CyberheistNews Vol 11 #29
[Heads Up] New Phishing Threat Infographic: Your Users Are Failing Security and HR-Related Attacks 
KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. These are broken down into three different categories: social media related subjects, general subjects and 'in the wild' attacks.
HR Phishing Clicks are Spiking
There has been a significant rise in phishing email attacks related to HR topics, especially those regarding new policies that would affect all employees throughout many types of organizations. Real phishing emails that were reported to IT departments related to security-minded users about password checks continue to remain popular. Phishing email attacks leveraging COVID-19 were on every quarterly report in 2020, but those subjects have dropped dramatically in 2021. End users have become more savvy about scams related to that topic.
With more employees returning to the office, they are concerned about new policies that affect their everyday situations at work, which is why we are seeing a rise in these types of phishing attacks. These days, it is especially important for all end users to take a moment to double check a link or attachment and to question whether the email is expected or unexpected. Employees are truly an organization’s last line of defense.
LinkedIn Still Draws the Most Social Media Subject Clicks
LinkedIn phishing messages have dominated the social media category for the last three years. Users may perceive these emails as legitimate since LinkedIn is a professional network, which could pose significant problems because many LinkedIn users have their accounts tied to their corporate email addresses.
Top-clicked subjects in this category also include Facebook and Twitter notifications, message alerts and login alerts. See the full infographic with top messages in each category for last quarter.
Great to share with your users:
https://blog.knowbe4.com/infographic-q2-2021-users-falling-for-security-hr-phishing-attacks
KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. These are broken down into three different categories: social media related subjects, general subjects and 'in the wild' attacks.
HR Phishing Clicks are Spiking
There has been a significant rise in phishing email attacks related to HR topics, especially those regarding new policies that would affect all employees throughout many types of organizations. Real phishing emails that were reported to IT departments related to security-minded users about password checks continue to remain popular. Phishing email attacks leveraging COVID-19 were on every quarterly report in 2020, but those subjects have dropped dramatically in 2021. End users have become more savvy about scams related to that topic.
With more employees returning to the office, they are concerned about new policies that affect their everyday situations at work, which is why we are seeing a rise in these types of phishing attacks. These days, it is especially important for all end users to take a moment to double check a link or attachment and to question whether the email is expected or unexpected. Employees are truly an organization’s last line of defense.
LinkedIn Still Draws the Most Social Media Subject Clicks
LinkedIn phishing messages have dominated the social media category for the last three years. Users may perceive these emails as legitimate since LinkedIn is a professional network, which could pose significant problems because many LinkedIn users have their accounts tied to their corporate email addresses.
Top-clicked subjects in this category also include Facebook and Twitter notifications, message alerts and login alerts. See the full infographic with top messages in each category for last quarter.
Great to share with your users:
https://blog.knowbe4.com/infographic-q2-2021-users-falling-for-security-hr-phishing-attacks
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, August 4 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
Date/Time: Wednesday, August 4 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3286550/31EE164C92D9B17703B92D26D5FC9BE0?partnerref=CHN
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, August 4 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at new features and see how easy it is to train and phish your users.
- NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history.
- NEW! Brandable Content feature gives you the option to add branded custom content to select training modules.
- NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry.
- Did You Know? You can upload your own SCORM training modules into your account for home workers.
- Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Date/Time: Wednesday, August 4 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3286550/31EE164C92D9B17703B92D26D5FC9BE0?partnerref=CHN
[WARNING] 2021 Tokyo Olympics Mean Olympic-Themed Phishing Attacks
Last year, we reported that authorities warned of the Tokyo Olympics phishing attacks. Then the global pandemic occurred, and the games were postponed. Well, now the games have returned... and so have the phishing attacks.
Let's take a walk down memory lane of Olympic-themed phishing attacks from the past:
Remember, new-school security awareness training is essential during current events like the Olympics to make sure your users are prepared to spot and report any suspicious activity using their Phish Alert Button!
Get it free:
https://www.knowbe4.com/free-phish-alert
Last year, we reported that authorities warned of the Tokyo Olympics phishing attacks. Then the global pandemic occurred, and the games were postponed. Well, now the games have returned... and so have the phishing attacks.
