CyberheistNews Vol 12 #28 [Eye Opener] Lessons Learned From a Big Hotel's Recent Data Breach Caused by Social Engineering

Cyberheist News

CyberheistNews Vol 12 #28  |   July 12th, 2022

[Eye Opener] Lessons Learned From a Big Hotel's Recent Data Breach Caused by Social Engineering

Stu Sjouwerman, SACP

This week Marriott International, one of the largest hotel chains, suffered their second data breach of 2022. The attack by a group named "Group with No Name" (GNN) took place in early June and they used social engineering to trick one of the hotel employees into granting access to that associate's computer.

Luckily the data breach only affected a few hundred users, but there are some valuable lessons to be shared on how important it is to implement new-school security awareness training across your whole organization.

Monthly short training reinforcement followed by simulated phishing tests

"Organizations need to ensure that all employees are frequently educated about social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and applied the training," said Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.

Assess your employees for their strengths and weaknesses

KnowBe4 has a 10-minute Security Awareness Proficiency Assessment, grounded in recent research, to assess your users' susceptibility to cybercrime, and more specifically, their susceptibility in relation to your organization’s cyber security needs. Learn more about proficiency and culture assessments:

Employees found to be susceptible to a particular type of social engineering attack should be required to take more and longer training until they have developed a natural instinct to recognize these types of attacks. This process can be fully automated with smart groups.

Above all: Don’t get a reputation as an easy target

This latest data breach reveals that organizations can't afford to gain a reputation as an easy target. If your org falls victim to a data breach, then there’s a high likelihood that other attackers will attempt to target you again, making the assumption that your organization has weak security controls.

A good example is a recent Cybereason report showing that 73% of all organizations have experienced a ransomware attack in the last 12 months, and for those that were attacked, the question of whether the ransom was paid always comes up. But even after paying the ransom, 80% experienced a second attack and 68% were asked for a higher ransom!

The only way to avoid this predicament is to implement the latest detection and response solutions and to invest in frequent security awareness training, so that employees embrace security best practices and become an effective last line of defense.

Here are 10 more best practices that you can use to make your organization a hard target:

  • Integrate as many of your security layers as possible into an XDR solution
  • Deploy and enforce multi-factor authentication for the maximum amount of users
  • Make sure to always have weapons-grade off-site backups in place and test your restore function regularly
  • Make sure URL filtering is tuned correctly for your next-gen Secure Email- and Web Gateways
  • Make sure your endpoints are patched, both the OS and all 3rd party apps
  • Review your internal financial security policies and procedures, to prevent CEO fraud
  • Check your firewall configuration and make sure no criminal network traffic is allowed out to C&C servers
  • Make sure your social engineering training covers multiple attack vectors, not just email
  • Work on your security budget to show it is increasingly based on measurable risk reduction
  • With any ransomware infection, nuke the infected machine(s) from orbit and re-image from bare metal

Valuable education infographics such as our Social Engineering Red Flags PDF will teach your users to identify these types of attacks.

Blog post with links:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, July 13 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-Code Phishing Tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization’s security culture with your peers
  • NEW! AI-Driven training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, July 13 @ 2:00 PM (ET)

Save My Spot!

[Scam of the Week] Amazon Prime Day or Amazon Crime Day? Don't Fall Victim to Phishing

As Amazon Prime Day approaches, Checkpoint research is sending a warning that Amazon Prime Day scams will ramp up very soon.

A few weeks ago we shared cybersecurity tips to stay safe during Amazon Prime Day. Make sure to give your users a heads-up that they need to think before they click. I would send your employees, friends and family something like the following. Feel free to copy/paste/edit.

"On July 12th, Amazon Prime Day will occur, and you may receive a phishing email for a good 'deal.' Please be careful with anything related to Amazon Prime Day: emails, attachments, any social media, texts on your phone, anything. There will be a number of scams related to this, so please remember to think before you click!"

New-school security awareness training will ensure your users are able to spot a suspicious phishing email tied to any current event.

Blog post with links:

See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, July 13 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at new compliance management features we've added to make managing your compliance projects even easier!

  • NEW! Control guidance feature provides in-platform suggestions to help you create controls to meet your requirements for frameworks such as CMMC, GDPR, HIPAA, NIST, PCI, SSAE 18 and more
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulation
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met and past due

Date/Time: TOMORROW, Wednesday, July 13 @ 1:00 PM (ET)

Save My Spot!

Ransomware Gang Creates "User-Friendly" Stolen Data Search Site for Employee Victims

In an interesting extortion twist to get ransomware victims to pay up, one gang has created a search site to allow employees to see if their own private information has been made public.

Traditionally, ransomware gangs have used stolen data to extort their victim into paying the ransom. Because the data taken runs to tens or hundreds of gigabytes, the historically normal practice has been to slowly leak out the data, making it accessible to whoever decides to visit the ransomware gang's data publication site.

But, like any business model that's not working, sometimes it takes a bit of innovation and evolution of the execution to secure the desired outcome. That is the case with the newest – and, reportedly, the most sophisticated – ransomware "kid" on the block, AlphV/BlackCat ransomware.

According to BleepingComputer, this gang has shied away from the traditional extortion techniques and instead built out a relatively user-friendly website that allows employees of the victim organization to search through the stolen data to see if their personal data is included.

This technique feels like it would add some pressure onto the organization to pay to have this site taken down (in addition to the leaking of all the data, etc.).

This kind of evolution in innovative ransomware techniques (and more like it) should be expected, as ransomware isn't going anywhere anytime soon. This means your organization needs to put the necessary effort into keeping ransomware from making its way onto your network.

This effort should include the organization’s user base who, with the right security awareness training, can help augment your security stance and lower the likelihood that ransomware will successfully strike.

Blog post with links and screenshots:

Hacks That Bypass Multi-Factor Authentication and How to Make Your MFA Solution Phishing Resistant

The average person believes that using Multi-Factor Authentication (MFA) makes them significantly less likely to be hacked. That is simply not true! Hackers can bypass 90-95% of MFA solutions much more easily than you would think. Using a regular-looking phishing email, they can bypass MFA just as easily as if it were a simple password.

Join Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, for this new webinar to learn common MFA hacking techniques and what it takes to make your MFA phishing resistant. He’ll also share a pre-filmed MFA hacking demo from Kevin Mitnick, KnowBe4’s Chief Hacking Officer.

In this webinar you'll learn:

  • Government recommendations for effective MFA
  • Characteristics that make MFA easily hackable
  • Features you should look for in a strong MFA solution
  • Which phish-resistant MFA you should be using
  • Why a strong human firewall is your best, last line of defense

Get the information you need to know now to better defend your network. And earn CPE for attending!

Date/Time: Wednesday, July 20 @ 2:00 PM (ET)

Save My Spot!

Phishing Emails Still Top the List as the Initial Attack Vector for Ransomware Attacks

The latest data on ransomware trends from backup vendor Veeam demonstrate the impact these attacks have on backups and an organization's ability to recover.

Whenever we're talking about ransomware attacks, there needs to be a discussion about backups and the ability to be operationally resilient through recovery. But, according to Veeam's 2022 Ransomware Trends Report, organizations are not truly prepared for the sophisticated attacks they are facing.

These attacks target backups with intensity, seeking to remove your ability to recover without first paying the ransom. According to the report:

  • Backup repositories are targeted in 94% of attacks
  • These same repositories were impacted in some way in 68% of attacks
  • Attackers targeted specific systems and platforms (think Windows, VMware, NAS, etc.) in 80% of attacks
  • On average, 47% of all data was encrypted
  • And for those thinking to just pay the ransom, of those organizations that paid the ransom, 31% of them still could not recover their data

And while most organizations are able to begin recovery efforts within minutes to hours, a whopping 93% of organizations say it took between a week and four months to be completely operational again.

So, how are these very impactful attacks gaining entrance into your network? According to the report, phishing emails, malicious links, etc. were the initial attack vector in 44% of ransomware attacks (infected software, external RDP credential spraying, insider threat, and zero day/critical vulnerabilities followed as top attack vectors).

Your protective cybersecurity strategy needs to stand toe-to-toe with threat actors' actions. If they are using phishing, you need to be laser focused on how to stop each and every malicious email that comes in. Software solutions play a role, but so do the users interacting with their inboxes. Those that have been enrolled in security awareness training will be far more likely to spot a phishing attack and stop it before it gains traction.

It's evident from the Veeam data that you can’t afford to have a ransomware attack hit your organization. The emphasis must be placed on stopping the attacks where they start – at the inbox.

Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from June 2022. LOTS of new goodies:

PPS: Ammo for your c-suite by yours truly in FastCompany: "Why ransomware attacks are so successful and what your business can do to prevent them":

Quotes of the Week
"I find that the harder I work, the more luck I seem to have."
- Thomas Jefferson (1743 - 1826)

"Do something wonderful, people may imitate it."
- Albert Schweitzer (1875 - 1965)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Crafty Phishing Campaign Is Targeting TrustWallet With Impersonation Emails

Vade Secure warns that a phishing campaign is targeting TrustWallet cryptocurrency wallet users with phony verification emails.

"The phishing email itself impersonates the TrustWallet brand," the researchers write. "[T]he TrustWallet logo matches TrustWallet’s official logo and includes a support link titled 'Support 2022.' Additionally, Zendesk's legitimate footer appears at the bottom of the email, giving the email an additional air of legitimacy from a known, trusted brand.

"The phishing email informs the user that their wallet must be verified due to an NFT update. Failing to verify the wallets, the email warns, will result in account suspension. The user is encouraged to verify their account by June 15 by clicking on a phishing link with the CTA 'Verify your wallet.'

"After clicking the link, the user is taken to a convincingly spoofed TrustWallet page that asks them for their recovery phrase.

"The user is asked to enter their recovery phrase to unlock their wallet," the researchers write. "Most cryptocurrency wallets use 12-word recovery phrases, but in some cases, they may use 24. The phisher has considered this and includes a button to click if the user does in fact use a 24-word recovery phrase.

"This technique accomplishes two things: First, it makes the phishing page seem more legitimate in the eyes of the user because it has covered both scenarios. Second, the phishing page can accept credentials from either 12- or 24-word recovery phrases, widening the scope of the phishing campaign."

The researchers conclude that users need to be wary of messages like this, even if the email address appears legitimate. "While inspecting the sender email address is an important step in scrutinizing an email for signs of email spoofing in phishing, it is not always enough to recognize an attack," Vade says.

"As is the case in this TrustWallet phishing attack, the email address is a legitimate, albeit malicious Zendesk email, so inspecting the domain is not helpful in recognizing the attack."

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks.

Blog post with links:

New Phishing Campaign Impersonates Canada Revenue Agency

A phishing campaign is impersonating the Canada Revenue Agency (CRA) in an attempt to steal Canadians’ personal information, according to Rene Holt at ESET. The phishing emails inform users that they’ve received a tax refund of just under CAD$500.

The user is directed to click on a link to a spoofed Government of Canada site. "Understanding how phishers abuse links in emails, the CRA has taken the wise strategy of not providing links in official correspondence and instead instructing clients to navigate on their own to the official website," Holt writes.

"If, however, you do click on the 'Interac e-Transfer Autodeposit' button, you are redirected from a malicious link hosted on istandyjeno[.]hu to the malicious subfolder cra_ca_service hosted on oraclehomes[.]com." While the phishing page is a convincing replica, users could recognize the site as a scam if they tried to visit other pages.

"Clicking on 'Jobs' simply populates the URL with the value of the id attribute of the HTML element for 'Jobs,'" Holt says. "Next, if you click on the 'Proceed' button on the opening page, the next page asks for your personal information, including your social insurance number, date of birth, and mother’s maiden name – indeed, everything a phisher would need for identity theft."
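The two tells Holt describes above (menu links that are dead fragment anchors, and a form that collects identity data and posts it to a different domain) can be checked mechanically against a captured landing page. The following triage script is an added example, not code from ESET, Vade or KnowBe4; the HTML and all domains in it are constructed placeholders.

```python
"""Heuristic triage of a captured phishing landing page.
Flags: navigation anchors that go nowhere, a form posting to a host other
than the page's own, and form fields asking for identity/recovery data.
Added example; the sample HTML and hostnames are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a cloned "tax portal" whose menu is all '#id' anchors
# and whose form asks for identity data, posting to a collector host.
SAMPLE_HTML = """
<html><body>
<nav>
  <a id="home" href="#home">Home</a>
  <a id="jobs" href="#jobs">Jobs</a>
  <a id="contact" href="#contact">Contact</a>
</nav>
<form action="https://collector.example-phish.test/submit" method="post">
  <input name="sin"> <input name="dob"> <input name="mothers_maiden_name">
  <button>Proceed</button>
</form>
</body></html>
"""

SENSITIVE = {"sin", "ssn", "dob", "mothers_maiden_name",
             "recovery_phrase", "seed", "password"}


class PageFeatures(HTMLParser):
    """Collect anchor hrefs, form actions and input names from the HTML."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.actions, self.inputs = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") is not None:
            self.hrefs.append(a["href"])
        elif tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and a.get("name"):
            self.inputs.append(a["name"].lower())


def dead_link_ratio(hrefs):
    """Share of anchors that lead nowhere: empty, '#...' or javascript:."""
    if not hrefs:
        return 0.0
    dead = [h for h in hrefs
            if h.strip() == "" or h.startswith("#")
            or h.lower().startswith("javascript:")]
    return len(dead) / len(hrefs)


def analyze(html, page_host):
    """Return (score, reasons); each reason is one clone-like tell found."""
    p = PageFeatures()
    p.feed(html)
    reasons = []
    ratio = dead_link_ratio(p.hrefs)
    if ratio >= 0.8:
        reasons.append(f"{ratio:.0%} of links are dead anchors")
    for action in p.actions:
        host = urlparse(action).hostname
        if host and host != page_host:
            reasons.append(f"form posts to {host}, not {page_host}")
    asked = sorted(SENSITIVE & set(p.inputs))
    if asked:
        reasons.append("form requests " + ", ".join(asked))
    return len(reasons), reasons


if __name__ == "__main__":
    print(analyze(SAMPLE_HTML, "portal.example-phish.test"))
```

A score of 0 on a legitimate page and 3 on the constructed sample shows the idea; in practice the page host comes from the URL the user was redirected to, not from the email.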

Holt offers the following recommendations for users to avoid falling for these scams:

  • "Consider whether the purported sender normally communicates via email in this way.
  • "Rather than clicking on links in an email, it is better to navigate manually to the official website of the apparent sender.
  • "Check for obvious mistakes in the email. For example, why would the Canada Revenue Agency send you email from
  • "Always be wary of sharing your personal and financial information with any webpage.
  • "Familiarize yourself with the CRA scam alerts page, especially with the samples of fraudulent emails impersonating the CRA."

New-school security awareness training can give your employees a healthy sense of skepticism so they can recognize these types of social engineering attacks.

Blog post with links:

What KnowBe4 Customers Say

"Seriously, I am loving the products that we use from Knowbe4. We are in process right now of getting everyone through what we're calling our "Initial training" campaign which will be a part of our onboarding process, we have already completed 1 phishing test and I've got another one in mind for the end of next month.

"The only thing that I'm a little disappointed about was that season 4 of "Inside man" ended on a bit of a cliffhanger.....What's Going To Happen Next? LOL.

"All teasing aside, the service that I've been getting from Cory B. has been outstanding. He's been super helpful and very patient with my idiotic questions. I know that I'm thrilled that we're working with KnowBe4, and I know that my management is equally as satisfied with what we're able to set up by using the Phishing services. Cheers!"

- L.J. - Assistant Director, Information Systems

The 10 Interesting News Items This Week

  1. FBI and MI5 Bosses Warn of "Massive" China Threat:
  2. The cryptopocalypse is nigh! NIST rolls out new encryption standards to prepare:
  3. Advanced Phishing Scams Target Middle East and Impersonate UAE Ministry of Human Resources:
  4. Weaponizing Hacktivists Seems a Logical Progression for Russia:
  5. North Korea Behind Manually Executed Ransomware Attacks, Federal Agencies Say. PDF:
  6. Fascinating Interview. Arrested Russian hacker Pavel Sitnikov looks to start a new chapter:
  7. Microsoft rolls back a default macro block in Office:
  8. [Scam of the Week] Amazon Prime Day or Amazon Crime Day? Don't Fall Victim to Phishing:
  9. North Korea Suspected of Plundering Crypto to Fund Weapons Programs:
  10. Giant data breach? Leaked personal data of one billion Chinese people has been spotted for sale on the dark web:

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff

  • WOW! See how cities around the globe have changed since 1984 through a Google Earth time-lapse video:
  • People Are Awesome is celebrating the first 6 months of 2022 with their favorite videos of the year:
  • Penn & Teller Fool Us: "PERFECT!" new John-Henry in 2022:
  • The Hoover Dam | All the Secrets of this Engineering Wonder:
  • Strapping a jet engine to a bicycle... What could go wrong?:
  • A classic working flight simulator, no computers necessary:
  • Music theory cheat poster:
  • Canada & The United States' Bizarre Border:
  • Lockpicking Lawyer Picks Electronic doorknob FAST:
  • A lap onboard with Max Verstappen and biker Fabio Wibmer in a F1 2-seater at the Red Bull Ring:
  • For Da Kids #1 - Meet Disco the incredible talking budgie:
  • For Da Kids #2 - Seal Pup As Small As A Carry On Bag Nursed Back To Health:
  • For Da Kids #3 - Alpaca Won't Leave His Sick Friend’s Side:
  • For Da Kids #4 - Norwegian Forest Cats solving a puzzle for dogs:
  • For Da Kids #5 - Puppy Brings His Favorite Toys To His Tortoise BFF Everyday:

Topics: Cybercrime, KnowBe4
