CyberheistNews Vol 11 #51 [Heads Up] Phishing Attacks Remain the Top Type of Cybersecurity Breach This Year

Over half of organizations say they’ve experienced a cybersecurity breach caused by phishing in the last 12 months, dwarfing the second-place breach cause (malware) by almost 30%.

The latest data from Dark Reading’s annual Strategic Security Survey shows phishing continues to be an organization’s biggest problem. With 53% of organizations citing phishing as being the cause of a security breach (up from 51% in 2020), organizations are keenly aware of the problem that exists when mixing users, social engineering, and phishing emails.

According to the survey:
  • 58% say users being socially engineered via phishing or other scams is the most significant endpoint security concern
  • 48% of respondents say that if their organization experiences a major data breach in the next 12 months, the most likely cause will be a negligent end user
So, users are definitely the weak link in the security chain in most orgs. And this requires some shoring up of security efforts around users, including security awareness training to turn the user from a security liability to an asset who aids in protecting the organization.

According to the survey, of those organizations that experienced a cybersecurity breach in the last 12 months, 23% reported network disruptions and application unavailability, 17% say they experienced a major financial loss, and 15% reported fraud.

Phishing your users continues to be an effective initial attack vector. Given the damage a successful attack can do, it’s imperative to strengthen every part of your security posture – including that end user.

Blog post with links:
https://blog.knowbe4.com/phishing-remains-top-form-of-cybersecurity-breach-in-2021

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, January 12 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 12 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3560091/87FBA987BED82A74696798BA0DC1B7DA?partnerref=CHN

New Office 365 “Spam Notification” Phishing Emails Seek to Capture Credentials

A new campaign spotted in the wild uses a tried-and-true method of convincing victims to provide their Office 365 logon credentials to be used in future attacks.

Security researchers at MailGuard have identified a new realistic-looking campaign that notifies users of “spam” messages with subject lines made to look important. This technique is designed to mimic Microsoft’s own security safeguards and could confuse would-be victims into retrieving the nonexistent email message.

Brilliant Small Nuance

The phishing notification is rather convincing and impersonates Microsoft rather well. One small note about the campaign that I find particularly brilliant is the fact that the page users are taken to in order to provide their Office 365 credentials states “Session Expired”. It’s a small nuance that establishes why the user must enter their credentials.

Most attacks like this simply ask for credentials with no explanation as to why users aren’t taken directly to the email in question (as would be expected).

Microsoft has been the primary impersonated brand by phishing attacks for many quarters, being leveraged in nearly one-third (29%) of phishing attacks using brand impersonation – something I suspect will continue for the foreseeable future, given Microsoft’s hold on the digital workspace market.

Organizations utilizing Microsoft’s Office 365 services should educate users about such campaigns using security awareness training to minimize the risk of a successful attack.

Blog post with example screenshot and links:
https://blog.knowbe4.com/office-365-spam-notification-phishing-emails-seek-to-capture-credentials

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, January 12 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: Wednesday, January 12 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3560080/6360C52CF28AFC2699444EBD6B0F8408?partnerref=CHN

[A New Low] Recent Nigerian Phishing Scams Target U.S. Military Families With Needed “Services”

With loved ones potentially a half a world away, scammers prey on families with scams that offer to assist with communication, care packages, leave, and more.

We all know military families sacrifice a lot so their loved ones can serve literally anywhere on the globe. It’s also well-known that military folks aren’t exactly making CEO-level compensation either. So, it’s pretty disgusting to hear that scammers are targeting these folks to separate them from their hard-earned money.

According to new details from security vendor Lookout, a wave of new scams leveraging more than 50 very realistic websites is focused on tricking military families into paying for services that will never be provided.

The services being offered include:
  • Communication Permits
  • Application for Leave
  • Care Packages
  • Compensation Fund Applications (for those that have lost someone in the line of duty)
  • Deployment Declination
  • Marriage
  • Housing Options
  • Resignation
Victims are asked in many cases to pay exorbitant prices for these services - well beyond anything reasonable in the real world. This is beyond low. A list of the fake domains is provided by Lookout for reference.

Blog post with links:
https://blog.knowbe4.com/new-nigerian-phishing-scams-target-u.s.-military-families-with-needed-services

Are Your Users' Passwords... P@ssw0rd?

Are your users' passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords.

Employees are the weakest link in your network security, using weak passwords and falling for phishing and social engineering attacks.

KnowBe4's complimentary Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action.

This will take you 5 minutes and may give you some insights you never expected! Find your weak passwords:
https://info.knowbe4.com/weak-password-test-chn


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: The Top 22 Security Predictions for 2022:
https://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-top-22-security-predictions-for-2022

PPS: With KnowBe4’s Updated Phish Alert Button, You Can Now Collect Feedback from Your Users When They Report Suspicious Emails:
https://blog.knowbe4.com/knowbe4-phish-alert-button-collect-feedback-from-users

Quotes of the Week
"The less effort, the faster and more powerful you will be."
- Bruce Lee - Martial Artist (1940 - 1973)


"Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety."
- Benjamin Franklin - Founding Father, author, printer, political theorist, postmaster, scientist, inventor, civic activist, statesman, diplomat (1706 - 1790)



Thanks for reading CyberheistNews

Security News
Phishing Campaign Impersonates Pfizer With High and Low Tech

A phishing campaign is impersonating Pfizer with phony request-for-quotation (RFQ) emails, according to Roger Kay at INKY. The email lures had fairly convincing PDF attachments that didn’t contain any malicious links or malware, and instead prompted the user to reach out to the scammer for more details.

“They both claimed that Pfizer was requesting quotes for various industrial engineering supplies, and both had PDF attachments that impersonated Pfizer,” Kay says. “The PDF was three pages long and had a few inconsistencies (e.g., different due dates on different pages), but, in general, looked pretty good.

The discussion of payment methods and terms set the recipient up for the idea that they would have to share banking details at some point.”

Kay notes that the attackers used several measures to help the emails bypass security filters. “In this particular attack combination, the black hats used both high and low tech to evade anti-phishing radar,” Kay writes. “The high tech involved newly created and freeware domains, set up to send phishing emails that would not trigger rudimentary email defenses (i.e., DMARC analysis of DKIM and SPF records).

The low tech was a simple PDF attachment with no poison links or malware in either the attachment or the email itself. These elements were designed expressly to not trigger anti-phishing analysis.”

Kay concludes that users should be suspicious of unsolicited emails like this, especially if they appear to come from major companies.

“Recipients should be aware that large enterprises like Pfizer do not typically send out cold emails to solicit bids for projects,” Kay says. “If a recipient is in a sales department and does business with Pfizer (or, in a similar situation, any other company), they should get in touch with their contact directly by telephone or an initiated email to determine whether the RFQ is legitimate.

It is also highly unlikely that a Pfizer employee would use a freemail account for official business.” New-school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing emails that slip past your technical defenses.

Blog post with links:
https://blog.knowbe4.com/phishing-campaign-impersonates-pfizer
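The evasion Kay describes works because a scammer who registers a fresh domain (or uses a freemail account) controls its SPF and DKIM, so DMARC legitimately passes. The triage rule below, an added example rather than INKY's or KnowBe4's code, shows the check a mail filter or analyst can layer on top of that pass: does the sender domain actually belong to the brand the message claims? The allowlist, the freemail set and both sample messages are constructed for the example.

```python
"""Added example (not INKY's or KnowBe4's code): header triage that does not
stop at a DMARC pass. A freshly registered or freemail sender domain can pass
SPF/DKIM/DMARC because the scammer controls it; the tell is who owns it."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Domains the brand really mails from (constructed allowlist; extend per partner).
KNOWN_BRAND_DOMAINS = {"pfizer": {"pfizer.com"}}

def sender_domain(msg: Message) -> str:
    """Domain part of the From address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_passed(msg: Message) -> bool:
    """True when any Authentication-Results header records dmarc=pass."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results) is not None

def brands_claimed(msg: Message) -> set:
    """Known brand names that appear in the display name or subject."""
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    return {b for b in KNOWN_BRAND_DOMAINS if b in text}

def triage(raw: str) -> list:
    """Reasons an unsolicited RFQ-style mail deserves a second look."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    reasons = []
    if domain in FREEMAIL:
        reasons.append(f"freemail sender domain {domain}")
    for brand in brands_claimed(msg):
        if domain not in KNOWN_BRAND_DOMAINS[brand]:
            reasons.append(f"claims to be {brand} but sent from {domain}")
    if reasons and dmarc_passed(msg):
        reasons.append("DMARC pass only shows the sender controls that domain")
    return reasons

# Constructed sample headers modelled on the lure described above.
SAMPLE_LURE = """\
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass header.from=pfizer-rfq-example.net
From: "Pfizer Procurement" <quotes@pfizer-rfq-example.net>
Subject: Pfizer RFQ for industrial engineering supplies

"""
SAMPLE_EXPECTED = """\
Authentication-Results: mx.example.net; dmarc=pass header.from=pfizer.com
From: buyer@pfizer.com
Subject: Follow-up on our RFQ

"""
if __name__ == "__main__":
    print(triage(SAMPLE_LURE))      # two reasons
    print(triage(SAMPLE_EXPECTED))  # []
```

Run against real mail, the same rule flags the freemail case Kay mentions even when no brand is named, because the freemail check does not depend on the allowlist.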

Customized Links in SMS Scam Campaign Bring in $80 Million a Month

Researchers at Group-IB warn that phishing campaigns are using targeted links tailored to each victim. Group-IB first observed this technique being used in a scam that offers users free prizes if they take a survey, but the researchers note that these targeted links have been used to impersonate more than 120 brands.

The researchers estimate that victims are losing up to $80 million per month to these scams. “The mass SMS sending, and the waves of messages in messengers and emails were replaced by the so-called personal approach,” the researchers write.

“Now, threat actors generate a unique targeted link customized for their victim, which utilizes the potential victim's unique parameters (country, time zone, language, IP, browser, etc.) to display the relevant content on the scam page.

The targeted link most frequently leads to the website with the notorious surveys, which, however, now are tailored for the user. Even if a user suspects anything wrong in time, the targeted link cannot be blocked, as it's customized.

Scammers create a targeted link customized for a specific user so that it doesn't display any content to those who attempt to follow it without specific cookies. But first things first, let's check how the fraudulent scheme works, what risks it entails and how one can protect against it.”

The researchers explain that the attackers have used a variety of technical measures to ensure that their links avoid suspicion. “The analysis showed that the scammers used all the available tools to distribute the malicious link: contextual advertising, advertising on legal and completely illegal sites, SMS, mailouts, and buying domains that sound like the original ones,” Group-IB says.

“Adding links to the calendar and posts on social networks, which were trendy at that time, were less common. The mailouts and SMS almost always contained a short link, which had information about a customer motivation program, where the user could win an expensive device.”

The attackers also relied on “traffic cloaking,” which helps hide malicious content from untargeted devices. “Next, the scammers resorted to the so-called traffic cloaking,” Group-IB says. “This is a popular way of distributing traffic, where one user sees legitimate content and the other semi-legitimate or illegal content depending on the redirection conditions (IP, language, device).

Legitimate content is completely unremarkable and does not pose any threat. It does not raise any questions from advertisers or providers. Semi-legitimate and illegal content, on the other hand, violates advertising distribution rules and poses a great threat to users, especially the inattentive ones.”
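The cloaking Group-IB describes, where a targeted link returns harmless content unless the visitor carries the expected cookie and device fingerprint, is exactly what a URL sandbox can turn against the scammer: fetch the same link under several client profiles and flag the link when the responses diverge. The detector below is an added example, not Group-IB's tooling; the two simulated sites, the client profiles and the cookie name `tl` are constructed stand-ins for what a sandbox would fetch over the network.

```python
"""Added example (not Group-IB's code): detect cloaking by fetching the same
link under several client profiles and comparing what comes back."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import combinations
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Profile:
    """Client attributes a cloaking gate keys on (see the article)."""
    country: str
    language: str
    device: str
    cookies: Tuple[Tuple[str, str], ...] = ()

# Profiles a URL sandbox could rotate through (constructed values). The last
# one replays the cookie a targeted link would have set on the victim.
PROFILES = [
    Profile("US", "en-US", "desktop"),
    Profile("DE", "de-DE", "mobile"),
    Profile("US", "en-US", "mobile", (("tl", "victim-token"),)),
]

def simulated_cloaked_site(p: Profile) -> str:
    """Constructed stand-in for the behaviour described above: only a client
    carrying the targeted-link cookie on a mobile device sees the scam page."""
    if ("tl", "victim-token") in p.cookies and p.device == "mobile":
        return "<h1>Congratulations! Complete the survey to claim your prize</h1>"
    return "<h1>Welcome to our store</h1><p>Opening hours 9-5.</p>"

def simulated_plain_site(p: Profile) -> str:
    """Constructed honest site: same page for everyone, greeting localised."""
    greet = "Willkommen" if p.language.startswith("de") else "Welcome"
    return f"<h1>{greet}</h1><p>Opening hours 9-5.</p>"

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()

def detect_cloaking(fetch: Callable[[Profile], str],
                    profiles: List[Profile] = PROFILES,
                    threshold: float = 0.6) -> Dict:
    """Fetch under every profile; report pairs whose responses differ more than
    `threshold` allows. Localised wording stays above it, a swapped page body
    does not, so legitimate geo-localisation is not flagged as cloaking."""
    pages = {p: fetch(p) for p in profiles}
    divergent = []
    for a, b in combinations(profiles, 2):
        score = similarity(pages[a], pages[b])
        if score < threshold:
            divergent.append((a, b, round(score, 2)))
    return {"cloaked": bool(divergent), "divergent_pairs": divergent}

if __name__ == "__main__":
    print(detect_cloaking(simulated_cloaked_site)["cloaked"])  # True
    print(detect_cloaking(simulated_plain_site)["cloaked"])    # False
```

The divergent pairs name which profile received the odd page out, which is the fingerprint (cookie, device, locale) the gate keys on and therefore what a blocklist or detonation rule should replay.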

You Can Now Be a Certified Security Awareness and Culture Professional (SACP)™

Your organization's cyber threat landscape is changing lightning fast. So, your security awareness skills need to stay razor sharp, and are increasingly viewed as critical to protect your organization from human error.

You can now be a leader in the security awareness and culture profession. Earn H Layer’s Security Awareness and Culture Professional (SACP)™ credential and demonstrate your competency to design and lead security awareness programs that build a sustained security-awareness culture.

Your Security Awareness and Culture Professional (SACP)™ credential is the only independent, vendor-neutral certification designed specifically for the newest in-demand job roles in security awareness.

Learn more about the SACP Exam. Check out the requirements. Don't wait. Apply today and become one of the first professionals to earn your SACP Certification:
https://www.thehlayer.com/about-exam/

What KnowBe4 Customers Say

"Good afternoon Mr. Sjouwerman; I would like to take a moment and thank you for employing such considerate and knowledgeable employees such as Alicia. We have been using KnowBe4 services for many years now and we would like to pass on our satisfaction to you. Working with Alicia has been, and continues to be a pleasure. Thank you for the great service, and please stay safe during the holidays."
- S.M., IT Support Manager



"I am a current customer. We are currently at our 6-month review, and I thought it would be appropriate to let you know how it is going from a customer perspective. As Michael knows I can make a short story long, so I’ll attempt to summarize and just say Michael and by extension Knowbe4 has been knocking it out of the park for us.

In our last meeting I said I feel like I produce one off or abnormal requests and Michael seemingly already has the answers. I can say that I will absolutely be recommending a renewal with Knowbe4 to my manager at the end of our contract based on this experience and hope to retain Michael as our account manager for the foreseeable future.

You have certainly won over a long-time skeptical security engineer and enabled my company to make smarter security decisions. Thank you for your time and have a happy holiday ahead."
- S.W., Principal Security Engineer


The 10 Interesting News Items This Week
    1. Four Out of Five Organizations Are Increasing Cybersecurity Budgets for 2022:
      https://www.darkreading.com/operations/four-out-of-five-organizations-are-increasing-cybersecurity-budgets-for-2022

    2. Top 10 cyber security stories of 2021:
      https://www.computerweekly.com/news/252510738/Top-10-cyber-security-stories-of-2021/

    3. Ransomware Study: Two Thirds of Security Professionals Believe Ransomware and Terrorism Threats Are Equal:
      https://aithority.com/security/ransomware-study-two-thirds-of-security-professionals-believe-ransomware-and-terrorism-threats-are-equal/

    4. When a deepfake “empire” continues to grow:
      https://blog.malwarebytes.com/privacy-2/2021/12/when-a-deepfake-empire-continues-to-grow/

    5. A Growing Army of Hackers Helps Keep Kim Jong Un in Power:
      https://www.bloomberg.com/news/articles/2021-12-21/north-korean-army-of-cybercriminals-props-up-kim-s-nuclear-program-and-economy

    6. Insider Threats: Protecting from Within:
      https://www.infosecurity-magazine.com/opinions/insider-threats-protecting-within/

    7. Cybersecurity company identifies months-long attack on US federal commission:
      https://www.zdnet.com/article/cybersecurity-company-identifies-months-long-attack-on-us-federal-commission/

    8. Russian Hacker Extradited to US for Trading on Stolen Information:
      https://www.securityweek.com/russian-hacker-extradited-us-trading-stolen-information

    9. Mitigating Log4Shell and Other Log4j-Related Vulnerabilities:
      https://www.cisa.gov/uscert/ncas/alerts/aa21-356a/

    10. Having an Efficient Security Awareness Training Program:
      https://blog.knowbe4.com/having-an-efficient-security-awareness-training-program

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2021 KnowBe4, Inc. All rights reserved.