CyberheistNews Vol 11 #39 [New Criminal Tactic]: Shortened LinkedIn URLs Are Now Used as Phish Hooks


Scammers are now using shortened LinkedIn URLs to disguise phishing links, according to Jeremy Fuchs at Avanan. LinkedIn automatically shortens links that are longer than 26 characters. The URL is shortened to a “lnkd[.]in” link followed by several characters. Attackers are abusing this feature to avoid detection by users and security filters.

Avanan spotted a phishing email that states, “Good afternoon. We are having a general upgrade on our new system data for 2021, and we’ll be needing your aid to rectify the missing info below so we can deliver more accurate and reliable service.” Ironically, the bottom of the email contains a warning that email fraud is on the rise, urging users to validate the source before interacting with an email.

If a user clicks on the shortened link, they’ll be sent through several redirects before landing on a phishing page that asks them to download a PDF. Because the shortened link comes from a legitimate service, users are less likely to be suspicious. Using multiple redirects through harmless sites helps to fool security technologies that check for phishing pages.

“This particular email can target anyone,” Fuchs says. “Though it presents itself as a standard credential harvesting and invoice scheme, the use of a LinkedIn URL may mean that any profession—the market for LinkedIn—could click. Plus, more employees have access to billing and invoice information, meaning that a spray-and-pray campaign can be effective. Whether it’s the “lnkd[.]in” form or the https[://]www[.]linkedin[DOT]com/slink?code=aB-cDeF variation, the idea is to create a link that contains a clean page, redirecting to a phishing page.”

Avanan notes that LinkedIn is among the top ten most impersonated brands in phishing attacks, so users should be on the lookout for these types of scams. New-school security awareness training enables your employees to make smarter security decisions so they can avoid falling for stealthy phishing attacks.
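
A defensive check for the two link forms described above, as an added example that is not part of the original newsletter or Avanan's report: it finds LinkedIn shortener links in a message body (including defanged ones) and, given a redirect chain already recorded by a sandbox or mail gateway, reports the landing host that reputation checks should score. The function names, the sample body and the sample chain are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two link forms named in the article: lnkd.in/<code> and linkedin.com/slink?code=<code>
SHORT_HOST = "lnkd.in"
SLINK_HOSTS = {"linkedin.com", "www.linkedin.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def refang(text):
    """Undo common defanging ([.], [DOT], [://], hxxp) so URLs parse normally."""
    text = re.sub(r"\[\s*(?:\.|dot)\s*\]", ".", text, flags=re.IGNORECASE)
    text = text.replace("[://]", "://")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)

def is_linkedin_shortlink(url):
    """True for either LinkedIn shortener form."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == SHORT_HOST:
        return len(parts.path.strip("/")) > 0
    if host in SLINK_HOSTS and parts.path.rstrip("/") == "/slink":
        return bool(parse_qs(parts.query).get("code"))
    return False

def find_shortlinks(body):
    """Return LinkedIn shortener URLs found in an email body, in order."""
    urls = (u.rstrip(".,;") for u in URL_RE.findall(refang(body)))
    return [u for u in urls if is_linkedin_shortlink(u)]

def assess_chain(hops):
    """Summarise a recorded redirect chain (ordered URLs, first hop = link in the email)."""
    final_host = (urlsplit(hops[-1]).hostname or "").lower()
    on_linkedin = final_host in (SHORT_HOST, "linkedin.com") or final_host.endswith(".linkedin.com")
    return {
        "redirects": len(hops) - 1,
        "score_this_host": final_host,  # reputation checks belong on the landing host
        "masked": is_linkedin_shortlink(hops[0]) and not on_linkedin,
    }

# Constructed sample data (not taken from the reported campaign).
SAMPLE_BODY = (
    "Kindly rectify the missing info: https://lnkd[.]in/aBcD123\n"
    "Mirror: https[://]www[.]linkedin[DOT]com/slink?code=aB-cDeF\n"
    "Profile: https://www.linkedin.com/in/someone\n"
)
SAMPLE_CHAIN = [
    "https://lnkd.in/aBcD123",
    "https://news.example.net/out?id=7",
    "https://docs.example.org/view.html",
]

if __name__ == "__main__":
    print(find_shortlinks(SAMPLE_BODY))
    print(assess_chain(SAMPLE_CHAIN))
```

A "masked" result only means the visible link hid an off-LinkedIn destination, which legitimate shared links also do; the verdict should come from scoring the landing host, not the lnkd.in hop.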

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, October 6 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, October 6 @ 2:00 PM (ET)

[HEADS UP] Paid Google Ads Now Abused To Deliver Malware

Cybercriminals are using malicious Google Ads to deliver the ZLoader banking Trojan, ZDNet reports. Researchers at Microsoft stated on Twitter that attackers are purchasing Google Ads that point to compromised websites, then redirect the user to a malicious website that delivers the malware. The criminals use the ads to target people who search Google for certain keywords.

“While analyzing ZLoader campaigns in early September, we observed a notable shift in delivery method: from the traditional email campaigns to the abuse of online ad platforms,” Microsoft said. “Attackers purchased ads pointing to websites that host malware posing as legitimate installers.”

The attackers also registered a phony company to cryptographically sign the malware files, making them more likely to appear benign to antivirus products.

“In addition to creating malicious installers, this shift in delivery method required to register a fraudulent company so they can sign the malicious files,” Microsoft said. “These files purport to install legitimate apps but instead deliver ZLoader, which provides access to an affected device.”

ZLoader is a remote access Trojan that serves as an initial foothold for additional malware, including ransomware.

“The operators of this campaign can then sell this access to other attackers, who can use it for their own objectives, such as deploying Cobalt Strike or even ransomware,” Microsoft said. ZDNet notes that the US Cybersecurity and Infrastructure Security Agency (CISA) warned last week that ZLoader is being used to distribute Conti ransomware.

“[CISA] and the Federal Bureau of Investigation (FBI) have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations,” CISA stated. “In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.”

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, October 6 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your specific scopes and requirements
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: TOMORROW, Wednesday, October 6 @ 1:00 PM (ET)

What Is XDR (Extended Detection And Response)?

ReliaQuest published a good article a little while back that quickly defines XDR and what it can do for you. This may save you some time and get you up to speed on the latest security layer.

XDR stands for extended detection and response and is a cross-platform threat detection and response strategy. XDR is a new category that’s been generating a lot of hype in the world of cybersecurity, and for good reason: Some of its hallmarks include centralization of normalized data, correlation of security data and alerts into incidents, and automated data sorting and analysis.


More traditional cybersecurity methodologies, such as endpoint detection and response (EDR) and security orchestration, automation, and response (SOAR), generally involve reactive approaches to detected threats. The sheer volume of security alerts provided by EDRs and SOARs derived from SIEM data often leads to security team burnout and more time spent tuning tools to avoid false positives than managing threat response.

XDR, on the other hand, enables a proactive approach by delivering visibility into data across clouds, endpoints, and networks, all while using automation and applying analytics to address threats. By automatically grouping lower-confidence activities into singular higher-confidence events, fewer alerts get prioritized for action, freeing the security team up for more urgent actions.


While more traditional security programs collect and provide data from the perspective of a particular function, XDR provides access to a full data lake of activity—including detections, metadata, telemetry, NetFlow, etc.—across a variety of individual security programs. And while the data analysis is more comprehensive, the threat alerts are more refined and focused to prevent response overload. That makes analysis easier, and that means fewer false positives.


While XDR is a step forward in the world of cybersecurity and threat response, it still suffers from vendor-based restrictions. Simply put, XDR platforms are generally limited to working with products within the same brand, and each XDR tool is tuned to the perspective of its creators.

Vendor-agnostic alternatives exist. ReliaQuest GreyMatter, for instance, takes an open approach to XDR, working as glue for multiple XDR platforms and unifying them to work together to protect your network from threats of all shapes and sizes.

5 Things You Should Know About Ransomware Before It's Too Late

According to a report by Deloitte, 65% of executives feel ransomware is the greatest threat concern, but few are prepared to address that threat. How can you make sure you aren’t caught off guard when, not if, ransomware gangs put your organization in their sights?

Join us for this thought-provoking webinar hosted by Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist. He’ll teach you what you can do now to help prevent, detect, and mitigate ransomware threats.

In this session you’ll learn:
  • What are the root causes of ransomware?
  • Who really are the ransomware gangs?
  • Is it even legal to pay the ransom?
  • How can you best prevent your data from being exfiltrated?
  • What can you expect from cyber insurance coverage?
Earn CPE credit for attending. Get the information you need to know now before it’s too late!

Date/Time: Wednesday, October 13 @ 2:00 PM (ET)


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Property may be destroyed and money may lose its purchasing power; but, character, health, knowledge and good judgment will always be in demand under all conditions."
- Roger Babson, Educator (1875 - 1967)

"History never repeats itself, but it does often rhyme."
- attributed to Mark Twain

"Half of what you know about cybersecurity will be irrelevant in 18 months."
- G. Mark Hardy, Virtual CISO

Thanks for reading CyberheistNews

Security News
Recognizing a Bogus "Microsoft" Security Warning

People who are working from home need to know how to recognize fake Microsoft security warnings, according to Brien Posey, vice president of research and development at Relevant Technologies. In an article for ITPro Today, Posey explains that Microsoft alerts won’t show up in a browser or over a phone call.

“First and foremost, if a security alert is displayed within a web browser, it is almost certainly fraudulent,” Posey writes. “While it’s true that a browser might occasionally indicate that a site that you are about to visit is not secure, Microsoft does not plaster warning messages inside of the browser indicating that your computer has been compromised and that you need to download a fix or contact technical support. It’s also important for users to know that Microsoft support does not contact people to tell them that their computers have been compromised. All such telephone calls are fraudulent.”

Posey also notes that an alert that appears urgent or frightening is most likely phony. “There are no alert tones, flashing fonts or threats as to what could happen if you don’t take immediate action,” Posey adds. “Any such language is a clear indicator that a message is fake. Other obvious signs that a security alert is fake might include having alert text being read by a robotic voice, an alert being displayed in a way that is difficult to get rid of, or prompts indicating that you need to pay for support using either crypto currency or gift cards.”

Posey notes that you can also check your computer’s settings to see if the alert’s information is accurate. “Another way to confirm a message’s authenticity is to check the message’s context against the settings within the Windows operating system,” Posey says. “If, for example, a message indicates that the Windows Firewall has been disabled, it is easy enough to go into Settings to see if the firewall is indeed disabled. If the firewall is still turned on, then the message is probably a fake.”

New-school security awareness training can teach your employees how to recognize social engineering tactics.

Phishing Campaign Impersonates Zix Messages

Researchers at Armorblox have spotted a credential phishing campaign that’s impersonating encrypted communications from Zix. The emails contain a link to download an HTML attachment.

“This email is titled ‘Secure Zix message’, includes a header in the email body reiterating the email title, and claims that the victim has received a secure message from Zix, which is a security technology company that provides email encryption and email data loss prevention services,” the researchers write.

“The email invites the victim to click on the ‘Message’ button to view the secure message.” The phishing campaign was widespread, but the researchers observed some attacks that were targeted at specific employees.

“Although the potential account exposure of this attack campaign was close to 75,000 mailboxes, our threat research team found that a select group of employees - usually across departments - were targeted within each customer environment,” Armorblox says. “For example, for one of our SLED customers, people targeted by this attack included the CFO, a Director of Operations, a Director of Marketing, and a professor.

For another customer, a wellness company, the target employees included the SVP of Finance and Operations, the President, and a utility email alias ([.]com).”

Armorblox concludes that users should slow down and think before clicking on unsolicited links. “Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” the researchers write. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible.

Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is a Zix link leading to an HTML download? Why is the sender email domain from a third-party organization?).”

Frequent simulated phishing attacks will train your employees to block these social engineering attacks.

Become a Certified Leader in the Security Awareness Industry

Earn the Security Awareness and Culture Professional (SACP)™ credential and demonstrate your competency to design and lead security awareness programs that build a sustained security awareness culture.

To recognize Security Awareness Month, H Layer Credentialing are reducing registration fees through October 2021 by $70! Simply use the promo code SecurityMonth1021 during checkout to receive your discount.

The Security Awareness and Culture Professional (SACP)™ credential is the only independent, vendor-neutral certification designed specifically for the newest job role in building a security-aware culture.

You can learn more about the exam on their website or by downloading the SACP Candidate Information Bulletin. Use promo code SecurityMonth1021 during checkout to receive your $70 discount.

What KnowBe4 Customers Say

"Hi Stu, I have had the pleasure of working with Claire over the last six plus months on all things KnowBe4. She has been such a great asset, so patient and responsive. I have spent a lot of time working and communicating with her to set up our trainings, phishing campaigns, smart groups and assessments. I’m really happy to have her as our customer success manager- she is a GEM!

I have found customer service to be such an important part of the user experience, having been a Director of Customer Support myself years ago I wanted to take the time and applaud her for the work she does as I know I have asked a lot of her and her time over these last few months and she always helps with a smile. She’s a Keeper."
- P.M. CRCMP, CSCS, CHP, Compliance Risk Manager

The 10 Interesting News Items This Week
    1. The New Security Basics: 10 Most Common Defensive Actions. Yes, training is one of them

    2. EU officially blames Russia for 'Ghostwriter' hacking activities

    3. CISA releases tool to help orgs fend off insider threat risks

    4. 19 of the top 20 Facebook pages for American Christians were run by Eastern European troll farms

    5. Ukraine takes down call centers behind cryptocurrency investor scams

    6. The Rise of One-Time Password Interception Bots

    7. US arrests 33 BEC scammers linked to Nigerian crime syndicate

    8. Russia arrests cybersecurity firm CEO after raiding offices

    9. House Oversight Wants Briefing on FBI’s Handling of Kaseya Ransomware Attack

    10. Russian hacker Q&A: An Interview With REvil-Affiliated Ransomware Contractor

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.
