CyberheistNews Vol 12 #13 | Mar. 29th, 2022
The video uploaded to a hacked Ukrainian news website shows how far the technology has come, how it can be used in social engineering, and how the tech still needs to improve.
While much of the headlines today around the Russian invasion of Ukraine focus on the war on the ground and in the air, a cyberwar is being waged behind the scenes. It began with wiper ransomware attacks on Ukrainian businesses and government agencies and has culminated so far with a newly released deepfake video of Ukrainian president Zelenskyy asking his troops to lay down their weapons and surrender.
At face value, the deepfake looks pretty good, but if one is paying attention, it becomes obvious this isn't the real president and the video can be seen for what it truly is. The use of cyber attacks – whether based on malware, social engineering, or both – is the new front line of modern warfare.
Recently, the White House even put out a statement about how both government and private sector businesses should harden their cyber defenses immediately in light of possible cyber attacks from Russia. See the 10 Interesting News Items This Week section below.
And because the modern war is online, no business within a targeted country is safe – that's not FUD; that’s fact. We’ve historically seen cyber attacks executed in random sprays using millions of email addresses, precision-targeted attacks on specific people within one organization, and everything in between.
The deepfake video also shows how cyber attackers will use the most credible and effective means to get targeted victims of an attack to take the desired action – whether it's laying down a weapon, clicking a link, or opening an attachment; each one can have devastating results in its own right.
Blog post with links:
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, April 6 @ 2:00 PM (ET) for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at TWO NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Security Culture Benchmarking feature lets you compare your organization’s security culture with your peers
- NEW! AI-Driven training recommendations for your end-users
- Brandable Content feature gives you the option to add branded custom content to select training modules
- Did You Know? You can upload your own SCORM training modules into your account for homeworkers
- Active Directory Integration to easily upload user data, eliminating the need to manage user changes manually
Find out how 40,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: Wednesday, April 6 @ 2:00 PM (ET)
Save My Spot!
Researchers at Avanan warn that attackers are using reCAPTCHAs on their phishing sites to avoid detection by security scanners.
"One of the main tasks of reCAPTCHA challenges – those annoying image games you have to play before proceeding to a site – is to make content inaccessible to crawlers and scanners that do not pass the verification process; therefore, the malicious nature of the target websites will not be apparent until the CAPTCHA challenge is solved," the researchers write.
"Further, because the content of this attachment is a seemingly harmless reCAPTCHA, and the mail client will not be able to solve the CAPTCHA, the email client will have no way of determining the safety of the actual attachment’s content. Adding to the challenge for scanners is that the email is being sent from a legitimate domain, in this case, a compromised university site."
Avanan explains that reCAPTCHAs also add legitimacy to the sites from a user’s point of view, since many legitimate sites use this feature.
"To the end-user, this doesn't seem like phishing but more like a nuisance," the researchers write. "Given how often the average user fills out a CAPTCHA challenge, it's not out of the ordinary. Neither are password-protected PDF documents. Plus, the PDF is hosted on a convincingly-spoofed OneDrive page, adding another veneer of legitimacy. By providing end-users with innocent enough content, and scanners with enough to be fooled, this is an effective attack for hackers to pull off."
The phishing links are distributed in emails that purport to contain a faxed document. Avanan offers the following advice for organizations to defend against these attacks:
- Encourage end-users to check URLs before filling out CAPTCHA forms.
- Ask recipients if the PDF should have been password protected.
- With a faxed document, ask the sender if they were in the office or working from home. If working from home, the odds are that they did not fax it.
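The evasion Avanan describes turns the CAPTCHA itself into a signal: a "faxed document" attachment has no legitimate reason to embed a reCAPTCHA widget, and a form inside it that posts to a host other than the sender's domain is a credential-collection pattern. The following triage check is an added example, not Avanan's or KnowBe4's code; it assumes the attachment is already decoded to HTML text and the envelope sender's domain is known, and the two sample attachments are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers that a reCAPTCHA widget has been embedded in the attachment.
RECAPTCHA_MARKERS = ("google.com/recaptcha", "g-recaptcha", "data-sitekey")


class _FormAndScriptCollector(HTMLParser):
    """Collect form actions, script sources and reCAPTCHA divs."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs, self.recaptcha_div = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "div" and ("g-recaptcha" in (a.get("class") or "") or "data-sitekey" in a):
            self.recaptcha_div = True


def _same_org(host: str, sender_domain: str) -> bool:
    return host == sender_domain or host.endswith("." + sender_domain)


def triage_html_attachment(html: str, sender_domain: str) -> dict:
    """Flag an HTML attachment that gates content behind a CAPTCHA and
    posts a form to a host outside the sender's domain."""
    p = _FormAndScriptCollector()
    p.feed(html)
    captcha_gated = p.recaptcha_div or any(
        m in src for src in p.script_srcs for m in RECAPTCHA_MARKERS)
    hosts = {urlparse(u).hostname for u in p.form_actions} - {None}
    off_domain = sorted(h for h in hosts if not _same_org(h, sender_domain))
    return {"captcha_gated": captcha_gated,
            "posts_off_domain": off_domain,
            "suspicious": captcha_gated and bool(off_domain)}


# Constructed sample: a fax lure with a reCAPTCHA and a password form posting elsewhere.
SAMPLE_LURE = """<html><body><p>You have a new fax. Verify to view.</p>
<script src="https://www.google.com/recaptcha/api.js"></script>
<form action="https://collector.example.net/verify" method="post">
<div class="g-recaptcha" data-sitekey="PLACEHOLDER"></div>
<input name="password" type="password"></form></body></html>"""

# Constructed sample: a plain notice whose form stays on the sender's own domain.
SAMPLE_BENIGN = """<html><body><p>Fax attached.</p>
<form action="https://portal.university.example/fax"><input name="id"></form></body></html>"""
```
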
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us Wednesday, April 6 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!
- NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
- Vet, manage and monitor your third-party vendors' security risk requirements
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
- Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: Wednesday, April 6 @ 1:00 PM (ET)
Save My Spot!
New data from the Anti-Phishing Working Group shows cybercriminals are stepping on the gas, focusing phishing attacks on credential theft and response-based scams.
Last quarter was a busy time for cybercriminals, according to APWG's Q4 2021 Phishing Activity Trends Report. In total, nearly 900,000 phishing attacks took place – a 23% increase over Q3 2021 and over three times that of Q1 2020. Last December saw the highest number of attacks ever recorded at just under 317,000.
According to the report, cybercriminals are shifting to more social engineering-based attacks over malware-based:
- 8% of attacks were focused on stealing credentials
- 6% of attacks were BEC attacks, gift card scams, and other response-based scams
- Only 9.6% of attacks involved the delivery of malware
The most targeted industries continue to be SaaS, Financial, eCommerce/Retail, Social Media, and Payments.
It also appears that ransomware attacks are getting more effective (which may be a result of the focus on stolen credentials), as the number of companies falling victim to these attacks rose 36% in Q4 alone and was the highest number of successful attacks in the last two years.
Phishing is not just remaining a problem for organizations today; it's an ever-growing concern that every business should treat as a primary source of risk. Security solutions provide solid coverage for most phishing attacks, but for the small percentage of attacks that make it to the inbox, it's only security awareness training that will make the difference between a protected organization and an enabled attack.
Blog post with links:
The average compliance document is dozens to hundreds of pages long and includes numerous controls. And you're expected to meet all those controls to regulatory satisfaction. The problem with that is most organizations are forced to do "checklist security" with very little consideration given to actually improving their security stance.
Your mission, should you choose to accept it (i.e. Mission Possible), is to determine how to turn compliance into meaningful risk reduction. And luckily, Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, 30-year security veteran, and former auditor is here to help!
In this on-demand webinar, Roger will help you develop a plan to prioritize these controls so you turn compliance requirements into tangible security improvements.
In this session, you will learn:
- Why compliance and security goals conflict rather than complement each other
- How to ensure compliance improves your security posture
- How to create a data-driven compliance management plan
Gain the insight you need to turn compliance into a security asset.
Watch the Webinar Now!
Let's stay safe out there.
Stu Sjouwerman, SACP
Founder and CEO
PS: New numbers from the FBI: Ransomware hit 649(!) critical infrastructure orgs in 2021:
- Albert Einstein
"The day the power of love overrules the love of power, the world will know peace."
- Mahatma Gandhi
Thanks for reading CyberheistNews
You can read CyberheistNews online at our Blog
New data shows phishing, social engineering, and impersonation dominate as cybercriminals are becoming more frequent and successful with their attacks.
The headlines always cover the well-known enterprise brand or government organization that succumbs to a cyberattack. But so rarely do we hear about the Small and Medium Business (SMB) – after all, hearing that Dr. Smith's tiny practice was hit and 3 people were affected isn't all that exciting a story.
But new data from Barracuda's recently released Spear Phishing Top Threats and Trends Report shows the SMB actually is a target of social engineering attacks that reach the mailbox 3.5x more often than at its enterprise counterparts.
According to the data, the average number of attacks per mailbox in organizations with more than 2,000 employees is 5 per year. But in organizations with fewer than 100 employees, that number more than triples to 17 per year!
Further analysis of attacks shows that the SMB is targeted with largely the same breakout of attack types:
- 49% are phishing attacks
- 40% are scams
- 9% are business email compromise attacks
- 2% are extortion attacks
- <1% are vendor email compromise (also called conversation hijacking) attacks
The fact that 3.5 times the number of social engineering attacks make it to the Inbox tells me two things:
- Defenses aren't as strong in the SMB
- SMB users need to be enrolled in Security Awareness Training to help stop attacks at the Inbox before anything malicious takes place
Blog post with links:
Scammers continue to exploit the crisis in Ukraine, according to researchers at Bitdefender. Over the past week, the researchers believe the fraudsters have adjusted their tactics in response to increased media coverage of these scams.
"Media coverage on Ukraine charity scams has taken off since the beginning of March, and increased consumer awareness of the subject has likely influenced spammers' strategies," the researchers write. "The fraudsters behind this next scam impersonate The Courage Fund, a Singapore-based charity foundation established in 2003 when the country was hit by the SARS outbreak.
"Unlike previously reported schemes which incorporated images of the Ukrainian flag next to fraudulent cryptocurrency wallet addresses, spammers behind this campaign take an alternative route - they ask recipients to contact a Gmail address.
"Once again, scammers use official data on Ukrainian casualties and refugees, and cite a couple of organizations that have publicly announced humanitarian aid and donations to help war victims."
Bitdefender observed another scam that uses legitimate-looking phishing emails. This scam is impersonating the legitimate United Help Ukraine charity, with a convincingly spoofed donation site.
"A novel approach at swindling good Samaritans was spotted by Bitdefender researchers on March 22," the researchers write. "The threat actors behind this campaign go way past any previous nickel-and-dime antics, impersonating the United Help Ukraine organization. Spammers are using IP addresses in the US to deliver this scam across Europe and North America.
"The DONATE NOW button sends recipients to a cloned version of the official United Help Ukraine Website. The fake website offers users a single donation method in the form of a crypto wallet address, and it closely resembles the official Donate page of the non-profit charitable organization."
It's common for scams to follow news and public affairs that attract general interest. It's also common for them to count on people lowering their guard out of sympathy for the story the con artists tell. New-school security awareness training can enable your employees to avoid falling for social engineering attacks in both their professional and personal lives.
Blog post with links:
"Hi Stu, I wanted to report that we are very pleased with the training and phishing service from KnowBe4. KellyL has been a great resource to help our company become more secure and aware of threats that can put our company at risk for cyberattacks. I am pleased with how Kelly makes herself available at any time to discuss rising concerns. Thank you for reaching out. This security education program is one of the best things that we have decided to do as a not-for-profit agency. Thank you." - D.S., IT Coordinator
"Hello Mr. Sjouwerman! We purchased three new security products at about the same time including KnowBe4. We are still floundering around with the other products with their limited support, but not yours! Your implementation team got us scheduled right away for deployment, our great rep KrissyS got us stood up and functioning in just a couple of days, and the two interactions with your support staff on a couple small customizations have all been nothing short of fantastic.
"We have already run 3 automated phishing campaigns and your smart groups are automatically assigning training. I would not hesitate at all to recommend KB4 to a colleague. I'm sure you hear this all the time actually, as the product is great, and you seem to have the deployment down to a science.
Thanks for the great product and to the people who support it!" - F.J., IT Director
- [FACT SHEET] President Biden on Monday issued a general warning to US organizations that intelligence suggests a coming Russian cyber campaign:
- Russia's hybrid war with Ukraine: strategy, norms, and alliances:
- Three Times Russians Botched a War and Had a Revolution:
- FCC puts Kaspersky on security threat list, says it poses "unacceptable risk":
- WIRED: "A Mysterious Satellite Hack Has Victims Far Beyond Ukraine":
- More Conti ransomware source code leaked on Twitter out of revenge:
- Singapore IT leaders cannot identify fake messages, but only half concerned about phishing risks:
- North Korean hackers exploit Chrome zero-day weeks before patch with phishing:
- Behold, a password phishing site that can trick even savvy users:
- Is 'The Great Resignation' encouraging more cyber-threats?:
- This Week Your Virtual Vaca is in Vienna in 4K. Downright gorgeous:
- SUPER FAVE! Sky Diving With Skis From The Ultimate Chairlift:
- Famous Antarctic Shipwreck Found 'Frozen in Time':
- The GREATEST Lamborghini of all time? Chris Harris vs Lamborghini Miura in Top Gear:
- Intense Chimney Climb Followed By Crazy Base Jump:
- Did the Lock Picking Lawyer Cheat On This Tamper-Sealed Abus lock Challenge?:
- The ISS Will Crash to Earth Soon, But Why?:
- The $8 Billion Plan to Save New York's Most Hated Airport:
- A compilation of workers with amazing speed or flair. These guys are real professionals!
- Awesome adventurers showing off their amazing skills in the Alps:
- So It Appears That This $700 Million Superyacht Does Belong to Putin:
- For Da Kids #1 - SUPER KID FAVE! This Dog Goes Paragliding With His Owner And Loves it:
- For Da Kids #2 - Little Girl Makes Video To Convince Her Parents She's Ready For A Dog:
- For Da Kids #3 - Duck Flaps His Wings So Hard When He Sees His 153-Pound Dog Best Friend: