CyberheistNews Vol 12 #36 [Eye Opener] So, Your MFA Is Phishable, What to Do Next?

Cyberheist News

CyberheistNews Vol 12 #36  |   September 7th, 2022

[Eye Opener] So, Your MFA Is Phishable, What to Do Next?Stu Sjouwerman SACP

We've written a lot about multi-factor authentication (MFA) not being the Holy Grail to prevent phishing attacks, we also have an eBook on the subject, and we have several webinars on the subject including a very recent one. (links to blog below)

Most MFA is Easily Phishable

Many people are shocked when we show them how easy it is to bypass or hack most MFA solutions. In the majority of cases, it's as easy to do as phishing a password. On the blog we have a good example video demonstrating how easy it is to phish past most MFA solutions.

Use Phishing-Resistant MFA When You Can

So, our advice is to use PHISHING-RESISTANT MFA and not just ANY MFA, whenever possible. Actually, it's not just our advice. The U.S. government has been saying not to use easily phishable MFA at least since 2017. Presidential executive orders in 2021 and 2022 have again reinforced the idea that no one should be using easily phishable MFA.

Despite this, perhaps 90% to 95% of the MFA used by most people today is easily phishable. Well, the ultimate solution is to upgrade or move to phishing-resistant MFA when you can. Knowbe4's Data-Driven Defense Evangelist, Roger A. Grimes, keeps an up-to-date list of every MFA solution and type he is aware of that is phishing-resistant. Use one of those phishing-resistant MFA solutions if you can.

But if you already have a phishable MFA solution, most of the time it is not easy to replace or change to a phishing resistant form. You have what you have. Or what you use is forced upon you by a vendor or service you want to do business with. Much of the time when you have phishable MFA you can't easily upgrade or replace.

What to Do? So, what's a person or organization supposed to do if they have easily phishable MFA and can't simply change it?


No matter what type of MFA solution you have or use, easily phishable or not, there are ways to hack and get around it. Nothing is unhackable, not even the strongest, most secure form of MFA. So, the solution is to educate yourself and all other stakeholders, especially end-users, about the following topics:

  • How to correctly use the MFA solution
  • Strengths and weaknesses of the MFA solution
  • The common possible attacks for that type of MFA and how to detect and prevent
  • What to do during rogue hacking attempts (i.e., defeat and report it)
  • What MFA does and doesn’t prevent

For example, if your MFA solution is susceptible to man-in-the-middle attacks like shown earlier, make sure everyone using it that you manage is aware that they still have to pay attention to URL links sent to them to make sure they are legitimate. This may sound like common sense, but you'd be surprised how many end-users think that their MFA solution explicitly protects them against rogue phishing links, and that belief can be dangerous.


Request a PhishER Demo and Get Your Free 'Gone Phishin' Hat!

Phishing is still the No. 1 attack vector. Your users are exposed to malicious email daily. They can now report those to your Incident Response (IR) team. But how to best manage your user-reported messages?

Here is what the CIO of a 500-million-dollar financial services company said:

"An excellent, cost-effective way to handle phishing. We rely on PhishER heavily to detect, investigate, and remove phishing emails efficiently and effectively. It's an excellent tool for our SOC team members. The automation has been a life saver."

Find out how to cut through your IR-inbox noise and respond to the most dangerous threats more quickly and efficiently. See how you can meet critical SLAs within your organization to process and prioritize threats and legitimate emails.

To learn how, get your 30-minute demo of PhishER, the world's most popular Security Orchestration, Automation and Response (SOAR) platform. In this live one-on-one demo, we will show you how easy it is to identify and respond to email threats faster:

  • Cut through your Incident Response inbox noise and respond to the most dangerous threats much faster. Save hundreds of hours.
  • See how PhishML™ works, machine-learning that analyzes every message ingested into PhishER and makes your "Clean, Spam or Threat" prioritization process easier, faster, and more accurate
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace.
  • NEW! Automatically flip malicious spear-phishing attacks into safe simulated phishing campaigns with PhishFlip.
  • Easy deployment of the Phish Alert Button into your user's email client or forwarding to a mailbox works too!

