CyberheistNews Vol 12 #22 [Heads Up] The New Verizon 2022 Data Breach Investigation Report Shows Sharp Rise in Ransomware




CyberheistNews Vol 12 #22  |   June 1st, 2022

By Stu Sjouwerman, SACP

Verizon has published its 2022 Data Breach Investigations Report, finding that ransomware breaches rose by 13% last year, an increase as large as the previous five years combined. 82% of breaches involved the human element, which encompasses phishing, stolen credentials, misuse and error. The researchers also found that the supply chain was behind 62% of system intrusion incidents last year.

"There are four key paths leading to your estate," Verizon writes, and lists them: "Credentials, Phishing, Exploiting vulnerabilities, and Botnets. All four are pervasive in all areas of the DBIR, and no organization is safe without a plan to handle each of them."

And while the rise in ransomware features prominently in the report, Verizon notes that "ransomware by itself is, at its core, simply a model of monetizing an organization's access."

Blog post with links:
https://blog.knowbe4.com/ransomware-involved-in-25-percent-of-data-breaches

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, June 8 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-Code Phishing Tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization’s security culture with your peers
  • NEW! AI-Driven training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, June 8 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3713729/BD8F8A0FE3D2CE20F847A5BDA6B2BFDA?partnerref=CHN2

That’s Not Actually Elon Musk

Scammers are using deepfake videos of Elon Musk in an attempt to trick people into handing over cryptocurrency, BleepingComputer reports. The scammers set up a phony cryptocurrency platform called "BitVex" that purports to be owned by Musk. The crooks then used hacked YouTube accounts to spread deepfaked videos of Musk and other people associated with cryptocurrency to promote the platform.

"To use the BitVex platform, users must register an account at bitvex[.]org or bitvex[.]net to access the investment platform," BleepingComputer says. "Once you log in, the site will display a dashboard where you can deposit various cryptocurrencies, select an investment plan, or withdraw your earnings. Like almost all cryptocurrency scams, the dashboard will display recent withdrawals of various cryptocurrencies to make the site appear legitimate."

Visually speaking, the deepfake is pretty convincing. However, the voice and script are unusual enough that observant users could recognize that something is wrong. Additionally, BleepingComputer points out that there are other indicators that this is a scam.

"While it is obvious that the interviews have been altered to simulate Elon Musk's voice to promote the BitVex trading platform, numerous other clues show that this is a scam," BleepingComputer says.

Blog post with links:
https://blog.knowbe4.com/thats-not-actually-elon-musk

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, June 8 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18, and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due

Date/Time: Wednesday, June 8 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3714144/AD2312CF5D51664B6E34DCB6118D9449?partnerref=CHN2

Don't Just Have a Compliance Season, Have a Culture of Compliance

By John Just, KnowBe4's Chief Learning Officer.

"We want compliance training to be impactful like your security awareness training."

With this sentiment, our customers have been quite clear about what they want to see from our compliance training library Compliance Plus. Our customers have gravitated to our approach of deploying engaging, ongoing, high-quality security awareness training and want to see the same for compliance topics.

In a study from market research firm Ipsos, 80% of workers believe regular and frequent training is more important than formal workplace training, so our customers seeking a similar approach to compliance training are in good company.

Still, other organizations treated security awareness a lot like they had been treating compliance training: roll it out once per year and just check the box so we can say we have trained people in case (really when) something happens.

Seeking a Culture of Compliance

The most successful organizations focus on changing behavior and ultimately the culture of the organization. This means that the training is engaging, ongoing and high quality. The goal of such training should be for employees to feel a genuine effort was made to connect with them. This is accomplished by explaining possible consequences, providing real examples, and helping them understand the threats that non-compliance poses to the organization.

Creating a culture of compliance has its own momentum and is closely tied into the overall organization's culture. It can be daunting to think about trying to make an impact, some think it impossible. But we have many customers who are doing it.

Notice, I didn't say we are helping people or we are doing it for them, because they have to own it. We just provide assistance and materials where we can. No consultant, audit, or even training provider can make enough of a difference to make an organization have a strong culture of compliance.

Choosing the right partners for your organization is important, but the main factor is having the will to make the changes that need to be made and putting forth the effort required to be a compliance program that is a model for best practice.

Getting Out of the Compliance Training Rut

Some organizations are stuck in the rut of a compliance season mentality that just says, "Let’s get this over with." We have to expect more from our training programs if we are going to get more and do the training more than once per year.

Changing organizational culture is hard work, but it is worth it. Organizations are spending an hour or two of every employee's time per year on this training. That is no small commitment, and everything should be done to maximize this investment, including trying to make a real difference in reducing risk and avoiding possible negative outcomes. It is the mitigation of this risk where the ROI on your training investment comes into play.

CONTINUED:
https://blog.knowbe4.com/culture-of-compliance

Understanding the Threat of NFT and Cryptocurrency Cyber Attacks and How to Defend Against Them


A growing number of organizations worldwide are utilizing cryptocurrency for a host of investment, operational, and transactional purposes. Seemingly overnight, technologies like non-fungible tokens (NFTs) emerged and just as quickly, cybercriminals learned how to capitalize on organizations’ naivete for their own benefit.

Are you still not sure about the ins and outs of NFTs and cryptocurrencies? Should your organization even care? The answer is YES, and we are here to help you make sense of it all. Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, as he shares what you need to know to defend yourself in this new age of Web 3.0.

Roger will cover:

  • The business impact of NFTs and cryptocurrencies: What are they and why should you care
  • The various and increasingly popular attacks against NFT and cryptocurrencies
  • How you can best defend yourself and your organization from becoming the victim of an attack
  • The projected future of NFTs and cryptocurrencies

Stay up-to-date on the latest technologies and their hidden threats! Plus, earn CPE for attending this event.

Date/Time: Wednesday, June 15 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3808653/26F4784C86D918E01E028B0029CCD40D?partnerref=CHN

 

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: OutHorse Your Email to Iceland's Horses. (This is just a funny ad):
https://www.flixxy.com/outhorse-your-email-to-icelands-horses.htm?utm_source=4

PPS: You simply GOTTA watch "Navalny" at HBO. This is the guy who social engineered his own FSB poisoners:
https://www.hbomax.com/feature/urn:hbo:feature:GYmFp9ATv1JSBmwEAAACW

Quotes of the Week  
"Life is going to make a lot of demands on you – including many good things like partners, careers, hobbies, kids – but life is most fulfilling as a team sport, because we achieve more and feel better together."
- Reid Hoffman, Vanderbilt University, 2022

"You are going to fall down, but the world doesn't care how many times you fall down, as long as it is one fewer than the times you get back up."
- Aaron Sorkin, Syracuse University, 2012

"Whatever you want to do, do it now. For life is time, and time is all there is."
- Gloria Steinem, Tufts University, 1987

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-22-heads-up-the-new-verizon-2022-data-breach-investigation-report-shows-sharp-rise-in-ransomeware

Security News
UK Post Office Impersonation


Researchers at Malwarebytes have spotted a phishing campaign that’s impersonating the UK postal service company Post Office with phony notifications that a delivery has been stopped due to an unpaid customs fee.

"Half the email is taken up by a giant logo for an organization that is instantly recognizable to anyone in the UK," Malwarebytes says. "The scammers are building trust in the sender and telling users this is about a postal delivery, without writing a word. They are also piggybacking on a very familiar form of email communication.

"Delivery companies like DHL and Royal Mail regularly bombard us with email and SMS updates about deliveries, recipients are often asked to click through to websites to track parcels, and occasionally they have to pay postage or customs fees."

Observant users could recognize red flags in the email body, but scammers know they’ll get enough people to fall for the scam. "The spelling and grammar in the email is predictably awful, and a little weird—it looks like a bad scan by an optical character reader (OCR)," the researchers write.

"However, despite decades of security advice highlighting poor spelling and grammar as an enormous red flag, the fact is it doesn’t seem to hurt the scammers. So while other tactics have evolved, poor English has persisted."

The scammers have also taken steps to obscure the phishing URL by using a Google open redirect. "Users who hover their pointer over the email’s links, hoping to see if they look nefarious, will be disappointed, as they’ll just see an impenetrably-complicated URL," the researchers write.

"A lot of emails use odd-looking and convoluted URLs, so it’s rare to see links that are obviously good or obviously bad, and these are unlikely to ring alarm bells. The only oddity that might tip off knowledgeable users is that links go to Google....This URL in the email is borrowed from a Google search results page.

"Why? Because the links in Google search results pages are open redirects that can be used by anyone to create a google[.]com URL that will redirect to a web page of their choice. Many companies regard open redirects as a security vulnerability, but Google does not."
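The redirect trick described above can be checked mechanically before anyone hovers over a link. The following script is an added example, not code from the newsletter or from Malwarebytes: it takes the raw href from an email, recognises the google.com /url redirector that search-result links use (the destination is carried in the q or url query parameter), unwraps it without making any request, and compares the real landing domain with the domains the email claims to be from. The parcel-fee destination host and the Post Office domain list are constructed for illustration.

```python
"""Unwrap google.com/url open-redirect links found in phishing emails.

Added example (not part of the original newsletter or the Malwarebytes
write-up). Everything is resolved offline by parsing the URL, so the
script never touches the attacker's site.
"""
from urllib.parse import urlparse, parse_qs

# Hosts whose /url endpoint acts as an open redirector.  Country-specific
# Google domains (google.co.uk, ...) would need adding for full coverage.
GOOGLE_REDIRECT_HOSTS = {"google.com", "www.google.com"}
# Query parameters in which the /url endpoint carries the destination.
REDIRECT_PARAMS = ("q", "url")


def unwrap_google_redirect(href: str, max_hops: int = 5) -> str:
    """Return the innermost destination behind nested google.com/url wrappers.

    Links that are not Google redirects are returned unchanged.  max_hops
    bounds the work so a maliciously deep nesting cannot loop forever.
    """
    current = href
    for _ in range(max_hops):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        if host not in GOOGLE_REDIRECT_HOSTS or parsed.path != "/url":
            return current
        params = parse_qs(parsed.query)          # percent-decodes each value
        target = next((params[p][0] for p in REDIRECT_PARAMS if p in params), None)
        if target is None:
            return current
        current = target
    return current


def landing_domain(href: str) -> str:
    """Hostname the user would actually land on, lower-cased."""
    return (urlparse(unwrap_google_redirect(href)).hostname or "").lower()


def is_brand_mismatch(href: str, claimed_domains: set[str]) -> bool:
    """True when the real landing host is not one of the claimed brand's
    domains (or a subdomain of one), i.e. the link contradicts the logo."""
    host = landing_domain(href)
    return not any(host == d or host.endswith("." + d) for d in claimed_domains)


# Constructed sample: a 'Post Office' parcel-fee lure whose landing page is
# hidden behind google.com/url.  The destination host is made up.
SAMPLE_HREF = (
    "https://www.google.com/url?q=https%3A%2F%2Fparcel-fee-check.example"
    "%2Fpostoffice%2Fpay&sa=D&source=editors&ust=1653000000000000"
)
# Constructed sample: the same trick wrapped twice (encoded once per layer).
NESTED_HREF = (
    "https://www.google.com/url?q=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3D"
    "https%253A%252F%252Fevil.example%252Fa"
)
# Assumed legitimate domains for the impersonated brand (illustrative list).
POST_OFFICE_DOMAINS = {"postoffice.co.uk", "royalmail.com"}

if __name__ == "__main__":
    for href in (SAMPLE_HREF, NESTED_HREF):
        print(landing_domain(href), "mismatch:", is_brand_mismatch(href, POST_OFFICE_DOMAINS))
```

Run over the hrefs extracted from a suspicious message, the script turns the "impenetrably-complicated URL" into a plain domain that a secure email gateway rule or a help-desk analyst can compare against the brand in the logo. The hop limit matters: because Google's /url endpoint will happily redirect to another /url link, an attacker can nest wrappers to defeat naive single-level unwrapping.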

New-school security awareness training can enable your employees to thwart phishing and other types of social engineering attacks.

Malwarebytes has the story:
https://blog.malwarebytes.com/scams/2022/05/if-you-get-an-email-saying-item-stopped-due-to-unpaid-customs-fee-its-a-fake/

New Phishing Attack Uses Malicious Chatbot for Real Time Social Engineering


Researchers at Trustwave have observed a phishing campaign that uses a chatbot to add legitimacy to the scam. The chatbot sits on an innocuous-looking website and is designed to convince the user to visit the phishing site by striking up a conversation and walking the victim through the process.

"In general, using chatbots adds an interactive component to a website," the researchers write. "This often results in a higher conversion rate because it makes the site more interesting and engaging for the users. This is what the perpetrators of this phishing campaign are trying to capitalize on.

"Aside from spoofing the target brand on the phishing email and website, the chatbot-like component slowly lures the victim to the actual phishing pages. Also, the addition of fake OTP and CAPTCHA pages makes the phishing website seem more legitimate."

The scammers impersonate DHL and attempt to convince the user that their delivery address has been lost. The phishing page asks the user to enter their email address, password, and credit card details in order to update their delivery details.

"The credit card page has some input validation methods," the researchers write. "One is card number validation, wherein it tries to not only check the validity of the card number but also determine the type of card the victim has inputted.

"Once the victim fills out the form, clicking the ‘PAY NOW’ button will redirect the victim to a loading page, which after a few seconds will then redirect to an OTP (One-Time Password) page. The OTP is automatically generated characters (numeric or alphanumeric) which are usually sent to the user’s registered mobile number. This serves as another layer of user authentication for a single transaction or session."

Despite the effort put into the chatbot, the researchers note that this scam is still delivered via email, and users could recognize red flags in the phishing message itself. New-school security awareness training can enable your employees to thwart innovative phishing attacks.

Blog post with links:
https://blog.knowbe4.com/phishing-with-chatbot-social-engineering

What KnowBe4 Customers Say

"We just sent out our first Cybersecurity training campaign and are scheduling our first Compliance training for June. I have been very impressed with the quality of the training content and the functionality of the system.

"We are happy to be one of KnowBe4's partners.

"I would like to point out our Customer Success Manager, Eric A., is fantastic! He is always available and is extremely patient as I and our HR Manager are learning the system. Thanks for reaching out."

- G.R., COO


 
"Hi Stu, We are incredibly satisfied. The baseline test was an eye opener for a lot of folks. We have had mostly positive feedback from the Mitnick training and several of our staff members said this type of training would be beneficial to our clients and staff's family members. I am interested to see how our results go for the next testing phase.

"We actually had several outside phishing attempts right after the baseline test was revealed, and the staff reported quite a few emails that turned out to be phishing. So I think even before the initial training completes our agency is in a better place of awareness than before!"

- M.C., Operations Project Coordinator

The 10 Interesting News Items This Week
  1. Human error tops causes of data breaches, says new 2022 Verizon report:
    https://www.itworldcanada.com/article/human-error-tops-causes-of-data-breaches-says-verizon-report/485343

  2. Interpol arrests alleged leader of the SilverTerrier BEC gang:
    https://www.bleepingcomputer.com/news/security/interpol-arrests-alleged-leader-of-the-silverterrier-bec-gang/

  3. Messages Sent Through Zoom Can Expose People to Cyber-Attack:
    https://www.infosecurity-magazine.com/news/messages-zoom-expose-cyberattack/

  4. CLOP Ransomware Activity Spiked in April:
    https://www.darkreading.com/threat-intelligence/clop-ransomware-activity-spiked-in-april

  5. Beijing needs the ability to 'destroy' Starlink, say Chinese researchers:
    https://www.theregister.com/2022/05/25/beijing_starlink_takedown/

  6. Hackers target Russian govt with fake Windows updates pushing RATs:
    https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/

  7. Cyberattacks against UK CNI increase amidst Russia-Ukraine war:
    https://www.intelligentciso.com/2022/05/26/cyberattacks-against-uk-cni-increase-amidst-russia-ukraine-war/

  8. This Russian botnet does far more than DDoS attacks - and on a massive scale:
    https://www.zdnet.com/article/russian-fronton-botnet-spreads-misinformation-on-a-massive-scale/

  9. Nation-state malware could become a commodity on dark web soon, Interpol warns:
    https://securityaffairs.co/wordpress/131618/cyber-crime/nation-state-malware-dark-web.html

  10. Greenland says health services 'severely limited' after cyberattack:
    https://therecord.media/greenland-cyberattack-healthcare-systems/