Let's take a walk down memory lane of Olympic-themed phishing attacks from the past:
- 2016 Summer Olympics - phishing attacks spiked of the Olympics being 'cancelled'
- 2018 Winter Olympics - threat actors hide Evil PowerShell script in an image
- 2020 Summer Olympics - experts warn of Olympic-themed cyber attacks for participants and attendees
Remember, new-school security awareness training is essential during current events like the Olympics to make sure your users are prepared to spot and report any suspicious activity using their Phish Alert Button!
Get it free:
https://www.knowbe4.com/free-phish-alert
See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress
You told us you have challenging compliance requirements, not enough time to get audits done and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us Wednesday, August 4 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we have added to make managing your compliance projects even easier!
Save My Spot!
https://event.on24.com/wcc/r/3286424/61BE7208F41800D0DA80A9AE0357D834?partnerref=CHN
You told us you have challenging compliance requirements, not enough time to get audits done and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us Wednesday, August 4 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we have added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements.
- Vet, manage and monitor your third-party vendors' security risk requirements.
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations.
- Dashboards with automated reminders to quickly see what tasks have been completed, not met and past due.
Save My Spot!
https://event.on24.com/wcc/r/3286424/61BE7208F41800D0DA80A9AE0357D834?partnerref=CHN
Microsoft Continues to Be the Top Impersonated Brand in Phishing Attacks
New data from CheckPoint identifies those brands being used by threat actors to trick victims into opening attachments, clicking links, providing credentials and giving up personal details.
The use of a familiar brand has long been a tactic used by cyber criminals in an effort to elevate the credibility of an email, to lower the defenses of the potential victim, and to get said victim to engage with the phishing email in the desired manner.
According to the latest data from security vendor CheckPoint in their Brand Phishing Report Q2 2021 blog, Microsoft is the predominate brand used in phishing attacks by a wide margin:
Link and screenshot at the KnowBe4 blog:
https://blog.knowbe4.com/microsoft-continues-to-be-the-top-impersonated-brand-in-phishing-attacks
New data from CheckPoint identifies those brands being used by threat actors to trick victims into opening attachments, clicking links, providing credentials and giving up personal details.
The use of a familiar brand has long been a tactic used by cyber criminals in an effort to elevate the credibility of an email, to lower the defenses of the potential victim, and to get said victim to engage with the phishing email in the desired manner.
According to the latest data from security vendor CheckPoint in their Brand Phishing Report Q2 2021 blog, Microsoft is the predominate brand used in phishing attacks by a wide margin:
- Microsoft (45%)
- DHL (26%)
- Amazon (11%)
- Best Buy (4%)
- Google (3%)
Link and screenshot at the KnowBe4 blog:
https://blog.knowbe4.com/microsoft-continues-to-be-the-top-impersonated-brand-in-phishing-attacks
[NEW VERSION] Get Your Customized Automated Security Awareness Program, ASAP!
Many IT pros do not exactly know where to start when it comes to creating a security awareness training and culture program that will work for their organization.
We have taken away all the guesswork with our Free Automated Security Awareness Program builder (ASAP). ASAP is a revolutionary tool for IT professionals that helps you build your own customized Security Awareness Program for your organization. The new ASAP 2.0 will show you the steps needed to create a fully mature training program in just a few minutes!
The program includes actionable tasks, helpful tips, training content suggestions and a task management calendar. You also have the ability to export the full program as a detailed or executive summary version in PDF format. This is great ammo to help you secure budget for your program and report out to management.
Here is how it works:
https://info.knowbe4.com/asap-chn
PS: If you are a current KnowBe4 customer, just log in to your console, click on ASAP at the top right and get started. :-D
Let's stay safe out there.
Many IT pros do not exactly know where to start when it comes to creating a security awareness training and culture program that will work for their organization.
We have taken away all the guesswork with our Free Automated Security Awareness Program builder (ASAP). ASAP is a revolutionary tool for IT professionals that helps you build your own customized Security Awareness Program for your organization. The new ASAP 2.0 will show you the steps needed to create a fully mature training program in just a few minutes!