See for yourself how PhishER can help you identify and respond to email threats faster.


Offer expires September 30th.

To be entered into the Free Draw: US or Canada residents only (excluding Quebec). One gift per entrant. Free Draw date: 9/30/2022. Sorry, students and professors are not eligible to win. Terms and Conditions apply.

[KREBS ON SECURITY] How 1-Time Passcodes Became a Corporate Liability

Phishers are enjoying remarkable success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest technology companies and customer support firms.

A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: The ability of scammers to interact directly with employees through their mobile devices.

In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer's Okta authentication page.

Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

The phishers behind this scheme used newly registered domains that often included the name of the target company and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule.

The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server.

This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign "0ktapus" for the attackers targeting organizations using identity management tools from

"This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations," Group-IB wrote. "Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance."

It's not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies.

A great many responses came from those who were apparently wise to the scheme, as evidenced by the hundreds of hostile replies that included profanity or insults aimed at the phishers: The very first reply recorded in the Telegram bot data came from one such employee, who responded with the username "havefuninjail."

Still, thousands replied with what appear to be legitimate credentials — many of them including one-time codes needed for multi-factor authentication. On July 20, the attackers turned their sights on internet infrastructure giant, and the intercepted credentials show at least five employees fell for the scam (although only two employees also provided the crucial one-time MFA code).


[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Thursday, September 8 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-code phishing tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW Thursday, September 8 @ 2:00 PM (ET)

Save My Spot!

Combatting Rogue URL Tricks: Quickly Identify and Investigate the Latest Phishing Attacks

Everyone knows you shouldn't click phishy links. But are your end users prepared to quickly identify the trickiest tactics bad actors use before it's too late? Probably not.

Cybercriminals have moved beyond simple bait and switch domains. They're now employing a variety of advanced social engineering techniques, like sneaky rogue URLs, to entice your users into clicking and putting your network at risk.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this webinar as he shows you how to become an expert phish finder. He'll dive deep into the latest techniques and defenses to share:

  • Real-life examples of advanced attacks using rogue digital certificates, homograph attacks and more
  • Safe forensic methods for examining URLs and other tactics for investigating phishy emails
  • Strategies for dissecting URLs on mobile without clicking
  • Simple ways you can train your users to scrutinize URLs and keep your network safe

Find out what you need to know to keep your network protected and safe from the latest phishing attacks and earn CPE for attending!

Date/Time: September 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

Phishing Attacks Leveraging Legitimate SaaS Platforms Soar 1100%

As threat actors look for ways to evade detection by security solutions, the use of cloud applications has seen a material jump in the last 12 months, according to new data.

While we see plenty of cyberattacks that utilize dark infrastructure to accomplish their malicious activities, more and more we're seeing a trend where threat actors are taking advantage of web-based application platforms to utilize their legitimacy to ensure phishing email delivery all the way to the Inbox.

In the latest report from Palo Alto Network's Unit42, "Legitimate SaaS Platforms Being Used to Host Phishing Attacks", we find that the increases are far greater than expected. According to the report, the following types of SaaS platforms were included in their analysis of phishing URLS:

Blog post with grid, breakout and soaring statistic here:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Interesting article. "What is Web3? How a decentralized internet could upend the digital economy":

PPS: Check out the brand-new datasheet for the Compliance Plus 300+ item courseware library [PDF]:

Quotes of the Week  
"Knowledge is not power, it is only potential. Applying that knowledge is power. Understanding why and when to apply that knowledge is wisdom."
- Takeda Shingen - Daimyo (Japanese Lord) (1521 - 1573)

"Risk comes from not knowing what you're doing."
- Warren Buffett

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Instagram Phishing: Scammers Exploit Instagram Verification Program

Researchers at Vade warn that an email phishing campaign is informing users that their Instagram account is eligible to receive a blue verification badge. If a user clicks the link, they'll be taken to a spoofed Instagram login page designed to steal their credentials.

