CyberheistNews Vol 11 #50 [EYE OPENER] New EU Phishing Study Shows That Crowd-sourcing Phishing Defense Is Successful

A Swiss phishing study involving roughly 15,000 participants in a 15-month experiment produced some interesting results. The study was run by researchers at ETH Zurich, working together with a company that remained anonymous.

The company did not inform their employees about the simulated phishing program they were going to be part of. The four goals of the study were to determine:
  • Which employees fall for phishing
  • How vulnerability evolves over time
  • How effective embedded training and warnings are
  • Whether employees can do anything to help in phishing detection
The study began by deploying an email client "phish alert" button that let employees report suspicious emails easily, and then sent simulated phishing tests to employees' work email addresses for more than a year.

A few takeaways: gender did not appear to affect phishing susceptibility much, and among repeat-clickers, 23.91% of those who performed a dangerous action (enabling macros, submitting credentials) did so more than once. The research paper also showed that sending voluntary training (i.e. training the employee was not required to complete) to an employee who failed a phishing test did not improve security behavior.

Crowd-sourcing Turns Out To Be Feasible

As stated, employees in the tested company were given a "phish alert" button in their email client to report suspicious messages. To assess how effective crowd-sourced phishing defense is, the researchers looked at both the reaction time and the flagging accuracy of employees.

User reports were accurate 68% of the time for phishing, and 79% if spam reports are counted as well. The most active reporters reached an accuracy of over 80%. And here is an important point about timing: 10% of all reports were submitted within 5 minutes of the email arriving, and 35% within half an hour.

"To apply these numbers to a hypothetical company of 1,000 employees where 100 of them are targeted by a phishing campaign, we would have between 8 and 25 reports of the email by employees—of which one within 5 minutes with high probability, and a larger number within 30 minutes," details the paper.

In other words, during an active attack the SOC would get a user-generated warning within 5 minutes and be able to PhishRIP the message immediately, or better yet, PhishFlip the attack into a simulated phishing test for the whole user base.
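To make the paper's arithmetic concrete, here is an added Python model (not code from the study, the paper's authors or KnowBe4) that turns the quoted figures into numbers a SOC can plan around. The 8% to 25% report-rate range is an assumption read off the hypothetical 100-targeted-users case above, the delay fractions are the 10%-within-5-minutes and 35%-within-30-minutes figures, and the report timestamps at the end are constructed sample data.

```python
"""Crowd-sourced phishing report model built from the study figures quoted above.

Assumptions (not from the paper itself): reports are independent, every report's
delay follows the same distribution, and the share of targeted users who report
lies between REPORT_RATE_LOW and REPORT_RATE_HIGH.
"""
from typing import Optional, Sequence, Tuple

# Cumulative share of reports submitted within N minutes of delivery (figures quoted above).
REPORT_DELAY_CDF = {5: 0.10, 30: 0.35}

# Assumed report-rate range, read off the paper's "8 to 25 reports per 100 targeted".
REPORT_RATE_LOW = 0.08
REPORT_RATE_HIGH = 0.25


def expected_reports(targeted: int) -> Tuple[int, int]:
    """Low and high number of user reports expected when `targeted` users get the email."""
    return round(targeted * REPORT_RATE_LOW), round(targeted * REPORT_RATE_HIGH)


def prob_at_least_one_by(n_reports: int, minutes: int) -> float:
    """Probability that at least one of n independent reports lands within `minutes`.

    Each report arrives by `minutes` with probability REPORT_DELAY_CDF[minutes];
    the SOC hears nothing in time only if every single reporter is slower than that.
    """
    fraction = REPORT_DELAY_CDF[minutes]  # KeyError for delays the study did not publish
    return 1.0 - (1.0 - fraction) ** n_reports


def soc_warning_window(targeted: int, minutes: int) -> Tuple[float, float]:
    """Probability range (low-rate case, high-rate case) of a user warning within `minutes`."""
    low, high = expected_reports(targeted)
    return prob_at_least_one_by(low, minutes), prob_at_least_one_by(high, minutes)


def minutes_until_k_reports(report_minutes: Sequence[float], k: int) -> Optional[float]:
    """Delay after delivery at which the k-th report arrives, or None if fewer than k came in.

    This is the trigger for a PhishRIP-style pull: the SOC can act on the first report
    or wait for a small quorum to lower the chance of acting on a false positive.
    """
    if k < 1:
        raise ValueError("k must be at least 1")
    ordered = sorted(report_minutes)
    return ordered[k - 1] if len(ordered) >= k else None


# Constructed sample: minutes after delivery at which four users hit the report button.
SAMPLE_REPORT_MINUTES = [3.5, 12.0, 27.0, 55.0]

if __name__ == "__main__":
    low, high = expected_reports(100)
    print(f"100 targeted users -> {low} to {high} reports")
    for m in (5, 30):
        p_low, p_high = soc_warning_window(100, m)
        print(f"P(at least one report within {m} min): {p_low:.2f} to {p_high:.2f}")
    print("first report at minute", minutes_until_k_reports(SAMPLE_REPORT_MINUTES, 1))
    print("third report at minute", minutes_until_k_reports(SAMPLE_REPORT_MINUTES, 3))
```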

Bleepingcomputer commented: "These findings show that utilizing a corporate-wide crowd-sourced phishing detection service [like PhishER] could significantly reduce the threat of phishing attacks. It is also important to note that such a system wouldn't produce a sizable operational workload as a result, so a corporation implementing crowd sourced phishing protection wouldn't incur much additional burden. Also, the researchers concluded that there is no 'reporting fatigue,' suggesting that crowd-sourcing anti-phishing data is feasible."

We like it when scientific studies confirm what we have been saying here for a while...

Blog post with screenshots and link to study:
https://blog.knowbe4.com/eye-opener-new-eu-phishing-study-shows-that-crowd-sourcing-phishing-defense-is-successful
Learn How to Forensically Examine Phishing Emails to Better Protect Your Organization Today

Cyber crime has become an arms race where the cybercriminals constantly evolve their attacks while you, the vigilant defender, must diligently expand your know-how to prevent intrusions into your network.

Staying a step ahead may even involve becoming your own cyber crime investigator, forensically examining actual phishing emails to determine the who, the where, and the how.

In this on-demand webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, shows you how to become a digital private investigator! You’ll learn:
  • How to forensically examine phishing emails and identify other types of social engineering
  • What forensic tools and techniques you can use right now
  • How to investigate rogue smishing, vishing, and social media phishes
  • How to enable your users to spot suspicious emails sent to your organization
Get inside the mind of the hacker, learn their techniques, and how to spot phishing attempts before it’s too late!

Watch the Webinar Now!
https://info.knowbe4.com/phishing-forensics-chn
Answer 4 Simple Questions To Avoid a Social Engineering Attack

By Roger Grimes.

I am usually not a man of a few words. I am the opposite.

I write hundreds of pages a month and talk non-stop in person. But lately, I have been trying to be better at saying more with less. With that in mind, I tried to boil down social engineering attacks in as few words as possible.

Social engineering is a scam that attempts to have a person perform an action which is against their own self-interest. It is a con. Usually, the action is to provide confidential information (e.g., login information) or to execute malicious trojan horse content.

Most social engineering attacks have four common traits which, if present, signal a far higher likelihood of a scam being involved. Asking and answering four questions can help you avoid becoming a victim. If they are present, you should go out of your way to confirm the request using an additional, more trusted method before performing any action.

Here is the flowchart of those questions:
https://blog.knowbe4.com/answer-4-questions-to-avoid-a-social-engineering-attack

Not every message with these four traits is absolutely a social engineering scam. Our email inboxes, voice mail and postal mailboxes are full of unexpected requests. That is life. But when these four traits are present, you need to confirm the request using some other guaranteed-to-be-safe method before performing it. Think before you act.

Share this blog post with your friends:
https://blog.knowbe4.com/answer-4-questions-to-avoid-a-social-engineering-attack
How Vulnerable Is Your Network Against Ransomware And Cryptomining Attacks?

Bad actors are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4’s Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable.

Here's how RanSim works:
  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 23 types of infection scenarios
  • Just download the installer and run it
  • Results in a few minutes
This is complimentary and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!

Get RanSim Now
https://info.knowbe4.com/ransomware-simulator-tool-1chn
2021 Security Hints & Tips for Holiday Travels for Your Users

The holiday season may be closer to "normal" this year, and that means your users will be even more focused on holiday activities - including travel, before the next COVID surge kicks in.

Cybercriminals will undoubtedly be using relevant social engineering tactics to take advantage of people that have been cooped up the last two years. In fact, the FBI recently sent a warning to beware of travel scams during the holidays.

It's more important than ever for you and your users to be vigilant of any potential suspicious activity. This newsletter is a great way to remind your users of best practices this holiday season. Here are the highlights:
  • Secure your devices when they are not in use
  • Use strong passwords
  • Use a VPN when connecting to your organization’s network
  • Beware of public Wi-Fi networks
Click here to download the full newsletter (PDF). This is also available in 10 languages; see the support article for those PDFs. This is great to share with your users:
https://blog.knowbe4.com/2021-security-hints-tips-for-holiday-travels
Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables to name a few...

Email filters have an average 7-10% failure rate: that is how often enterprise email security systems miss spam, phishing and malware attachments.

KnowBe4’s Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:
  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!
Find out now if your mailserver is configured correctly; many are not!
https://info.knowbe4.com/mailserver-security-assessment-CHN
NSA: Cyberattacks Are Putting the “Security of our Nation” at Stake

While most see cyberattacks as something that is impactful at the organizational level, the head of the National Security Agency sees cyberattacks as a threat to the entire nation.

Just as you and I hear so much about cybercriminals attempting attacks on various organizations for the purpose of data theft or ransomware, the U.S. military faces millions of attempts to access its networks by means of vulnerability scans, phishing attacks and more.

In a recent interview with ABC News, Director of the National Security Agency and Commander of U.S. Cyber Command Gen. Paul Nakasone highlighted how recent ransomware attacks have elevated his own opinion of cyber attacks from a “criminal matter” to now being a matter of national security, stating “What's at stake is obviously the security of our nation. We don't want to have a failure to imagine what's happening.”

At the Integrated Cyber Command Center at Fort Meade in Maryland, a mix of military, civilians and contractors work together using “Hunt Forward” teams that are asked to threat hunt on networks globally, sharing threat intel with private sector businesses.

Nakasone also mentioned that six months ago he would have graded the cyber-readiness of American businesses at a "low C," based on their investment in security infrastructure to protect their networks and on educating their users. "I think that we've gotten a lot better since then, but we still have a ways to go."

One of the key areas that businesses can address today is the education of their users through security awareness training, where users can be made a part of your organization’s security stance, standing vigilant against email- and web-based threats that use social engineering to trick victims into engaging with malicious content.

This is obviously getting serious. So, while you’re thinking about the one organization you’re responsible for, realize it’s a much larger problem and your organization is just one point of entry into the larger issue of national security.

Blog post with links:
https://blog.knowbe4.com/nsa-cyberattacks-are-putting-the-security-of-our-nation-at-stake


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Regarding Log4j Vulnerability, KnowBe4 Is Not Affected:
https://blog.knowbe4.com/log4j-vulnerability-knowbe4-not-affected

PPS: The 5 Best Information Security Books of 2021 by Ben Rothke - Dec, 2021:
https://brothke.medium.com/the-5-best-information-security-books-of-2021-b796c189cba5

Quotes of the Week
"A man sees in the world what he carries in his heart."
- Johann Wolfgang von Goethe (1749-1832)


"Whenever anyone has offended me, I try to raise my soul so high that the offense cannot reach it."
- René Descartes - Philosopher (1596 - 1650)



Thanks for reading CyberheistNews

Security News
The Unbearable Lightness of Phishing Pages

Researchers at Kaspersky have found that most phishing pages are active for less than one day, with many of them going offline after just a few hours. Most of these short-lived pages were set up through hosting providers.

“Hosted phishing pages become inactive faster than the others,” the researchers write. “A quarter of the pages survived for no more than 8 hours, and only 12.3% of all pages remained active after 30 days. This has to do with the fact that the cheapest option which requires the least effort is to create a hosted phishing website.

Hosting providers offer a free trial period which is usually enough for cybercriminals’ plans, and once time is up on the free trial they can simply create a new page and abandon the old one.”

The longest-lasting phishing pages, meanwhile, were usually set up on compromised websites that were abandoned or left vulnerable.

“The most ‘resilient’ pages turned out to be ones created before June 2015: 45.7% of these pages remained active after 30 days,” the researchers write. “Most of these are old websites hacked by cybercriminals who put phishing content there.

These pages are likely to remain active for a long time because they’ve been abandoned by their original creators or are located on servers with outdated software which leaves websites more vulnerable to attacks and their consequences.”

Most of the phishing pages contained the same content throughout their life cycles. The researchers note that many of the phishing pages that do change their content are impersonating the PUBG video game, which frequently updates its in-game products.

“Among phishing pages which have changed their content, those that imitated prize giveaways from the game PUBG stand out,” Kaspersky says. “This could have something to do with the fact that PUBG runs alternating temporary events (‘seasons’).

Given that cybercriminals want to make their phishing pages convincing and therefore as topical as possible, they periodically change the content of pages to keep up with the new season.” New-school security awareness training can help your employees to avoid falling for phishing attacks.

Securelist has the story:
https://securelist.com/phishing-page-life-cycle/105171/
Social Engineering Your Way to Customer Data

US telecommunications company Cox Communications has disclosed a data breach that exposed some customers’ information, BleepingComputer reports. The company said in a breach notification letter that an attacker was able to gain access to some customer accounts after impersonating a Cox employee.

“On October 11, 2021, Cox learned that an unknown person(s) had impersonated a Cox agent and gained access to a small number of customer accounts,” reads the data breach notification, signed by Amber Hall, Chief Compliance and Privacy Officer of Cox Communications. “We immediately launched an internal investigation, took steps to secure the affected customer accounts, and notified law enforcement of the incident.

“After further investigation, we discovered that the unknown person(s) may have viewed certain types of information that are maintained in your Cox customer account, including your name, address, telephone number, Cox account number, Cox.net email address, username, PIN code, account security question and answer, and/or the types of services that you receive from Cox.”

Cox urges affected customers to keep an eye on their finances for any suspicious activity. “We assure you that we take this incident very seriously,” the letter continued. “Out of an abundance of caution, we recommend that you review your financial account statements for fraudulent or irregular activity. You should immediately report any unauthorized activity to your financial institution.

“We also recommend that you change the password on any accounts that may use the same password as your Cox account.” BleepingComputer offers the following additional recommendations for Cox customers:
  • Immediately change the password and account security questions/answers on your Cox account
  • Be on the lookout for phishing emails pretending to be from Cox that are designed to steal your login credentials
  • Enable 2-factor authentication for your Cox accounts to make it harder for threat actors to log in to your account
BleepingComputer has the story:
https://www.bleepingcomputer.com/news/security/cox-discloses-data-breach-after-hacker-impersonates-support-agent/
You Can Now Be A Certified Security Awareness and Culture Professional (SACP)™

Your organization's cyber threat landscape is changing lightning fast. So, your security awareness skills need to stay razor sharp, and are increasingly viewed as critical to protect your organization from human error.

You can now be a leader in the security awareness and culture profession. Earn H Layer’s Security Awareness and Culture Professional (SACP)™ credential and demonstrate your competency to design and lead security awareness programs that build a sustained security-awareness culture.

Your Security Awareness and Culture Professional (SACP)™ credential is the only independent, vendor-neutral certification designed specifically for the newest in-demand job roles in security awareness.

Learn more about the SACP Exam. Check out the requirements. Don't wait. Apply today and become one of the first professionals to earn your SACP Certification:
https://www.thehlayer.com/about-exam/
What KnowBe4 Customers Say

"Hi Stu! I have been a customer for years at different companies. I fought like hell to bring you on board here when they hired me to revamp their program. As always you guys have exceeded in expectations and support. From sales to onboarding to support Knowbe4 is top notch."
- H.M. Security Engineer



"Hello Stu, Thank you for following up, how do I say this, I’m an ecstatic happy camper. It’s almost like daily we are working with the tool and discovering better ways to manage aspects of our compliance needs. It’s such a capable platform for governance. Happy Holidays!"
- G.N. Security Architect


The 10 Interesting News Items This Week
    1. Why Classifying Ransomware as a National Security Threat Matters:
      https://www.darkreading.com/dr-tech/why-classifying-ransomware-as-a-national-security-threat-matters

    2. Log4Shell Is Spawning Even Nastier Mutations:
      https://threatpost.com/apache-log4j-log4shell-mutations/176962/

    3. Ukraine arrests 51 for selling data of 300 million people in US, EU:
      https://www.bleepingcomputer.com/news/security/ukraine-arrests-51-for-selling-data-of-300-million-people-in-us-eu/

    4. Homeland Security launches ‘Hack DHS’ bug bounty program:
      https://therecord.media/homeland-security-launches-hack-dhs-bug-bounty-program/

    5. ALPHV BlackCat, this year's most sophisticated ransomware:
      https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/

    6. Google Warns That NSO Hacking Rivals Elite Nation-State Spies:
      https://www.wired.com/story/nso-group-forcedentry-pegasus-spyware-analysis/

    7. The FBI believes the HelloKitty ransomware gang operates out of Ukraine:
      https://therecord.media/the-fbi-believes-the-hellokitty-ransomware-gang-operates-out-of-ukraine/

    8. Fear Fatigue Exploits Cybersecurity of Remote Employees:
      https://cisomag.eccouncil.org/fear-fatigue-exploits-cybersecurity-of-remote-employees/

    9. Virginia's Legislative Branch Hit With Ransomware Attack:
      https://www.bankinfosecurity.com/virginias-legislative-branch-hit-ransomware-attack-a-18125

    10. Chinese Spies Accused of Using Huawei in Secret Australia Telecom Hack:
      https://www.bloomberg.com/news/articles/2021-12-16/chinese-spies-accused-of-using-huawei-in-secret-australian-telecom-hack
Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.