The program includes actionable tasks, helpful tips, training content suggestions and a task management calendar. You also have the ability to export the full program as a detailed or executive summary version in PDF format. This is great ammo to help you secure budget for your program and report out to management.
Here is how it works:
- Answer seven questions about your organization’s goals, compliance needs and culture
- ASAP recommends training content based on your answers
- See a detailed calendar with a customized task list to get your program started
- Easily export detailed and executive summary PDF versions of your program
- Get a fully mature awareness program ready in five minutes
https://info.knowbe4.com/asap-chn
PS: If you are a current KnowBe4 customer, just log in to your console, click on ASAP at the top right and get started. :-D
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc
PS: Yours Truly in Fast Company: Key concepts in Biden’s Executive Order can improve cybersecurity:
https://www.fastcompany.com/90655816/key-concepts-in-bidens-executive-order-can-improve-cybersecurity
Get Ready for KB4-CON EMEA! Here is the (early bird) trailer:
https://vimeo.com/579511995/695dd7ae7e
Quotes of the Week
"One way to get the most out of life is to look upon it as an adventure."
- William Feather - Author (1889 - 1981)
"If you realized how powerful your thoughts are, you would never think a negative thought."
- Peace Pilgrim - Activist (1908 - 1981)
Thanks for reading CyberheistNews
- William Feather - Author (1889 - 1981)
"If you realized how powerful your thoughts are, you would never think a negative thought."
- Peace Pilgrim - Activist (1908 - 1981)
Thanks for reading CyberheistNews
Security News
Social Engineering and a Chinese State Campaign Against Pipelines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued an alert describing a Chinese state-sponsored hacking campaign that targeted U.S. pipeline companies between 2011 and 2013. Notably, CISA and the FBI believe the campaign was intended to gather information to allow China to launch physically damaging cyber attacks.
“The U.S. Government has attributed this activity to Chinese state-sponsored actors,” the alert states. “CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyber attack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”
The hackers used spear phishing to gain initial access, but they also turned to vishing (voice phishing) when spear phishing was no longer viable.
“In addition to spear phishing, CISA and the FBI were made aware of social engineering attempts by malicious actors believed to be associated with this campaign,” CISA says. “The apparent goal was to gain sensitive information from asset owners. One asset owner reported that individuals in their network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices.
Other employees in other departments were not targeted. The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset.”
The attacker attempted to glean information from employees over the phone. “The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices,” the alert states. “He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems.
The caller was blocking his caller ID and when the targeted organization tried to return the call, they reached a number that was not in service.” New-school security awareness training helps you create a culture of security within your organization so your employees can thwart these types of attacks.
CISA has the story:
https://us-cert.cisa.gov/ncas/alerts/aa21-201a
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued an alert describing a Chinese state-sponsored hacking campaign that targeted U.S. pipeline companies between 2011 and 2013. Notably, CISA and the FBI believe the campaign was intended to gather information to allow China to launch physically damaging cyber attacks.
“The U.S. Government has attributed this activity to Chinese state-sponsored actors,” the alert states. “CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyber attack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”
The hackers used spear phishing to gain initial access, but they also turned to vishing (voice phishing) when spear phishing was no longer viable.
“In addition to spear phishing, CISA and the FBI were made aware of social engineering attempts by malicious actors believed to be associated with this campaign,” CISA says. “The apparent goal was to gain sensitive information from asset owners. One asset owner reported that individuals in their network engineering department, including managers, received multiple phone calls requesting information about their recent network security practices.
Other employees in other departments were not targeted. The asset owner also reported that these calls began immediately after they had identified and removed the malicious intruder from their network and performed a system-wide credential reset.”
The attacker attempted to glean information from employees over the phone. “The caller identified himself as an employee of a large computer security firm performing a national survey about network cybersecurity practices,” the alert states. “He inquired about the organization’s policy and practices for firewall use and settings, types of software used to protect their network, and the use and type of intrusion detection and/or prevention systems.
The caller was blocking his caller ID and when the targeted organization tried to return the call, they reached a number that was not in service.” New-school security awareness training helps you create a culture of security within your organization so your employees can thwart these types of attacks.
