CyberheistNews Vol 12 #01 [Heads Up] New Omicron-Themed Phishing Attack is Now Running Rampant


A mean-spirited phishing campaign is mocking victims after infecting their devices with Dridex malware, according to Lawrence Abrams at BleepingComputer.

“Over the past few weeks, one of the Dridex phishing email distributors is having fun toying with victims and researchers,” Abrams writes. “This was first seen when the threat actor began trolling security researchers by using their names combined with racist comments as malware file names and email addresses.

Earlier this week, the threat actor spammed fake employee termination letters that displayed an alert stating, ‘Merry X-Mas Dear Employees!,’ after infecting their device. In a new phishing campaign discovered by MalwareHunterTeam and 604Kuzushi, this same threat actor took it to the next level by spamming emails with a subject of ‘COVID-19 testing result’ that states the recipient was exposed to a coworker who tested positive to the Omicron COVID-19 variant.”

If the victim opens the Excel document and enables macros, their device will be infected with the Dridex banking Trojan. In a poor attempt at humor, the document will then display a popup showing the COVID-19 Funeral Assistance Helpline number.

“With the COVID-19 variant being highly contagious and rapidly spreading worldwide, phishing emails about the Omicron variant are becoming popular and are likely highly effective in distributing malware,” Abrams writes. “This is especially true if the phishing campaign pretends to be from a company's human resources department and targets employees from the same company.”

And the criminals can be as dumb as they are dishonest and mean-spirited. This particular campaign can stand in as exhibit A. New-school security awareness training with simulated phishing attacks enables your employees to make smarter security decisions.

Blog post with links and screenshots:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, January 12 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at new features and see how easy it is to train and phish your users.
  • NEW! AI-Driven phishing and training recommendations based on your users' phishing and training history
  • NEW! Brandable Content feature gives you the option to add branded custom content to select training modules
  • NEW! Security Awareness Proficiency Assessment Benchmarks let you compare your organization’s proficiency scores with other companies in your industry
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 12 @ 2:00 PM (ET)

West Virginia Healthcare Breach Traced to Phishing

Monongalia Health System in West Virginia has disclosed a data breach that exposed sensitive patient and employee information.

“Monongalia Health System, Inc., and its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company (collectively, ‘Mon Health’), announced that it recently investigated and addressed an email phishing incident, and is now notifying individuals, including patients, providers, employees, and contractors, whose information may have been involved,” the company said in a press release.

The organization says an attacker gained access to internal email accounts, apparently with the intention of conducting business email compromise (BEC) attacks. “On October 29, 2021, Mon Health concluded its investigation of an email phishing incident which may have resulted in unauthorized access to emails and attachments in several Mon Health email accounts,” the company stated.

“Mon Health cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident,” the company says.

Don't let this happen to you. It's a huge PITA and super expensive.

Blog post with links:

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, January 12 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: Wednesday, January 12 @ 1:00 PM (ET)

5 Notable Obscure Phishing Scams

By Roger Grimes.

"I love that KnowBe4’s customers are among the most knowledgeable and educated people in the world in avoiding phishing scams. KnowBe4’s products help its customers to educate and test which scams a worker will easily recognize and which ones they need more education on. KnowBe4’s product helps administrators figure out exactly who needs more education and on what topics.

We know that customers who frequently educate and test their co-workers reduce cybersecurity risk lower than those that do not. As recently covered here, the best security awareness training programs educate people in the most common social engineering attacks first and best. You should make sure your security awareness training program focuses on the most likely attacks.

At the same time, it can’t hurt to sprinkle in the less common types of social engineering attacks so that people get introduced to a wide range of methods and tricks. With that thinking, here are five interesting, but more obscure, phishing scams." The blog post has examples, screenshots and links:
  • Browser Notifications
  • NFT Scam
  • Spellcaster Scam (yes)
  • Fake CNN Video
  • PayPal Family and Friends
The blog post also has a super simple graphic you can use to send to your users, with a bare bones algo they can use to determine if something is phishy:

Do Users Put Your Organization At Risk With Browser-Saved Passwords?

Cybercriminals are always looking for easy ways to hack into your network and steal your users’ credentials.

Verizon's Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, password dumpers take the top malware spot, making it easy for cybercriminals to find and “dump” any passwords your users save in web browsers.

Find out now if browser-saved passwords are putting your organization at risk.

KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused, and old passwords your users save in Chrome, Firefox and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:
  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts
Get your results in a few minutes. They might make you feel like the first drop on a roller coaster!

[Eye Opener] New Phishing Research Shows 37% of Sites Had More Than a Day Downtime

More than half (55%) of phishing attacks target IT departments, according to new research commissioned by OpenText. Additionally, nearly half of survey respondents said they had fallen for a malware phishing attack.

“The most common form is a standard untargeted mass phishing attack,” the researchers write. “Nearly one in five of the respondents to the IDG survey said they either were definitely targeted by such an attack (37%) or suspect they were (42%).

Next most common is a malware attack, where the user gets an email with an attachment — usually a Microsoft Office document — that launches malware if clicked on. Among the respondents, 44% confirmed they were the victim of such an attack and 23% suspect so.”

Many respondents also said that malware phishing attacks are very hard to identify. “Malware attacks joined search engine phishing and clone phishing as the most difficult types of attacks to recognize and avoid, all cited by around one-third of the respondents,” the researchers write.

“Search engine phishing involves fake websites that show up in search engine results, including in paid ads. Often posing as some type of financial institution, the sites then entice users to enter personal information, including banking credentials.”

The report found that the consequences of phishing attacks include data breaches, lost revenue, downtime, legal troubles, and reputational damage.

