CyberheistNews Vol 12 #19 [Heads Up] There is a New Type of Phishing Campaign Using Simple Email Templates

Tricky SMTP Relay Email Spoofing. Man Convicted for $23M Phishing Scam.

CyberheistNews Vol 12 #19  |  May 10th, 2022

[Heads Up] There is a New Type of Phishing Campaign Using Simple Email Templates

Stu Sjouwerman, SACP

A phishing campaign is using short, terse emails to trick people into visiting a credential-harvesting site, according to Paul Ducklin at Naked Security. The email informs recipients that two incoming messages were returned to the sender and directs the user to visit a link in order to view the messages. Since the emails are so short, the scammers avoid risking typos or grammatical errors that could have tipped off the recipient.

The phishing link has the appearance of a direct URL to sophos[dot]com, but it’s actually a hyperlink that leads to a different site. The phishing site is also very simple, with just a login prompt and a title that says “User Control Panel.”

Ducklin notes that the scammers may have taken the simplicity too far at this point, as the phishing site doesn’t attempt to impersonate any brand. Ducklin offers the following advice to help people avoid falling for these attacks:

  • “Don’t click ‘helpful’ links in emails or other messages. Learn in advance how to find error messages and other mail delivery information in your webmail service via the webmail interface itself, so you can simply login as usual and then access the needed pages directly. Do the same for the social networks and content delivery sites you use. If you already know the right URL to use, you never need to rely on any links in emails, whether those emails are real or fake.
  • “Think before you click. The email above isn’t glaringly false, so you might be inclined to click the link, especially if you’re in a hurry (though see point 1 about learning how to avoid click-throughs in the first place). But if you do click through by mistake, take a few seconds to stop and double-check the site details, which would make it clear you were in the wrong place.
  • “Use a password manager if you can. Password managers prevent you from putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before.
  • “Report suspicious emails to your own IT team. Even if you’re a small business, make sure all your staff know where to submit suspicious email samples (e.g. cybersec911@example[.]com). Crooks rarely send just one phishing email to one employee, and they rarely give up if their first attempt fails. The sooner someone raises the alarm, the sooner you can warn everyone else.”

New-school security awareness training teaches your employees to follow security best practices so they can avoid falling for phishing attacks.
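The trick described above (visible link text that reads as one site while the href points somewhere else) is easy to check for mechanically before a user ever sees the message. The script below is an added example for this newsletter, not code from Naked Security or Sophos: it walks every anchor in an HTML mail body and reports those whose visible text names a host that differs from the host the href actually resolves to. The HTML snippet is constructed for the example, and the host names in it (mail-service.example, user-panel.attacker.example) are placeholders, not the domains from the real campaign.

```python
"""Flag HTML e-mail anchors whose visible text shows one host while the href
points at another. Added example; not code from the newsletter or Naked Security.
The HTML below is constructed, not a captured phishing message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches link text that a reader would take for a URL or bare domain.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_of(text):
    """Host named in a URL-looking string, or None for text like 'Help center'."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower().rstrip(".") if m else None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def find_mismatched_links(html):
    """Return anchors whose displayed host differs from the href host.
    A subdomain of the displayed host (login.brand.example for brand.example)
    is accepted; anything else is reported."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown = host_of(text)
        if shown is None:
            continue  # button-style text: nothing for the reader to be misled by
        target = (urlsplit(href).hostname or "").lower().rstrip(".")
        if target and target != shown and not target.endswith("." + shown):
            findings.append({"shown": shown, "actual": target, "text": text.strip()})
    return findings


# Constructed sample: a terse "returned messages" lure in the style described above.
SAMPLE_HTML = """<p>Two messages to you were returned to sender.</p>
<p>View them here:
<a href="https://user-panel.attacker.example/login">https://mail-service.example/returned</a></p>
<p><a href="https://mail-service.example/help">mail-service.example/help</a></p>
<p><a href="https://mail-service.example/help">Help center</a></p>"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_HTML):
        print(f"link text shows {finding['shown']} but goes to {finding['actual']}")
```

Only the first anchor is reported: the second shows and links to the same host, and the third has button text with no host for the reader to be misled by. A mail gateway or the reporting add-in can run this over the HTML part before rendering and attach the finding to the ticket.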


[TOMORROW] 10 of the Craziest Cyberattacks Seen In the Wild and How You Can Avoid Them

It feels like we hear about a new devastating cyberattack in the news every day. And attack methods seem to be proliferating at an exponential rate. So, which tactics should you be aware of beyond standard “click and infect” attack vectors?

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and popular cybersecurity author, for this eye-opening webinar. Roger will share his take on several significant, advanced, and yes, crazy cyberattacks he’s seen in the wild. Plus, he’ll share defensive strategies you’ll want to implement to prevent them from affecting your network.

You’ll see examples of 10 amazing hacks showing how:

  • Your users’ passwords can be cracked in mere minutes
  • Cybercriminals easily bypass multi-factor authentication
  • Automated malware can devastate your network
  • Hackers can completely take over your network with a few simple steps
  • And more!

Find out what you can do to mitigate these advanced hacking techniques instead of becoming the next unknowing victim. And earn CPE for attending!

Date/Time: TOMORROW, Wednesday, May 11 @ 2:00 PM (ET)

Save My Spot!

Now This Is a Tricky SMTP Relay Email Spoofing Technique

Researchers at Avanan have observed a surge in phishing emails that abuse a flaw in SMTP relay services to bypass email security filters.

"An SMTP relay service can be a valuable service for organizations that like to send out mass emails," the researchers explain. "Essentially, businesses use SMTP relay services (of which there are many) to send marketing messages to a vast database of users without being blocklisted.

"Utilizing trusted SMTP relay services ensures messages get delivered. Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google."

Attackers can use this feature in Gmail to impersonate legitimate Gmail tenants, making their phishing emails more likely to go undetected by security technologies.

"However, these relay services have a flaw," Avanan says. "Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns.

"When the security service sees avanan[.]com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.... Phishingemail@phishing[.]com wouldn’t want to send their email from that domain.

"They would want the legitimacy of a major brand. So, using this service, they instead send their email from, say, paypal[.]com (assuming paypal uses Gmail). Email scanners see that it’s coming from Gmail’s trusted relay service, and for good measure, often a trusted brand, and it sails right through to the inbox."

The researchers warn that attackers have increasingly adopted this technique over the past month. "Starting in April 2022, Avanan researchers have seen a massive uptick of these SMTP Relay Service Exploit attacks in the wild, as threat actors use this service to spoof any other Gmail tenant and begin sending out phishing emails that look legitimate," Avanan says.
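What makes the relay trick work is that the receiving filter trusts the relay's IP address, so a plain SPF check on the connecting host passes. The script below is an added example for this newsletter, not code from Avanan or from Google, showing the check a receiver should be making instead: DMARC alignment, where the From header's domain has to match the domain that SPF or DKIM actually vouched for. The Authentication-Results headers and the DMARC policy table are constructed; a real receiver would take the header from its own MTA and fetch the policy from the _dmarc TXT record of the From domain. It assumes, as a scenario, that mail sent through the shared relay authenticates for the sending tenant's own domain while the From header carries the spoofed brand.

```python
"""DMARC-style alignment check for messages arriving through a shared relay.
Added example; not code from the newsletter, Avanan or Google. The
Authentication-Results headers and DMARC policies are constructed."""
import email
import re
from email.utils import parseaddr

# Constructed stand-in for published DMARC records (domain -> p= value).
DMARC_POLICIES = {
    "brand.example": "reject",   # brand that publishes p=reject
    "nodmarc.example": None,     # brand with no DMARC record at all
}


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real DMARC uses the Public Suffix List; this shortcut is an assumption."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Pull SPF/DKIM verdicts and the domains they were evaluated against
    out of an Authentication-Results header (folded lines are joined first)."""
    flat = " ".join(header.split())
    res = {"spf": None, "spf_domain": None, "dkim": None, "dkim_domain": None}
    m = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([\w.@-]+)", flat)
    if m:
        res["spf"] = m.group(1).lower()
        res["spf_domain"] = m.group(2).split("@")[-1].lower()
    m = re.search(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", flat)
    if m:
        res["dkim"] = m.group(1).lower()
        res["dkim_domain"] = m.group(2).lower()
    return res


def evaluate_dmarc(raw_message, policies=DMARC_POLICIES):
    """Relaxed DMARC alignment: the From org domain must equal the org domain
    of a passing SPF (envelope sender) or passing DKIM (d=) result. SPF or
    DKIM passing for the relay tenant's own domain does not rescue a spoofed From."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    from_org = org_domain(from_domain)
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_aligned = ar["spf"] == "pass" and org_domain(ar["spf_domain"] or "") == from_org
    dkim_aligned = ar["dkim"] == "pass" and org_domain(ar["dkim_domain"] or "") == from_org
    dmarc_pass = spf_aligned or dkim_aligned
    policy = policies.get(from_org)
    if dmarc_pass or policy not in ("quarantine", "reject"):
        action = "deliver"  # aligned, or the brand published nothing to enforce
    else:
        action = policy
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": "pass" if dmarc_pass else "fail",
            "policy": policy, "action": action}


# Constructed messages. In each, SPF and DKIM pass for the sending tenant's own
# domain, as they would for mail that really left a trusted relay; only the
# third message has a From header aligned with those results.
RELAYED_SPOOF = """From: "Brand Support" <support@brand.example>
To: victim@victim.example
Subject: Your account needs attention
Authentication-Results: mx.victim.example;
 spf=pass (192.0.2.10 is a permitted relay) smtp.mailfrom=attacker-tenant.example;
 dkim=pass header.d=attacker-tenant.example

Please sign in at the link below.
"""
RELAYED_SPOOF_NO_POLICY = RELAYED_SPOOF.replace("brand.example", "nodmarc.example")
LEGITIMATE = """From: "Brand Support" <support@mail.brand.example>
To: victim@victim.example
Subject: Your statement is ready
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=bounces@mail.brand.example;
 dkim=pass header.d=brand.example

Your monthly statement is attached.
"""

if __name__ == "__main__":
    for name, raw in [("relayed spoof", RELAYED_SPOOF),
                      ("relayed spoof, no DMARC", RELAYED_SPOOF_NO_POLICY),
                      ("legitimate", LEGITIMATE)]:
        print(name, evaluate_dmarc(raw))
```

The first message fails alignment and is rejected because the spoofed brand publishes p=reject; the second fails alignment in exactly the same way but is delivered, because the impersonated domain publishes no DMARC record, which is the gap this technique lives in. The third passes on both SPF and DKIM. The practical takeaways are the two sides of that table: publish an enforcing DMARC policy for your own domains, and make sure your inbound filter acts on alignment rather than on the reputation of the connecting relay.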


[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately “flip” a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces an active phishing threat with a defanged look-alike in your users’ mailboxes.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, May 18 @ 2:00 PM (ET), for a 30-minute live product demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Date/Time: Wednesday, May 18 @ 2:00 PM (ET)

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Save My Spot!

Man Convicted for $23 Million Phishing Scam Against the U.S. DoD

A man in California has been convicted for stealing $23.5 million from the U.S. Department of Defense in a phishing attack. The Justice Department explained in a press release that the man, Sercan Oyuntur, hijacked payments meant for a jet fuel supplier.

“A corporation that had a contract with the DoD to supply jet fuel to troops operating in southeast Asia employed an individual in New Jersey, who was responsible for communicating with the federal government on behalf of the corporation through a government computer system,” the Justice Department says.

“Through a complex phishing scheme, Oyuntur and criminal conspirators in Germany, Turkey, and New Jersey targeted the corporation and the individual so that the conspirators could steal money that DoD intended to pay to the corporation for providing jet fuel.”

Oyuntur worked with others to set up a complex phishing operation to steal the funds.


Are Your Users' Passwords... P@ssw0rd?

Are your users' passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords.

Employees are the weakest link in your network security, using weak passwords and falling for phishing and social engineering attacks.

KnowBe4's complimentary Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action.

This will take you five minutes and may give you some insights you never expected!

Find your weak passwords:

[USEFUL] CyberWire Launches CISA Cybersecurity Alerts

A first-of-its-kind public service audio feed for urgent threat advisories

The CyberWire announced the launch of its new podcast, CISA Cybersecurity Alerts, a first-of-its-kind public service audio feed for urgent cybersecurity advisories.

The alerts, produced by the Cybersecurity and Infrastructure Security Agency (CISA) with other government organizations, and adapted to audio by the CyberWire, provide urgent information about cyber threats, vulnerabilities and exploits.

The audio alerts are a stand-alone feed that subscribers can find wherever they get their podcasts, and are also shared via the CyberWire's flagship CyberWire Daily podcast feed. The CISA Cybersecurity Alerts podcast is a public service, funded by the CyberWire, entirely free of advertising or sponsorship.

“As the nation’s cyber defense agency, CISA supports network defenders by providing resources, tools, and timely, actionable alerts and advisories,” said CISA Director Jen Easterly. “Sharing this critical information as broadly as possible and with expanded accessibility helps to secure both private and public sector networks, and build resilience.”



Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from April 2022:

PPS: Steve Morgan's latest book! "Hacker's Movie Guide: The Complete List of Hacker and Cybersecurity Movies" with Foreword by Steve Wozniak, co-founder of Apple:

Quotes of the Week
"Change your life today. Don't gamble on the future, act now, without delay."
- Simone de Beauvoir - Philosopher (1908 - 1986)

"Love is that condition in which the happiness of another person is essential to your own."
- Robert A. Heinlein - Writer (1907 - 1988)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Blue Badge Phishing Campaign Targets Verified Twitter Users

Researchers at Trend Micro warn of a phishing campaign targeting verified users on Twitter with phony copyright infringement claims. Verified accounts (denoted by a blue checkmark next to the user’s name) are valuable to scammers because these accounts typically have many followers and are trusted by Twitter users.

The messages state, "Hi Dear User, Copyright infringement was detected in one of the tweets on your account. If you think copyright infringement is wrong, you need to provide feedback. Otherwise, your account will be closed within 48 hours. You can gice [sic] feedback at the link below. Thank you for your understanding."

If the user clicks the link in the message, they’ll be taken to a spoofed Twitter login page designed to steal their login credentials as well as their multifactor authentication code.

Verified users may be more likely to click the link because they don’t want to lose access to their accounts. "These messages and emails are NOT legit," the researchers stress. "The scammers’ goal is to steal your account credentials.

"They lie to you, saying that your account will be deleted if you don’t take action immediately. They prompt you to click on the attached links to submit feedback or file a report. Don’t fall for it! If you do as instructed and click on a malicious link, you will be taken to a fake Twitter log-in page that is designed to steal your account information."

Trend Micro offers the following recommendations for users to avoid falling for these attacks:

  • "Know that Twitter will never ask you for your log-in credentials via direct message.
  • "Reach out directly to Twitter Support for help if you think there are issues with your account.
  • "Verify that links are safe before clicking on them. Does the URL look suspicious?
  • "Be extra cautious of links or buttons in direct messages or emails — even if they were sent by verified accounts."

The messages are implausible: clumsy and marked with the usual misspellings and eccentric usage, but they’re representative of what the criminals are attempting. New-school security awareness training enables your employees to recognize phishing and other social engineering attacks.


Cozy Bear Goes Typosquatting

Researchers at Recorded Future’s Insikt Group warn that the Russian threat actor NOBELIUM (also known as APT29 or Cozy Bear) is using typosquatting domains to target the news and media industries with phishing pages.

"From mid-2021 onwards, Recorded Future’s midpoint collection revealed a steady rise in the use of NOBELIUM infrastructure tracked by Insikt Group as SOLARDEFLECTION, which encompasses command and control (C2) infrastructure," the researchers write.

"In this report, we highlight trends observed by Insikt Group while monitoring SOLARDEFLECTION infrastructure and the recurring use of typosquat domains by its operators. A key factor we have observed from NOBELIUM operators involved in threat activity is a reliance on domains that emulate other brands (some legitimate and some that are likely fictitious businesses).

"Domain registrations and typosquats can enable spearphishing campaigns or redirects that pose a threat to victim networks and brands." Recorded Future notes that the threat actor is effectively imitating the targeted companies.

"Analysis of recent and historical domains attributed to NOBELIUM broadly demonstrates the group’s familiarity with, and tendency to emulate, a variety of media, news and technology providers," the researchers write. "The group has abused dynamic DNS resolution to construct and resolve to randomly generated subdomains for its C2s or root domains to mislead victims.

"The key aspect to these attacks is the use of either email addresses or URLs that look similar to the domain of a legitimate organization. Potentially harmful domain registrations and typosquats can enable spearphishing campaigns or redirects that pose an elevated risk to a company’s brand or employees."

The researchers add that spearphishing is a common technique used by both criminal and nation-state threat actors. "A successful spearphish is dependent on factors such as the quality of the message, the credibility of the sender address, and, in the case of a redirecting URL, the credibility of the domain name," the researchers write.

"Insikt Group has previously observed other Russian nexus groups using typosquatting in support of operations, such as those aimed at the 2020 presidential elections, to increase confidence in the validity of the fraudulent login portal used to harvest victim credentials. This tactic has also been reported recently in open sources in connection with intrusions targeting entities in Ukraine, likely in support of Russia’s invasion of the country."
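The report above describes two patterns worth hunting for in mail logs and proxy logs: registrable domains that are a character or two away from a brand you care about, and a brand's domain buried as a subdomain under someone else's registrable domain. The classifier below is an added example for this newsletter, not code from Recorded Future or Insikt Group. The protected brand list and every indicator it scores are constructed placeholders, and it approximates "registrable domain" as the last two labels; a real tool would use the Public Suffix List and a fuller confusables table.

```python
"""Classify sender/URL domains against a list of protected brand domains:
legitimate, typosquat (edit distance or homoglyph), brand name embedded in
the registrable label, or the brand domain used as a subdomain of a third party.
Added example; not code from the newsletter or Recorded Future. The protected
list and indicators are constructed; "registrable domain" = last two labels
is an assumption standing in for the Public Suffix List."""
from urllib.parse import urlsplit

PROTECTED = ["brand-news.example", "mediacorp.example"]  # constructed brand list

# Multi-character confusables are folded before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def levenshtein(a, b):
    """Edit distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Lower-case and fold look-alike character sequences to their targets."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def extract_host(indicator):
    """Host from a URL, a bare domain, or an e-mail address."""
    s = indicator.strip().lower()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1].rstrip(".")
    if "://" not in s:
        s = "//" + s
    return (urlsplit(s).hostname or "").rstrip(".")


def registrable(host):
    return ".".join(host.split(".")[-2:])


def classify(indicator, protected=PROTECTED, max_distance=2):
    """Score one indicator against the protected list."""
    host = extract_host(indicator)
    reg = registrable(host)
    if reg in protected:
        return {"host": host, "verdict": "legitimate", "matched": reg, "distance": 0}
    for p in protected:
        if p + "." in host:  # brand domain sitting under another registrable domain
            return {"host": host, "verdict": "subdomain-impersonation", "matched": p, "distance": None}
    distance, nearest = min((levenshtein(normalize(reg), normalize(p)), p) for p in protected)
    if distance <= max_distance:
        return {"host": host, "verdict": "typosquat", "matched": nearest, "distance": distance}
    for p in protected:
        if p.split(".")[0] in reg.split(".")[0]:
            return {"host": host, "verdict": "brand-embedded", "matched": p, "distance": None}
    return {"host": host, "verdict": "clean", "matched": None, "distance": distance}


# Constructed indicators, as they might appear in mail or proxy logs.
SAMPLE_INDICATORS = [
    "https://news.brand-news.example/story",          # real brand subdomain
    "https://brand-nevvs.example/login",              # vv -> w homoglyph
    "http://mediacrop.example",                       # transposed letters
    "editor@brand-news.example.mail-check.example",   # brand as a subdomain elsewhere
    "brand-news-login.example",                       # brand name plus a lure word
    "https://unrelated.example/",
]

if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        r = classify(ind)
        print(f"{r['verdict']:24} {r['host']}  (matched {r['matched']}, distance {r['distance']})")
```

Run against sender domains and clicked hosts from the last 30 days, anything other than "clean" or "legitimate" is a candidate for a block and a look at who received it. Keep max_distance small: at 3 or more, short brand names start colliding with unrelated words.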


What KnowBe4 Customers Say

"Hi Stu, thanks for reaching out and asking about our results. We are very pleased with the product and the company and can honestly say that this has been the best onboarding journey I have ever experienced (and I have been a CIO for over 25 years!) I would not hesitate to recommend the company to my peers."

- H.S., CIO

"Hello Stu, very happy thank you. TammyS is our customer success manager and she is incredible. She knows what she is talking about, is efficient, responds quickly and an absolute joy to work with. I very much look forward to our weekly call. If we need any further technical assistance we usually have EdK assist us and he is also very friendly and helpful. Many Thanks."

- T.J., Senior Cyber Security Awareness Analyst

The 10 Interesting News Items This Week
  1. Botnet that hid for 18 months boasted some of the coolest tradecraft ever:
  2. Top Questions from CISOs on Cyber Insurance:
  3. Cyber Command sent a ‘hunt forward’ team to help Lithuania harden its systems:
  4. Chinese 'Override Panda' Hackers Resurface With New Espionage Attacks:
  5. REvil Revival: Are Ransomware Gangs Ever Really Gone?:
  6. Russia to Rent Tech-Savvy Prisoners to Corporate IT?:
  7. South Korea’s Intelligence Agency Has Joined NATO’s Cyber Defense Unit. China Isn’t Happy:
  8. U.S. sanctions Bitcoin laundering service used by North Korean hackers:
  9. White House wants nation to prepare for cryptography-breaking quantum computers:
  10. Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation:
Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2022 KnowBe4, Inc. All rights reserved.