CISA has the story:
https://us-cert.cisa.gov/ncas/alerts/aa21-201a
Microsoft Takes Down Homoglyph Domains
Microsoft has taken legal action to shut down 18 domains that were being used in business email compromise (BEC) attacks. The sites in question used homoglyphs to impersonate Microsoft websites. Homoglyphs are characters that visually resemble other characters, like the Cyrillic “Н” and the Roman “H,” but which in fact are distinct, and are so coded.
“These malicious homoglyphs exploit similarities of alpha-numeric characters to create deceptive domains to unlawfully impersonate legitimate organizations,” the researchers write. “For example, a homoglyph domain may utilize characters with shapes that appear identical or very similar to the characters of a legitimate domain, such as the capital letter “O” and the number “0”.
We continue to see this technique used in business email compromise (BEC), nation state activity, malware and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks.”
Microsoft explained that the domains were used in BEC attacks to trick employees into believing that they were heading to a Microsoft site.
CONTINUED with links at the KnowBe4 blog:
https://blog.knowbe4.com/microsoft-takes-down-homoglyph-domains
Microsoft has taken legal action to shut down 18 domains that were being used in business email compromise (BEC) attacks. The sites in question used homoglyphs to impersonate Microsoft websites. Homoglyphs are characters that visually resemble other characters, like the Cyrillic “Н” and the Roman “H,” but which in fact are distinct, and are so coded.
“These malicious homoglyphs exploit similarities of alpha-numeric characters to create deceptive domains to unlawfully impersonate legitimate organizations,” the researchers write. “For example, a homoglyph domain may utilize characters with shapes that appear identical or very similar to the characters of a legitimate domain, such as the capital letter “O” and the number “0”.
We continue to see this technique used in business email compromise (BEC), nation state activity, malware and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks.”
Microsoft explained that the domains were used in BEC attacks to trick employees into believing that they were heading to a Microsoft site.
CONTINUED with links at the KnowBe4 blog:
https://blog.knowbe4.com/microsoft-takes-down-homoglyph-domains
What KnowBe4 Customers Say
"Stu, You mean THE Stu Sjouwerman is sending me an email?! I appreciate you reaching out to check on my camping experience. At this point I can definitively say - So far, so good. The level of automation and "set- and-forget" abilities that the program has been and should continue to be a refreshing change for our small IT team in Northern New York. I am optimistic about the growth of our cyber security awareness and posture here with the aid of KnowBe4. The level of response and support I get from KnowBe4 staff has also been excellent and I am confident that I will be heard whenever I have issues or feature ideas.
I hate to sound all good and not provide any constructive criticism but I can honestly say that there hasn't been a negative aspect of this program yet. My biggest wish would be to see more compliance training and policies to the table and let this program take over other manual or paper tasks still going on here. Though, I would understand if that didn't align with the mission of the company and its cyber security starting point. Thanks again, have a great weekend Stu! (if it really is you)"
-B.C., IT Director
NOTE, I sent him a link to our new Compliance Plus page:
https://www.knowbe4.com/compliance-plus
"Stu, You mean THE Stu Sjouwerman is sending me an email?! I appreciate you reaching out to check on my camping experience. At this point I can definitively say - So far, so good. The level of automation and "set- and-forget" abilities that the program has been and should continue to be a refreshing change for our small IT team in Northern New York. I am optimistic about the growth of our cyber security awareness and posture here with the aid of KnowBe4. The level of response and support I get from KnowBe4 staff has also been excellent and I am confident that I will be heard whenever I have issues or feature ideas.