"First discovered by Vade in late July, the scam exploits Instagram's highly sought-after verification program to dupe victims into divulging personal information and account credentials," the researchers write. "The malicious attack targets specific users of the social media platform, showing more sophistication than other phishing campaigns that pursue victims indiscriminately."

The emails impersonate Instagram, and are tailored to each target. The phishing page URL is "teamcorrectionbadges[DOT]com."

"The phishing email uses the subject line, 'ig bluebadge info' and the name, 'ig-badges,'" the researchers write. "The body text explains that the victim's Instagram profile has been reviewed and deemed eligible for verification.

"The Instagram and Facebook logos at the header and footer of the email attempt to create an air of legitimacy, as does the use of the victim’s actual Instagram handle, showing the hackers researched their target before the attack."  The researchers note that observant users could recognize some discrepancies and signs of social engineering in the email.


84% of Americans Have Experienced Some Form of Social Engineering

Researchers at NordVPN have published the results of a survey that found that 84% of Americans have experienced some form of social engineering, although only 54% have heard of the term "social engineering." 85% percent of the respondents said they were aware of the term "phishing," and 36% said they had fallen victim to a phishing email.

The researchers found that phishing emails are the most common form of social engineering attacks, followed by text message phishing (smishing) and voice phishing (vishing):

  • 48% – Suspicious emails with links and attachments and/or asking for their personal information
  • 39% – Suspicious texts with links and attachments and/or asking for their personal information
  • 37% – Pop-up advertisements that were difficult to close
  • 37% – Suspicious email(s) containing links, attachments or asking them to reply and divulge work/business information
  • 32% – Suspicious email(s) from someone posing as an important personal who was asking them to wire them funds
  • 27% – Suspicious voicemail(s) asking the recipient to divulge personal information
  • 26% – A virus on their computer or phone
  • 19% – Malware on their device that redirected them to a fake version of a website

ordVPN offers the following advice to help users recognize these types of attacks.

"The point of a social engineered attack is to get you to follow a link or sign up to something," the researchers write. "The best way to recognize a socially engineered attack is to analyze the language of the message.

"Is the language desperate? Does the message imply there's a time limit to whatever request it's asking for? Does the message sound urgent? Remember that most banks will never text you and ask for your login credentials. In fact, any text message or email you receive that requests any kind of login details is probably best suited for the trash bin."

Blog post with links:

What KnowBe4 Customers Say

"Hi Stu, Thanks for checking in on us. Our initial training program is in progress, ready to end this Friday. Our staff have been positive about the content and appear to be completing the training without a lot of prodding from me.

"My CEO stopped by yesterday to let me know that he appreciated the training and, as luck would have it, use the PAB to report 3 phishing messages. I would also like to say that I really appreciate Jacob D., who has made the onboarding experience really easy. His help, and the excellent documentation from KnowBe4 have made getting up and running a great experience."

- L.B., Director of IT

"Hi Stu, Thanks for checking in. We are VERY happy. The Customer Success Manager, Nick W., that we've been working with is fantastic, helpful and personable. The ASAP tool is outstanding! We've onboarded with many different platforms from Adobe to Zoom, and KnowBe4's ASAP tool has made this process so easy and clear. I cannot say enough good things."

- T.B., IT Operations Manager

The 10 Interesting News Items This Week
  1. [Insurance] Who Pays for an Act of Cyberwar? Could be nobody:

  2. Turkish malware used to infect machines in 11 countries through fake Google Translate links:

  3. Hackers hide malware in James Webb telescope images:

  4. Suspected Russian Ransomware Group Hacks Italian Energy Agency:

  5. How Are Ransomware Groups' Shakedown Tactics Evolving?:

  6. CISA, NSA and npm Release Software Supply Chain Guidance:

  7. Trend Micro Warns of 75% Surge in Ransomware Attacks on Linux as Systems Adoptions Soared:

  8. Why the Twilio Breach Cuts So Deep:

  9. Detecting Scatter Swine: Insights into a relentless phishing campaign:

  10. Experts warn of the first known phishing attack against PyPI:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe To Our Blog

Free Phishing Security Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews