know? You can upload your own SCORM training modules into your account for home workers.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 39,000+ organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, August 4 @ 2:00 PM (ET)

Save My Spot!
[WARNING] 2021 Tokyo Olympics Mean Olympic-Themed Phishing Attacks

Last year, we reported that authorities warned of the Tokyo Olympics phishing attacks. Then the global pandemic occurred, and the games were postponed. Well, now the games have returned... and so have the phishing attacks.

Let's take a walk down memory lane of Olympic-themed phishing attacks from the past:
  • 2016 Summer Olympics - phishing attacks spiked on claims that the Olympics were being 'cancelled'
  • 2018 Winter Olympics - threat actors hid a malicious PowerShell script inside an image file
  • 2020 Summer Olympics - experts warned of Olympic-themed cyber attacks against participants and attendees
Now that the Olympics have started, phishing attacks from cyber criminals will return in full force. Luckily, if you are a KnowBe4 customer, we have new templates available for you to test your users now. Search for "Tokyo Olympic Committee" templates in the Current Events category, and you will find the new set of templates.

Remember, new-school security awareness training is essential during current events like the Olympics to make sure your users are prepared to spot and report any suspicious activity using their Phish Alert Button!

Get it free:
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, August 4 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we have added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST SP 800-30 risk assessment guide.
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met and past due.
Date/Time: Wednesday, August 4 @ 1:00 PM (ET)

Save My Spot!
Microsoft Continues to Be the Top Impersonated Brand in Phishing Attacks

New data from CheckPoint identifies those brands being used by threat actors to trick victims into opening attachments, clicking links, providing credentials and giving up personal details.

The use of a familiar brand has long been a tactic used by cyber criminals in an effort to elevate the credibility of an email, to lower the defenses of the potential victim, and to get said victim to engage with the phishing email in the desired manner.

According to the latest data from security vendor CheckPoint in their Brand Phishing Report Q2 2021 blog, Microsoft is the predominant brand used in phishing attacks, by a wide margin:
  • Microsoft (45%)
  • DHL (26%)
  • Amazon (11%)
  • Best Buy (4%)
  • Google (3%)
In addition, cyber criminals are getting pretty good at crafting realistic-looking emails that feel like they really came from the brands they claim. A sample email provided by CheckPoint is one good example:

Link and screenshot at the KnowBe4 blog:
[NEW VERSION] Get Your Customized Automated Security Awareness Program, ASAP!

Many IT pros do not exactly know where to start when it comes to creating a security awareness training and culture program that will work for their organization.

We have taken away all the guesswork with our Free Automated Security Awareness Program builder (ASAP). ASAP is a revolutionary tool for IT professionals that helps you build your own customized Security Awareness Program for your organization. The new ASAP 2.0 will show you the steps needed to create a fully mature training program in just a few minutes!

The program includes actionable tasks, helpful tips, training content suggestions and a task management calendar. You also have the ability to export the full program as a detailed or executive summary version in PDF format. This is great ammo to help you secure budget for your program and report out to management.

Here is how it works:
  • Answer seven questions about your organization’s goals, compliance needs and culture
  • ASAP recommends training content based on your answers
  • See a detailed calendar with a customized task list to get your program started
  • Easily export detailed and executive summary PDF versions of your program
  • Get a fully mature awareness program ready in five minutes
Find out what YOUR program will look like! There is no cost... Start ASAP!

PS: If you are a current KnowBe4 customer, just log in to your console, click on ASAP at the top right and get started. :-D

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Yours Truly in Fast Company: Key concepts in Biden’s Executive Order can improve cybersecurity:

Get Ready for KB4-CON EMEA! Here is the (early bird) trailer:

Quotes of the Week
"One way to get the most out of life is to look upon it as an adventure."
- William Feather - Author (1889 - 1981)

"If you realized how powerful your thoughts are, you would never think a negative thought."
- Peace Pilgrim - Activist (1908 - 1981)

Thanks for reading CyberheistNews

Security News
Social Engineering and a Chinese State Campaign Against Pipelines

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued an alert describing a Chinese state-sponsored hacking campaign that targeted U.S. pipeline companies between 2011 and 2013. Notably, CISA and the FBI believe the campaign was intended to gather information to allow China to launch physically damaging cyber attacks.

“The U.S. Government has attributed this activity to Chinese state-sponsored actors,” the alert states. “CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyber attack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”

The hackers used spear phishing to gain initial access, but they also turned to vishing (voice phishing) when spear phishing was no longer viable.

“In addition to spear phishing, CISA and the FBI were made aware of social engineering attempts by malicious actors believed to be associated with this campaign,” CISA says. “The apparent goal was to gain sensitive information from asset owners. One asset owner reported that individuals in their network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices.

Other employees in other departments were not targeted. The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset.”

The attacker attempted to glean information from employees over the phone. “The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices,” the alert states. “He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems.

The caller was blocking his caller ID and when the targeted organization tried to return the call, they reached a number that was not in service.” New-school security awareness training helps you create a culture of security within your organization so your employees can thwart these types of attacks.

CISA has the story:
Microsoft Takes Down Homoglyph Domains

Microsoft has taken legal action to shut down 18 domains that were being used in business email compromise (BEC) attacks. The sites in question used homoglyphs to impersonate Microsoft websites. Homoglyphs are characters that visually resemble other characters, like the Cyrillic “Н” and the Latin “H”: they look the same on screen but are distinct characters with different code points, so a domain built from them is a different domain to DNS and to the browser.

“These malicious homoglyphs exploit similarities of alpha-numeric characters to create deceptive domains to unlawfully impersonate legitimate organizations,” the researchers write. “For example, a homoglyph domain may utilize characters with shapes that appear identical or very similar to the characters of a legitimate domain, such as the capital letter “O” and the number “0”.

We continue to see this technique used in business email compromise (BEC), nation state activity, malware and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks.”

Microsoft explained that the domains were used in BEC attacks to trick employees into believing that they were heading to a Microsoft site.
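A simple way to catch these domains before a user does is to collapse every look-alike character to the ASCII letter it imitates and compare that "skeleton" against your own brand names, while also flagging labels that mix scripts. The following is an added example, not code from Microsoft or KnowBe4; the confusable table is a small hand-picked subset of the Unicode confusables data, and every sample domain is constructed here for illustration rather than taken from the takedown.

```python
"""Flag homoglyph (look-alike) domains against a list of protected brands.

Added example, not Microsoft's or KnowBe4's code. The confusable table is a
small hand-picked subset of the Unicode confusables data, and every sample
domain below is constructed for illustration, not taken from the takedown.
"""
import unicodedata
from typing import Dict, List, Optional, Set

# Look-alike character -> the ASCII letter it is mistaken for (subset only).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "0": "o",       # digit zero vs letter o (the report's own example)
    "1": "l",       # digit one vs lowercase L
}
# ASCII digraphs that render like a single letter in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Canonical 'skeleton' of a label: look-alikes collapse to the same string."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, single in DIGRAPHS.items():
        s = s.replace(pair, single)
    return s


def scripts(label: str) -> Set[str]:
    """Approximate set of scripts in a label, taken from the first word of each
    letter's Unicode name (the stdlib exposes no Script property). A label that
    mixes LATIN with CYRILLIC or GREEK is suspicious on its own."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def to_ascii(domain: str) -> str:
    """IDNA (Punycode) form, which is what appears on the wire and in DNS/proxy logs."""
    return domain.encode("idna").decode("ascii")


def lookalike(domain: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain that `domain` imitates, else None.
    The protected domain itself is never flagged."""
    domain = domain.lower().rstrip(".")
    if domain in protected:
        return None
    sk = skeleton(domain)
    for brand in protected:
        if sk == skeleton(brand):
            return brand
    return None


def scan(domains: List[str], protected: List[str]) -> Dict[str, str]:
    """Map each flagged domain to the brand it imitates."""
    hits: Dict[str, str] = {}
    for d in domains:
        brand = lookalike(d, protected)
        if brand:
            hits[d] = brand
    return hits


PROTECTED = ["microsoft.com"]
SAMPLE_DOMAINS = [          # constructed samples, not the takedown domains
    "microsoft.com",        # legitimate
    "micr\u043esoft.com",   # Cyrillic o in place of Latin o
    "micr0soft.com",        # digit zero
    "rnicrosoft.com",       # 'rn' standing in for 'm'
    "example.com",          # unrelated
]

if __name__ == "__main__":
    for d, brand in scan(SAMPLE_DOMAINS, PROTECTED).items():
        first = d.split(".")[0]
        print(f"{d!r:24} wire={to_ascii(d):28} scripts={sorted(scripts(first))} imitates {brand}")
```

The skeleton comparison is the same idea as the confusable-skeleton test in Unicode TS #39; a production check would load the full confusables table rather than this subset. The `to_ascii` form matters for detection engineering: the browser and DNS see `xn--` labels, so a hunt over proxy or DNS logs should look for `xn--` domains whose decoded skeleton matches a protected brand, not for the Unicode spelling a user would see.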

CONTINUED with links at the KnowBe4 blog:
What KnowBe4 Customers Say

"Stu, You mean THE Stu Sjouwerman is sending me an email?! I appreciate you reaching out to check on my camping experience. At this point I can definitively say - So far, so good. The level of automation and "set-and-forget" abilities that the program has been and should continue to be a refreshing change for our small IT team in Northern New York. I am optimistic about the growth of our cyber security awareness and posture here with the aid of KnowBe4. The level of response and support I get from KnowBe4 staff has also been excellent and I am confident that I will be heard whenever I have issues or feature ideas.

I hate to sound all good and not provide any constructive criticism but I can honestly say that there hasn't been a negative aspect of this program yet. My biggest wish would be to see more compliance training and policies to the table and let this program take over other manual or paper tasks still going on here. Though, I would understand if that didn't align with the mission of the company and its cyber security starting point. Thanks again, have a great weekend Stu! (if it really is you)"
-B.C., IT Director

NOTE, I sent him a link to our new Compliance Plus page:

The 10 Interesting News Items This Week
    1. This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered:

    2. 19 days after REvil's ransomware attack on Kaseya VSA systems, there's a fix. Timeline:

    3. Top Ten Things You Can Do to Fight Malicious Hackers and Malware:

    4. Hackers embrace 5-day workweeks, unpatched vulnerabilities:

    5. China accuses US of launching cyberattacks, denies Microsoft Exchange hack:

    6. Hacking group APT31 uses mesh of home routers to disguise attacks:

    7. House approves raft of cyber bills in wake of ransomware attacks:

    8. Ransomware gang breached Insurer's network via fake browser update:

    9. Biden administration launches new website to combat ransomware:

    10. Ransomware incident at major cloud provider disrupts real estate, title industry:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
