CyberheistNews Vol 12 #17  |  Apr. 26th, 2022

[EYE OPENER] "Being Annoying" as a Social Engineering Tactic

By Stu Sjouwerman, SACP

Attackers are spamming multifactor authentication (MFA) prompts in an attempt to irritate users into approving the login, Ars Technica reports.

Both criminal and nation-state actors are using this technique. Researchers at Mandiant observed the Russian state-sponsored actor Cozy Bear launching repeated MFA prompts until the user accepted the request.

Ars Technica quotes Mandiant’s researchers as saying, "Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The [Nobelium] threat actor took advantage of this and issued multiple MFA requests to the end user's legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account."

The Lapsus$ criminal hacking group is also making use of this method. A member of Lapsus$ said on the group's Telegram channel the technique is particularly effective late at night.

"No limit is placed on the amount of calls that can be made," the individual said. "Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device."

Ars Technica notes that there are multiple variations to this approach.

  • "Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
  • "Sending one or two prompts per day. This method often attracts less attention, but 'there is still a good chance the target will accept the MFA request.'
  • "Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

New-school security awareness training teaches your employees to follow security best practices so they can avoid falling for social engineering tactics like this.
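For defenders, the pattern described above (a burst of push prompts, several rejections or timeouts, then an approval, often outside working hours) is visible in MFA provider logs. The following is an added detection example written for this newsletter item; it is not code from Ars Technica, Mandiant or KnowBe4. The log format, the user names, the IP addresses and the `push_sent` / `push_denied` / `push_timeout` / `push_approved` event names are all constructed for the example; a real provider's export will need its own parse step.

```python
"""Flag MFA push-bombing ("MFA fatigue") bursts in authentication logs.

Added example, not from the original newsletter. The line format below is
constructed: '<ISO timestamp> user=<name> event=<kind> src=<ip>'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 'alice' receives five pushes in under four minutes at
# 01:00, rejects or ignores the first two, then approves. 'bob' shows normal,
# widely spaced daytime logins.
SAMPLE_LOG = """\
2022-04-20T01:02:11Z user=alice event=push_sent src=203.0.113.7
2022-04-20T01:02:40Z user=alice event=push_denied src=203.0.113.7
2022-04-20T01:03:05Z user=alice event=push_sent src=203.0.113.7
2022-04-20T01:03:30Z user=alice event=push_timeout src=203.0.113.7
2022-04-20T01:04:02Z user=alice event=push_sent src=203.0.113.7
2022-04-20T01:04:50Z user=alice event=push_sent src=203.0.113.7
2022-04-20T01:05:33Z user=alice event=push_sent src=203.0.113.7
2022-04-20T01:06:10Z user=alice event=push_approved src=203.0.113.7
2022-04-20T09:15:00Z user=bob event=push_sent src=198.51.100.4
2022-04-20T09:15:12Z user=bob event=push_approved src=198.51.100.4
2022-04-20T14:40:00Z user=bob event=push_sent src=198.51.100.4
2022-04-20T14:40:09Z user=bob event=push_approved src=198.51.100.4
"""


def parse_line(line):
    """Parse one constructed 'ts key=value ...' line into a dict."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def _evict(queue, now, window):
    """Drop timestamps older than the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_push_bombing(log_text, window=timedelta(minutes=10), threshold=4):
    """Return one alert per user whose push count within `window` reached
    `threshold`. Each alert records whether an approval followed the burst,
    how many rejections/timeouts preceded it, and whether it started
    off-hours (22:00-06:00), since attackers favour prompting sleeping users.
    """
    sent = defaultdict(deque)      # user -> push timestamps in window
    rejected = defaultdict(deque)  # user -> denied/timeout timestamps in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts, kind = ev["user"], ev["ts"], ev["event"]
        _evict(sent[user], ts, window)
        _evict(rejected[user], ts, window)
        if kind == "push_sent":
            sent[user].append(ts)
            count = len(sent[user])
            if count >= threshold:
                first = sent[user][0]
                alert = alerts.setdefault(user, {
                    "user": user,
                    "src": ev["src"],
                    "first_push": first,
                    "off_hours": first.hour >= 22 or first.hour < 6,
                    "pushes": 0,
                    "approved": False,
                    "rejections_before_approval": 0,
                })
                alert["pushes"] = max(alert["pushes"], count)
        elif kind in ("push_denied", "push_timeout"):
            rejected[user].append(ts)
        elif kind == "push_approved" and user in alerts \
                and len(sent[user]) >= threshold:
            alerts[user]["approved"] = True
            alerts[user]["rejections_before_approval"] = len(rejected[user])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

An approved alert with prior rejections and an off-hours start is the highest-confidence signal and warrants resetting the session and reviewing MFA device enrolments for that user, because the Lapsus$ quote above describes enrolling an extra device right after the first accepted prompt. Number-matching or FIDO2 authenticators remove the "just tap approve" path this detection watches for.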

Blog post with links:
https://blog.knowbe4.com/being-annoying-as-a-social-engineering-approach

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes, you read that right, no extra cost—so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, April 27 @ 2:00 PM (ET) for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, April 27 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3714065/5BD9491A0AB0D7F3D6BC353B291E134C?partnerref=CHN3

FBI Warns of Bank Fraud Smishing Campaign

The FBI has warned of a smishing campaign that's targeting people in the U.S. with phony bank fraud notifications. The text messages inform users that someone has attempted to initiate a money transfer on their account.

"The actors—who typically speak English without a discernible accent—then call the victim from a number which appears to match the financial institution's legitimate 1-800 support number, and claim to represent the institution's fraud department," the FBI says. "Once the actor establishes credibility, they walk the victim through the various steps needed to 'reverse' the fake instant payment transaction referenced in the text message.

"In these schemes, background information on the victims appears to have been well researched. In addition to knowing the victim's financial institution, the actors often had further information such as the victim's past addresses, social security number, and the last four digits of their bank accounts. This information was used to convince customers that the steps being requested of them were the financial institution's legitimate process for retrieving stolen funds."

The Bureau offers the following advice to help people avoid falling for this scam:

  • "Be wary of unsolicited requests to verify account information. Cyber actors can use email addresses and phone numbers which may then appear to come from a legitimate financial institution. If a call or text is received regarding possible fraud or unauthorized transfers, do not respond directly.
  • "If an unsolicited request to verify account information is received, contact the financial institution's fraud department through verified telephone numbers and email addresses on official bank websites or documentation, not through those provided in texts or emails.
  • "Enable Multi Factor Authentication (MFA) for all financial accounts, and do not provide MFA codes or passwords to anyone over the phone.
  • "Understand financial institutions will not ask customers to transfer funds between accounts in order to help prevent fraud.
  • "Be skeptical of callers that provide personally identifiable information, such as social security numbers and past addresses, as proof of their legitimacy. The proliferation of large-scale data breaches over the last decade has supplied criminals with enormous amounts of personal data, which may be used repeatedly in a variety of scams and frauds."

Train your employees to make smarter security decisions.

Blog post with links:
https://blog.knowbe4.com/fbi-warns-of-bank-fraud-phishing-campaign

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense. Join us Wednesday, May 4 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at TWO NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Brandable Content feature gives you the option to add branded custom content to select training modules
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 40,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, May 4 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3713715/A497B5E485F699EE7662135628028A56?partnerref=CHN

[Heads Up] LinkedIn Is Still the Most Impersonated Brand in Phishing Attacks

Social media companies, particularly LinkedIn, are now the most impersonated brands in phishing campaigns, researchers at Check Point have found.

"Social media networks have now overtaken shipping, retail and technology as the category most likely to be targeted by criminal groups," the researchers write. "So far this year, LinkedIn has been related to more than half (52%) of all phishing-related attacks globally, marking the first time the social media network has reached the top of rankings.

"It represents a dramatic 44% uplift from the previous quarter, when LinkedIn was in fifth position and related to only 8% of phishing attempts. LinkedIn has now overtaken DHL as the most targeted brand, which has now fallen to second position and accounted for 14% of all phishing attempts during the quarter."

Shipping companies are still in second place, with DHL and FedEx impersonation accounting for a significant portion of phishing attacks.

"Shipping is now the second most targeted category, with threat actors continuing to take advantage of the general rise in e-commerce by targeting consumers and shipping companies directly," the researchers write. "DHL is second to LinkedIn, accounting for 14% of phishing attempts; FedEx has moved from seventh position to fifth, now accounting for 6% of all phishing attempts; and Maersk and AliExpress have entered the top ten list for the first time.

"Our report highlights one particular phishing strategy that used Maersk-branded emails to encourage the download of spoof transport documents, infecting workstations with malware." Attackers have also impersonated shipping giant Maersk with phishing emails that deliver the Agent Tesla malware.

"During the first quarter of 2022, we observed a malicious phishing email that used Maersk's branding and was trying to download the Agent Tesla RAT (Remote Access Trojan) to the user’s machine," the researchers write.

"The email which was sent from a webmail address and spoofed to appear as if it was sent from ‘Maersk Notification (service[@]maersk[.]com)', contained the subject, 'Maersk : Verify Copy for Bill of Lading XXXXXXXXX ready for verification.' The content asked to download an excel file 'Transport-Document', that would cause the system to be infected with Agent Tesla."

Get those users trained against social engineering attacks...

Blog post with links:
https://blog.knowbe4.com/linkedin-most-impersonated-brand-in-phishing-attacks

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, May 4 @ 1:00 PM (ET) for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: Wednesday, May 4 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3714080/886880A2B779CE5599CBD8DD39A88585?partnerref=CHN

[NEW RELEASE]: The Security Culture Playbook

Perry Carpenter wrote on LinkedIn: "Big news! The Security Culture Playbook was officially published yesterday. Just now got my hands on a physical copy! So many people to thank. Kai Roer, my coauthor. Jim Minatel and Wiley publishing for (once again) being a great team of folks to work with."

Amazon Blurb: "Mitigate human risk and bake security into your organization's culture from top to bottom with insights from leading experts in security awareness, behavior, and culture.

The topic of security culture is mysterious and confusing to most leaders. But it doesn't have to be. In The Security Culture Playbook, Perry Carpenter and Kai Roer, two veteran cybersecurity strategists deliver experience-driven, actionable insights into how to transform your organization's security culture and reduce human risk at every level.

This book exposes the gaps between how organizations have traditionally approached human risk and it provides security and business executives with the necessary information and tools needed to understand, measure, and improve facets of security culture across the organization."

Get your copy here:
https://www.amazon.com/Security-Culture-Playbook-Executive-Developing-ebook/dp/B09V6VWW42/


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: The More You Know, The More You Know You Don’t Know. Zero Days are skyrocketing:
https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html

PPS: A crypto hacker exploited a new algorithmic stablecoin project called Beanstalk and drained it of $182 million:
https://www.wsj.com/articles/crypto-thieves-get-bolder-by-the-heist-stealing-record-amounts-11650582598

Quotes of the Week  
"Whether one believes in a religion or not, and whether one believes in rebirth or not, there isn't anyone who doesn't appreciate kindness and compassion."
- Dalai Lama (born 1935)

"They succeed, because they think they can."
- Virgil - Poet (70 - 19 BC)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-17-eye-opener-being-annoying-as-a-social-engineering-tactic

Security News
PS5 Scams Circulating on Facebook

Scammers are using tragic Facebook posts to make phony offers of free PlayStation 5s, according to Christopher Boyd, Lead Malware Intelligence Analyst at Malwarebytes. The posts say that the person's daughter has died, and they want to give away her brand new PS5.

"My daughter died while coming back from college last week," the post says. "She was hit by a running car, my heart bleeds everyday. I bought a PS5 for her, she never got to see it. I want to give out the PS5 for free to someone who needs it. Seeing the PS5 everyday hurts my soul."

If someone falls for the ruse, the scammer will message them and attempt to have them send money for shipping costs.

"The majority of these posts switch off replies and have interested parties message them directly," Boyd says. "They then try and convince them to pay for shipping costs upfront. Assuming the person paying is dealing with a scammer, both money and seller will drop all communication and / or vanish afterward. It's probable that some of these accounts have been compromised, so the supposed seller is likely going to have more problems once they recover their account. All things considered, there's simply too many red flags associated with this style of Facebook post."

Boyd points out that it's extremely unlikely that someone would be offering a free PS5 to strangers on Facebook, and there are a number of additional red flags that could tip people off.

"Before you offer yourself up as a potential recipient, there are some questions you should ask yourself" Boyd says. "Starting with 'why do the pictures of the unused machine show a PS5 that's clearly plugged in, and in use?' I'm not saying it's impossible for a parent to set up a PS5 for their kid. However, having set one up myself, there’s a fair bit of work involved.

"Not even accounting for system updates and other aspects of the setup routine, you also have to tie the console to a PlayStation account. This means a username, password, potential use of QR codes, and more. An even better question is 'why are completely unrelated people posting the exact same message elsewhere?'"

The way the come-on trades on a tragic story, fabricated though it is, seems especially loathsome, but such are the ways of social engineers. New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering scams.

Malwarebytes has the story:
https://blog.malwarebytes.com/privacy-2/2022/04/beware-tragic-my-daughter-died-facebook-posts-offering-free-ps5s/

TraderTraitor: When States Do Social Engineering

North Korea's Lazarus Group is using social engineering attacks to target users of cryptocurrency, according to a joint advisory from the U.S. FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department.

"The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs),” the advisory says.

"The activity described in this advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to download trojanized cryptocurrency applications on Windows or macOS operating systems.

"The cyber actors then use the applications to gain access to the victim’s computer, propagate malware across the victim's network environment, and steal private keys or exploit other security gaps. These activities enable additional follow-on activities that initiate fraudulent blockchain transactions."

The threat actor is using spearphishing attacks to trick users into downloading malicious cryptocurrency apps. "Intrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often working in system administration or software development/IT operations (DevOps)—on a variety of communication platforms," the advisory says.

"The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as 'TraderTraitor.' The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework.

"The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools.

"TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications."

North Korean threat actors are well-known for conducting financially motivated operations for their heavily sanctioned government.

CISA has the story:
https://www.cisa.gov/uscert/ncas/alerts/aa22-108a

What KnowBe4 Customers Say

"Stu, I wanted to personally thank you for an amazing conference this week in Orlando. You and your team did an amazing job putting on a 1st class conference. The attention to details made this conference run like a well-oiled machine. The content in the sessions was super informative and on point. Your staff was very polite, professional, and pleasant to work with from the minute I walked in the door.

I wish I could have cloned myself so I could have been in three places at once to learn more from the other sessions. Hoping that the content from the other sessions is made available. I can't thank you and your team enough for all the hard work pulling this conference off with great success. Looking forward to next year. WELL DONE SIR!"

- B.J., Sr. Head of Technology

The 10 Interesting News Items This Week

  1. Every Russian Oligarch Who Has Died Since Putin Invaded Ukraine—Full List:
     https://www.newsweek.com/every-russian-oligarch-who-has-died-since-putin-invaded-ukraine-full-list-1700022

  2. Surprising cybersecurity weak points business owners should look out for:
     https://venturebeat.com/2022/04/17/surprising-cybersecurity-weak-points-business-owners-should-look-out-for/

  3. Cyber Command details $236 million in new spending wish list:
     https://therecord.media/cyber-command-details-236-million-in-new-spending-wish-list/

  4. Feds Offer $5 Million to Help Disrupt North Korean Hackers:
     https://www.govinfosecurity.com/feds-offer-5-million-to-help-disrupt-north-korean-hackers-a-18911

  5. US officials ramp up warnings about Russian cyberattacks:
     https://thehill.com/policy/cybersecurity/3271898-us-officials-ramp-up-warnings-about-russian-cyber-attacks/

  6. NATO Plays Cyberwar to Prep for a Real Russian Attack:
     https://gizmodo.com/nato-russia-ukraine-locked-shields-cyberattack-war-game-1848807942

  7. Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps:
     https://www.darkreading.com/dr-tech/why-so-many-security-experts-are-concerned-about-low-code-no-code-apps

  8. Hive ransomware group 'exceptionally aggressive,' HHS says in warning to health sector:
     https://www.scmagazine.com/analysis/ransomware/hive-ransomware-group-exceptionally-aggressive-hhs-says-in-warning-to-health-sector

  9. Ransomware attack causes chaos in Costa Rica government systems:
     https://apnews.com/article/russia-ukraine-technology-business-gangs-costa-rica-9b2fe3c5a1fba7aa7010eade96a086ea

  10. Russia Is Losing a War Against Hackers Stealing Huge Amounts of Data:
     https://theintercept.com/2022/04/22/russia-hackers-leaked-data-ukraine-war/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