“More than a third (37%) cited exposure of sensitive data, and 32% said they’ve suffered lost productivity,” the researchers write. “One in five had suffered a loss of revenue from phishing, and nearly as many (19%) had had to pay legal or regulatory fines.

Perhaps worse, more than one-third (37%) reported that their organization had suffered downtime lasting longer than a day as a result of phishing attacks. Larger organizations (500 to 999 employees) were far more likely to report such downtime, at 44%, versus 14% for small companies (25 to 100 employees).

Larger organizations are also more likely to report negative consequences from phishing, especially exposure of sensitive data: nearly half (49%) of all the respondents from large companies, versus 35% for medium (100 to 499 employees) and 16% for small companies.”

This is actually great budget ammo. Here is the blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Five Cognitive Biases That Can Threaten Your #Cybersecurity Efforts via @forbes:

PPS: 2022 Resolution: "I'll Be A Certified Security Awareness and Culture Professional (SACP)™":

Quotes of the Week
"The future belongs to those who believe in the beauty of their dreams."
- Eleanor Roosevelt (1884 - 1962)

"Only those who will risk going too far can possibly find out how far one can go."
- T.S. Eliot (1888 - 1965)

Thanks for reading CyberheistNews

Security News
Amazon Token Crypto 'Presale' Scam Takes Advantage of News Hype and Steals Your Real Cryptocurrency

The growing interest in new cryptocurrencies and the potential to get in early on Amazon’s supposedly forthcoming crypto has scammers taking victims for thousands of dollars.

Investing in cryptocurrency is seen by some as a legitimate means to make money on gains, as well as other crypto-financial vehicles that include staking, pooling and farming. So, it makes sense that scammers are looking for ways to rob their victims of cryptocurrency rather than risk breaking into bank accounts, using stolen credit card details, etc.

In a new crypto token scam documented by security researchers at Avast, scammers are posting ads looking like they are from legitimate news sources on the web informing the reader of a “presale” of the Amazon token “$AMZ”.

The websites used look clean and professional and don’t hint much at all that they aren’t Amazon’s. With pages that promote Prime membership benefits, a roadmap for the token, and a clear call to action to “Buy Token” (note: one of the red flags!), this scam gets “buyers” to cough up any of a number of accepted cryptocurrencies as payment.

Blog post with example screenshots:

Hacking Humans Podcast: "Keep A Constant Eye Out for Charity Scams"

People need to be cautious and do their research before donating to a charity, according to Amaya Hadnagy from Social-Engineer, LLC. On the CyberWire’s Hacking Humans podcast, Hadnagy explained that there are some warning signs to be aware of when evaluating a charity.

“So, a red flag – this one is a little hard because a lot of charities nowadays are still pretty adamant about pressuring you to donate – but a red flag is pressuring to donate immediately,” Hadnagy said. “And if they give you a sense of urgency – like, we need to get your money as fast as possible; we need your money now – that's a red flag because a legitimate charity is not going to pressure you that much and should just welcome however much you're willing to give.

Another one is only accepting payment by gift cards, cash, wire transfer. These are not legitimate ways to pay for any donations for a legitimate charity. Even if it's not like a charity, most scammers will try to get money through gift cards or wire transfer because it can be really difficult or even impossible to trace back to them.

And it's just - if you really think about it, no legitimate charity is going to be asking for gift cards.” Hadnagy pointed out that many social engineering tactics exploit emotions, and this is particularly true for charity scams.

“You think that sometimes charities are the one thing you can trust, but that's definitely not it,” Hadnagy says. “Always check your sources for anything. Do your own research. You know, empathy, just emotions in general can really move people to act without fully thinking through, even if those emotions weren't there in the first place.

So always make sure that even if you feel emotionally moved by a cause that you actually check your sources and do your research because that can lead to sending money to something that is not true at all, which can really be more harmful than we realize.”

The CyberWire has the story:

What KnowBe4 Customers Say

"I wanted to share with you my company’s experience with KnowBe4 Channel management and account management till now. I am amazed by the overall experience, with the professional channel management approach, orchestrating Customer success, account management and sales engineering.

I have been working 11 years as country manager at our company and today we are operating with major other vendors and never have I seen such an engagement and commitment.

I must express the professional approach also by Vincent, the account manager, that amazed my sales team, with a blast of info, and case studies, and demonstrated a full-blown strong knowledge with KnowBe4 advantages, and unique selling point.

If this was our experience in the last months, we are more than waiting for 2022!

From our side, I appreciate the hard dedication of our Operations manager IrinaR the one responsible for all KnowBe4 engagement in our company. Thank you Paula, Vincent and the team behind you. And Happy New Year!"
- F.B., CEO

The 10 Interesting News Items This Week
    1. How AI-powered fraud and aggressive ransomware could dominate 2022
    2. Silent danger: One in five aged domains is malicious, risky, or unsafe
    3. UK: Protect Your Organization by Cultivating a Culture of Cybersecurity Awareness
    4. LastPass users warned their master passwords are potentially compromised
    5. New Flagpro malware linked to Chinese state-backed hackers
    6. RedLine malware shows why passwords shouldn't be saved in browsers
    7. Cryptomining Malware Found In Spider-Man: No Way Home Torrents
    8. Biden Signs NDAA Relying on Voluntary Private-Sector Cybersecurity Collaboration
    9. 2022: like 2021 but more so, quicker and with greater sophistication on all sides
    10. 2021 Social Engineering Attacks: A Look Back
Copyright © 2014-2022 KnowBe4, Inc. All rights reserved.