I hate to sound all good and not provide any constructive criticism but I can honestly say that there hasn't been a negative aspect of this program yet. My biggest wish would be to see more compliance training and policies to the table and let this program take over other manual or paper tasks still going on here. Though, I would understand if that didn't align with the mission of the company and its cyber security starting point. Thanks again, have a great weekend Stu! (if it really is you)"
-B.C., IT Director
NOTE, I sent him a link to our new Compliance Plus page:
https://www.knowbe4.com/compliance-plus
The 10 Interesting News Items This Week
- This Chat is Being Recorded: Egregor Ransomware Negotiations Uncovered:
https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/ - 19 days after REvil's ransomware attack on Kaseya VSA systems, there's a fix. Timeline:
https://blog.knowbe4.com/important-kaseya-notice-turn-vsa-off.-now.-ransomware - Top Ten Things You Can Do to Fight Malicious Hackers and Malware:
https://www.linkedin.com/pulse/top-ten-things-you-can-do-fight-malicious-hackers-malware-grimes - Hackers embrace 5-day workweeks, unpatched vulnerabilities:
https://searchsecurity.techtarget.com/news/252504294/Hackers-embrace-5-day-work-weeks-unpatched-vulnerabilities - China accuses US of launching cyberattacks, denies Microsoft Exchange hack:
https://therecord.media/china-accuses-us-of-launching-cyberattacks-denies-microsoft-exchange-hack/ - Hacking group APT31 uses mesh of home routers to disguise attacks:
https://therecord.media/chinese-hacking-group-apt31-uses-mesh-of-home-routers-to-disguise-attacks/ - House approves raft of cyber bills in wake of ransomware attacks:
https://therecord.media/house-approves-raft-of-cyber-bills-in-wake-of-ransomware-attacks/ - Ransomware gang breached Insurer's network via fake browser update:
https://www.bleepingcomputer.com/news/security/ransomware-gang-breached-cna-s-network-via-fake-browser-update/ - Biden administration launches new website to combat ransomware:
https://federalnewsnetwork.com/federal-newscast/2021/07/biden-administration-launches-new-website-to-combat-ransomware/ - Ransomware incident at major cloud provider disrupts real estate, title industry:
https://therecord.media/ransomware-incident-at-major-cloud-provider-disrupts-real-estate-title-industry/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
- This week's Virtual Vaca. Get some space at gorgeous Orcas Island, Washington, USA in 4K Ultra HD:
https://www.youtube.com/watch?v=5BHBZr3OuRQ - Virtual Vaca #2 - Climbing China's Incredible Cliffs | National Geographic:
https://www.youtube.com/watch?v=AIO2MEJCD9k - Magician and illusionist Rob Lake amazes the judges as he appears out of thin air right before their eyes on America's Got Talent:
https://www.flixxy.com/magician-rob-lake-appears-out-of-thin-air-americas-got-talent-2018.htm?utm_source=4 - Pasha and Aliona's Surprising And Unexpected Performance:
https://www.flixxy.com/pasha-and-aliona-surprising-and-unexpected-performance-agt-2021.htm?utm_source=4 - Back in 1976, Hans and Helga Moretti pulled off an amazing illusion that continues to puzzle professional magicians decades later:
https://www.flixxy.com/hans-morettis-sword-box-illusion-1976.htm?utm_source=4 - Lockpicking Lawyer - "Did You Think I Was Dumb?"" Cryptex USB Drive Opened:
https://www.youtube.com/watch?v=MPOsw2BRUPQ&t=3s - Best moments of the Red Bull Air Race and air acrobatics:
https://www.youtube.com/watch?v=fObqACgLhqM - All of history's greatest figures achieved success in almost exactly the same way. But rather than celebrating this part of the creative process we ignore it:
https://www.flixxy.com/the-long-road-to-success.htm?utm_source=4 - Summary - Watch Blue Origin send Jeff Bezos to space (short 3:29) in first historic launch:
https://www.youtube.com/watch?v=3h41c4QTiwo - This fashionable bike lock does not slow down the Lockpicking Lawyer:
https://youtu.be/LriGXdLJnwE - Why Tesla Needed The Giga Press:
https://www.youtube.com/watch?v=qJDSOwf9hpw - For Da Kids #1 - A Zebra Shark Will Not Let This Diver Work:
https://www.youtube.com/watch?v=OtwGVf2CeNM
- For Da Kids #2 - 10-Ounce Puppy Terrifies 75-Pound Boxer:
https://www.youtube.com/watch?v=o7ZBxHMS2Uw - For Da Kids #3 - Cute white sugar glider with build-in wing suit flying down into owner hand video:
https://www.youtube.com/watch?v=qjdE8ffQVZw
