CyberheistNews Vol 12 #20 [Heads Up] Now You Need to Watch Out for Spoofed Vanity URLs...


CyberheistNews Vol 12 #20  |   May 17th, 2022
[Heads Up] Now You Need to Watch Out for Spoofed Vanity URLs...
By Stu Sjouwerman, SACP

Researchers at Varonis warn that attackers are using customizable URLs (also known as vanity URLS) on SaaS services to craft more convincing phishing links. The attackers have used this technique for links created through Box, Zoom, and Google Docs and Forms.

“While vanity URLs provide a custom, easy-to-remember link, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL’s subdomain (e.g., yourcompany.example[.]com), but instead only validate the URI (e.g., /s/1234),” the researchers write.

“As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account. Achieving this is as easy as changing the subdomain in the link.

“These spoofed URLs can be used for phishing campaigns, social engineering attacks, reputation attacks, and malware distribution.” The researchers explain that this technique can fool security technologies as well as humans.
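To make the validation gap concrete, here is an added illustration (not Varonis's research code and not any SaaS vendor's implementation): a toy share-link resolver that, like the applications the researchers describe, looks up only the resource ID from the URI path, shown next to a hardened version that also checks the resource's owning tenant against the vanity subdomain. The base domain, tenant names and resource IDs are constructed sample data.

```python
"""
Added illustration, not Varonis's or any SaaS vendor's code: a toy
share-link resolver with the validation gap described above, beside
the hardened version. All tenants, domains and resource IDs below are
constructed sample data.
"""
from urllib.parse import urlparse

BASE_DOMAIN = "example.com"  # hypothetical SaaS base domain

# Shared resources keyed by the ID that appears in the URI path (/s/<id>),
# each owned by the tenant (SaaS account) that created it.
RESOURCES = {
    "1234": {"tenant": "acme",     "content": "Q2-roadmap.pdf"},
    "9999": {"tenant": "attacker", "content": "invoice-phish.html"},
}

# Vanity subdomain each tenant has registered with the SaaS provider.
VANITY_TO_TENANT = {"acme": "acme", "attacker": "attacker"}


def parse_share_link(url):
    """Return (vanity_subdomain, resource_id) or raise ValueError."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        raise ValueError("not a share link on " + BASE_DOMAIN)
    subdomain = host[: -len(suffix)]
    parts = p.path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "s" or not parts[1]:
        raise ValueError("unexpected URI format")
    return subdomain, parts[1]


def resolve_vulnerable(url):
    """Validates only the URI: any vanity subdomain serves any resource."""
    _subdomain, rid = parse_share_link(url)
    res = RESOURCES.get(rid)
    return None if res is None else res["content"]


def resolve_hardened(url):
    """Also requires the resource's owner to match the vanity subdomain."""
    subdomain, rid = parse_share_link(url)
    res = RESOURCES.get(rid)
    tenant = VANITY_TO_TENANT.get(subdomain)
    if res is None or tenant is None or res["tenant"] != tenant:
        return None  # answer 404/403: never serve another tenant's content here
    return res["content"]


if __name__ == "__main__":
    # Attacker's own resource, but linked under the victim company's subdomain.
    spoofed = "https://acme.example.com/s/9999"
    print("vulnerable:", resolve_vulnerable(spoofed))  # serves the phish under acme's name
    print("hardened:  ", resolve_hardened(spoofed))    # None
```

The fix belongs to the SaaS provider; from the receiving side you cannot tell from the link alone whether the resource sits in your tenant, so treat a link to your own vanity subdomain with the same suspicion as any other until the resource has been confirmed in the provider's admin console. Bear in mind, too, that URL-reputation filters will see a subdomain they have been told to trust.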

CONTINUED at the KnowBe4 blog with links and an INFOGRAPHIC about ROGUE URLS you can share with your users:

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately “flip” a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users’ mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, May 18 @ 2:00 PM (ET), for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, May 18 @ 2:00 PM (ET)

Save My Spot!

Wave of Crypto Muggings Hits London's Financial District

Criminals in London are targeting digital currency investors on the street in a wave of “crypto muggings,” with victims reporting that thousands of pounds were stolen from their crypto wallets after their mobile phones had been forcibly taken.

City of London police provided The Guardian with several crime reports detailing how thieves have been able to take cryptocurrency by using both physical muscle and digital prowess. Here are a few examples of the incidents from those reports according to The Guardian:

  • A victim ordering an Uber near Liverpool Street station was forced by muggers to hand over his phone. The gang eventually gave the phone back, but by then the damage had been done: £5,000-worth of ethereum digital currency was missing from his Coinbase account.
  • A man was approached by a group of people offering to sell him cocaine and he willingly went down an alley with them to do the deal. The men said they were typing a number into his phone but in reality they went to his cryptocurrency account, and forcibly made him unlock the app with facial verification. They transferred £6,000-worth of ripple, another digital currency, out of his account.
  • A third victim said he was vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole £28,700, including cryptocurrency.
  • In another case, a victim was using his phone in the pub and believes thieves saw him enter his account pin. His cards and phone were pickpocketed that evening, with £10,000 later stolen from his account.
  • A student in Kent claimed last year that eight people stormed his university accommodation and forced him to transfer £68,000 of bitcoin at knifepoint.
  • Later that year, the American technology entrepreneur Zaryn Dentzel told police he had been attacked at home in Madrid by masked thieves. He said they tortured him with a knife and stun gun before disappearing with millions of euros in bitcoin.

CONTINUED at the KnowBe4 Blog:

Log4j - Kevin Mitnick Explains One of the Most Serious Vulnerabilities in the Last Decade

The Log4j vulnerability caused widespread panic for IT professionals when it was uncovered. Sleepless nights followed for many. But a shortage of time and manpower has left this vulnerability wide open in many organizations. Is your organization one of them?

In this on-demand webinar, Kevin Mitnick, KnowBe4's Chief Hacking Officer and The World's Most Famous Hacker, and Colin Murphy, KnowBe4's Chief Information Officer, share their experience with the Log4j vulnerability. Hear their first-hand accounts of testing network environments with this incredibly easy hack.

In less than 30 minutes, you'll learn:

  • Real life examples of this bug bounty bonanza
  • Potential consequences of these attacks
  • Remediation - blocking the perimeter is not enough
  • The future for this class of exploits

Plus, you’ll see a mind-blowing demo showing how easy this exploit is to carry out. The implications of this vulnerability are far-reaching. Learn how you can protect your organization from this dangerous threat now!

Watch Now!

Report of 450% Increase in SEO Phishing

Researchers at Netskope have observed a 450% increase in phishing downloads over the past twelve months, largely driven by attackers using SEO to improve the search engine ranking of malicious sites. Most of these downloads were malware-laden PDF files.

“The top web referrer categories contained some categories traditionally associated with malware, particularly shareware/freeware, but were dominated by more unconventional categories,” Netskope says. “The ascension of the use of search engines to deliver malware over the past 12 months provides insight into how adept some attackers have become at SEO.

“Malware downloads referred by search engines were predominantly malicious PDF files, including many malicious fake CAPTCHAs that redirected users to phishing, spam, scam, and malware websites.”

Additionally, the researchers found that attackers are increasingly hosting their malware in the regions they’re targeting, which improves their chances of success.

“The report also found that most malware over the past 12 months was downloaded from within the same region as its victim, a growing trend that points to the increasing sophistication of cybercriminals, which more frequently stage malware to avoid geofencing filters and other traditional prevention measures,” Netskope says.

CONTINUED with links at the KnowBe4 blog:

Re-Check Your Email Attack Surface Now. (We Are Always Adding New Breaches)

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Cybercriminals are getting smarter every year. Add it all up and your organization's risk skyrockets with the amount of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with KnowBe4’s Email Exposure Check Pro. EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of breach databases.

EEC Pro leverages one of the largest and most up-to-date breach data sources to help you find even more of your users’ compromised accounts that have been exposed in the most recent data breaches - fast.

Do this complimentary test now!

Get your EEC Pro Report in less than five minutes. It’s often an eye-opening discovery. You are probably not going to like the results...

Get Your Report

Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard

Some good news for a change. It is rare that these three 800-pounders are all supporting the same security standard, but here we are:

"In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

"The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

"The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

"This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS."

Here is the full press release:
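Why a passkey cannot be phished is worth seeing in code. The following is an added example, not from the press release, the three vendors or the FIDO Alliance: a simplified model of a WebAuthn/FIDO2 login with the two mechanisms that defeat a credential-harvesting page. The browser, not the web page, writes the page origin into clientDataJSON and only lets a page use credentials whose RP ID matches that origin, and the relying party checks origin, challenge and RP ID hash before it trusts the signature. The relying party name is hypothetical, and HMAC-SHA256 stands in for the authenticator's public-key signature so that the example runs on the standard library alone.

```python
"""
Added example (not from the page, the three vendors or the FIDO Alliance):
a simplified model of a WebAuthn/FIDO2 passkey login showing why it resists
phishing. Two mechanisms do the work:
  1. the browser, not the web page, writes the page origin into
     clientDataJSON and only lets a page use credentials whose RP ID is the
     origin's domain (or a parent of it);
  2. the relying party (RP) checks origin, its own challenge and the RP ID
     hash before it trusts the signature.
Assumption: HMAC-SHA256 stands in for the authenticator's asymmetric
signature so this runs on the standard library alone; the real protocol
uses a public-key signature and CBOR/base64url encodings.
"""
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"             # hypothetical relying party
RP_ORIGIN = "https://bank.example"


class Authenticator:
    """Stores one credential per RP ID and signs only for that RP ID."""

    def __init__(self):
        self.credentials = {}  # rp_id -> secret (stand-in for a private key)

    def make_credential(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # stand-in for the public key

    def get_assertion(self, rp_id, client_data_hash):
        key = self.credentials.get(rp_id)
        if key is None:
            raise LookupError("no credential scoped to " + rp_id)
        # authenticatorData: rpIdHash (32 bytes) || flags (user-present bit set)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


class Browser:
    """Models the user agent: it, not the page, fixes the origin and RP ID."""

    def __init__(self, authenticator):
        self.authn = authenticator

    def credentials_get(self, page_origin, requested_rp_id, challenge):
        host = page_origin.split("://", 1)[1]
        if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
            raise PermissionError("RP ID is not a registrable suffix of the origin")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True,
        ).encode()
        client_data_hash = hashlib.sha256(client_data).digest()
        auth_data, sig = self.authn.get_assertion(requested_rp_id, client_data_hash)
        return client_data, auth_data, sig


def rp_verify(public_key, issued_challenge, client_data, auth_data, sig):
    """The RP's checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != issued_challenge:   # replay protection
        return False
    if cd.get("origin") != RP_ORIGIN:             # the anti-phishing check
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(public_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(page_origin, requested_rp_id):
    """Register at the real RP, then try to log in from page_origin."""
    authn = Authenticator()
    public_key = authn.make_credential(RP_ID)
    browser = Browser(authn)
    challenge = os.urandom(16).hex()  # freshly issued by the RP for this login
    try:
        cd, ad, sig = browser.credentials_get(page_origin, requested_rp_id, challenge)
    except (PermissionError, LookupError):
        return "blocked"  # browser or authenticator refused to produce an assertion
    return "accepted" if rp_verify(public_key, challenge, cd, ad, sig) else "rejected"


if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN, RP_ID))                          # accepted
    print(login_attempt("https://bank-login.example", RP_ID))       # blocked
    print(login_attempt("https://bank-login.example", "bank-login.example"))  # blocked
```

Contrast this with an SMS one-time code: a lookalike site can ask for the code and relay it to the real site in real time. Here the lookalike site can neither invoke the credential (the browser refuses the RP ID) nor register a credential that the real site would accept, and even a subdomain the RP does not expect is turned away by the origin check. In production, use a maintained WebAuthn library rather than hand-rolled verification; this model only shows which checks matter.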


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: "Red Flag" - Putin Pulls Russian FSB Spy Agency Out of Ukraine and Replaces it With Mil Int GRU:

PPS: Master of Agitprop: Vladimir Putin blames West for war in Ukraine in Victory Day speech:


Vladimir Putin, "Family Man" in the NY Times:

Quotes of the Week  
"A wise man makes his own decisions, an ignorant man follows public opinion."
- Chinese Proverb

"A character in the story is asked how he went bankrupt. His reply: 'Two ways… gradually, then suddenly.'"
- A famous line from Hemingway’s The Sun Also Rises

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News
Business Email Compromise Shouldn’t Be a 43 Billion Dollar Cost of Doing Business

The FBI last week published a public service announcement updating its warnings about the continuing threat of business email compromise (BEC). The problem has reached shocking proportions: between June of 2016 and December of 2021, the Bureau counted 241,206 domestic and international incidents of business email compromise.

The “exposed dollar loss” (which includes both actual and attempted losses) is the real shocker: $43,312,749,946, more than $43 billion.

At its root, BEC is a social-engineering problem. “The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds,” the FBI explains. Some of its variants don’t necessarily involve a direct, unauthorized transfer of funds.

The crooks also look for “Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.”

And the problem is growing worse. “Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses.” Part of the increase may be attributable to the growing use of cryptocurrencies, which are well adapted to fast funds transfers and have a reputation for anonymity. “The IC3 has received an increased number of BEC complaints involving the use of cryptocurrency.”

The public service announcement offers some suggestions businesses might follow to protect themselves. Some of them involve instituting sound policies, like using “secondary channels or two-factor authentication to verify requests for changes in account information,” or seeing to it that “the settings in employees' computers are enabled to allow full email extensions to be viewed.”

Many of them, however, are matters of training:

  • “Ensure the URL in emails is associated with the business/individual it claims to be from.
  • “Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • “Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • “Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
  • “Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.”

These, and other points, can be addressed in new-school security awareness training that can enable your employees to recognize business email compromise.
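Two of the FBI's points, that the URL should belong to the business it claims to come from and that hyperlinks may carry misspellings of the real domain, can also be checked by machine before a message reaches a user. The following is an added example, not the FBI's or KnowBe4's code: it pulls the links out of an HTML email, flags any whose visible text names a different domain than the href actually goes to, and flags any href whose domain is within two edits of a domain on a trusted list. The email body and the trusted-domain list are constructed sample data.

```python
"""
Added example, not the FBI's or KnowBe4's code: a small audit of the links in
an HTML email that mechanises two of the FBI's points, that the URL should
belong to the business it claims to be from and that hyperlinks may carry
misspellings of the real domain. The email and trusted list are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains your staff legitimately transact with.
TRUSTED_DOMAINS = {"acmebank.com", "knowbe4.com"}

# Constructed sample email: one display/href mismatch, one lookalike domain,
# one clean link.
SAMPLE_EMAIL = """
<p>Hi, please review your statement at
<a href="https://acmebank-secure.com/login">https://acmebank.com/login</a>
and <a href="http://acrnebank.com/wire">update the wire details</a> today.
Archive: <a href="https://acmebank.com/statements">acmebank.com</a></p>
"""

DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registrable_domain(host):
    """Last two labels of the host. Simplification: a real check should use
    the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collects (href, visible anchor text) pairs."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html):
    """Return [(href, [reasons])] for every link that deserves a second look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != target:
            reasons.append("display text says %s but link goes to %s"
                           % (registrable_domain(shown.group(1)), target))
        for trusted in sorted(TRUSTED_DOMAINS):
            if target != trusted and levenshtein(target, trusted) <= 2:
                reasons.append("%s is a lookalike of trusted %s" % (target, trusted))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Edit distance catches typosquats like the constructed acrnebank.com but not homoglyph domains, which arrive as punycode (an `xn--` label in the href); treat those as a separate, stricter rule. Tune the distance threshold against your own list, since two sister domains of one partner can legitimately sit two edits apart.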

Story with links at the KnowBe4 blog:

Mustang Panda Attacks Western Countries, Uses Spearphishing to Conduct Cyberespionage

The China-based threat actor Mustang Panda is conducting spearphishing campaigns against organizations in NATO countries and Russia, as well as entities in the U.S. and Asia, according to researchers at Cisco Talos. The goal of this activity is cyberespionage.

“This attacker started attacks earlier this year where a vast majority of the lures and decoys consisted of themes related to the European Union (EU),” the researchers write. “For example, in early January 2022, we saw the attackers employ a lure that consisted of a European Commission report on state aid to Greece between 2022 and 2027.

Toward the end of January, the attackers started using a press release from the EU regarding the union's human rights priorities in 2022. The attackers also started taking advantage of publications and documents related to the degrading relations between Ukraine and Russia.

In late January, the group started spreading a lure containing PlugX that disguised itself as a report from the EU's general secretary.” The researchers note that the threat actor is using the war in Ukraine as phishbait to target certain countries.

“As recently as March 2022, we discovered a downloader pretending to be a report on the current situation along European borders with Belarus,” the researchers write. “In another instance, we observed an executable named ‘Благовещенск - Благовещенский Пограничный Отряд[dot]exe’ roughly translating to ‘Blagoveshchensk - Blagoveshchensk Border Guard Detachment[dot]exe’, a report on the border detachment to a town located on the Sino-Russian border.”

Mustang Panda has improved its malware arsenal over the past year to avoid detection. “Apart from Mustang Panda's tool of choice, PlugX, we've observed a steady increase in the use of intermediate payloads such as a variety of stagers and reverse shells,” Talos says. “The group has also continuously evolved its delivery mechanisms consisting of maldocs, shortcut files, malicious archives and more recently seen downloaders starting with 2022.

Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves.” New-school security awareness training can enable your employees to recognize targeted social engineering attacks.

Cisco Talos has the story:

What KnowBe4 Customers Say

Hi Stu, I just wanted to give a shout out for SteveD. The support he has provided since I have taken over KnowBe4 has been immediate and unbelievably helpful.

We have completely rebuilt our phishing program from the ground up that includes a unique training for our new hires as well as a veteran campaign directly for our best phish hunters.

The complexity of our smart groups is pretty impressive and I am excited to brag about this to my leadership and can honestly say we have a state of the art phishing program thanks to Steve’s help.

Please reach out to him and give him the kudos he deserves! Please also take a look at the plan we have created for this new program. Let me know if there is anything else I can do for him or you.

- L.K., Information Security Analyst

The 10 Interesting News Items This Week
  1. With Viasat Satellite Hack Officially Attributed to Russia by U.S. and EU Allies, What Next for Satellite Security?:
  2. Hackers are exploiting popular networking gear used in most Fortune 50 companies:
  3. Colonial Pipeline Gets 1 Mil Fine for Security Failures:
  4. UK Critical Infrastructure Firms See Cyber-Attacks Surge:
  5. 10 best practices to reduce the probability of a material breach:
  6. Costa Rica declares a state of emergency as Conti ransomware cripples multiple government sites:
  7. CIA selects new CISO with deep private sector experience:
  8. Eternity malware kit offers stealer, miner, worm, ransomware tools:
  9. Hackers are using tech services companies as a 'launchpad' for attacks on customers:
  10. The Case for War Crimes Charges Against Russia’s Sandworm Hackers:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
