CyberheistNews Vol 12 #44 | November 1st, 2022
[INFOGRAPHIC] KnowBe4 Top-Clicked Phishing Email Subjects for Q3 2022
KnowBe4's latest quarterly report on top-clicked phishing email subjects is here. We analyze "in the wild" attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, and top attack vector types.
Business-Related Phishing Attempts Still Trending
Business phishing emails have always been effective and continue to be successful because of their potential to affect a user’s workday and routine. This quarter's results reveal that 40% of email subjects are HR related, creating a sense of urgency in users to act quickly, sometimes before thinking logically and taking the time to question the email's legitimacy.
We also see that the top attack vector for this quarter is phishing links in the body of an email. These combined tactics can have destructive outcomes for organizations and lead to a multitude of cyberattacks such as ransomware and business email compromise.
My Take...
As phishing emails evolve and become more sophisticated, it is imperative that organizations prioritize security awareness training for all employees, now more than ever. Phishing emails that disguise themselves as internal communications are especially concerning since they are sure to grab the attention of users and typically incite action.
New-school security awareness training for employees helps combat phishing and malicious emails by educating users on what to look out for. It is the key to creating a healthy level of skepticism to better protect an organization and build a stronger security culture.
Q3 2022 Top-Clicked Phishing Emails
In Q3 2022, we examined "in-the-wild" email subject lines that show actual emails users received and reported to their IT departments as suspicious. We also reviewed tens of thousands of email subject lines and categories from simulated phishing tests, and top attack vector types in both categories.
[CONTINUED] The full list of results and a downloadable infographic are on our blog:
https://blog.knowbe4.com/knowbe4-top-clicked-phishing-email-subjects-for-q3-2022-infographic
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, November 2 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! KnowBe4 Mobile Learner App - Your Users Can Now Train Anytime, Anywhere!
- NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
- NEW! AI-Driven phishing and training recommendations for your end users
- Did You Know? You can upload your own SCORM training modules into your account for home workers
- Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 50,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: TOMORROW, Wednesday, November 2 @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3947021/2F2FD9B91E67A4D9191D17466E31D0F3?partnerref=CHN2
[Eye Opener] Work in IT? You Get Attacked Much More Than Other Employees
We received an interesting email from Elevate Security you need to be aware of. Their recent research showed: "Social engineering attacks are growing more sophisticated every day, victimizing your workforce users and triggering security breaches. The worst part? Social engineering attacks are on the rise. And your IT engineers and developers are being attacked more often than other organizational departments."
July 2022, IT engineers were targeted 8x more often than non-engineers
They continued: "Since April 2022, social engineering attacks on IT engineers, on average, have increased 142% from 5.79 times per month to 8.25 times per month. In fact, in July 2022, IT engineers were targeted 8x more often than non-engineers. They published an infographic that illustrates this increased risk."
Elevate Security notes that although engineers are not inherently riskier than other workforce users, this increased frequency of attacks raises their likelihood of unintentionally triggering a security breach, regardless of their behavior.
They invited us to check out their infographic, The Rise of Social Engineering Attacks: An Overview of the State of Cybercrime to explore the state of cyber crime and social engineering attacks as they stand today, and they even mentioned Kevin Mitnick, our Chief Hacking Officer. Recommended.
Blog post with links:
https://blog.knowbe4.com/eye-opener-work-in-it-you-get-attacked-much-more-than-other-employees
[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress
You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.
KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.
Join us TOMORROW, Wednesday, November 2 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new Jira integration features we've added to make managing your compliance projects even easier!
- NEW! Jira integration enables you to sync risk and compliance data between Jira and KCM - no more copying and pasting tasks!
- Vet, manage and monitor your third-party vendors' security risk requirements
- Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
- Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
- Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due
Date/Time: TOMORROW, Wednesday, November 2 @ 1:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/3946861/3A90FBA37F51FD30E69A881264C94458?partnerref=CHN2
[APPLY TODAY] Security Awareness Training Eligible for 185 Million DHS Cybersecurity Grant Opportunity
The Department of Homeland Security (DHS) is providing $185 million of grant money this year to U.S. states and territories to bolster their cybersecurity defenses, which includes security awareness training. The program will provide one billion dollars over the next four years to help states and territories become more resilient to cyber threats.
The State and Local Cybersecurity Grant Program seeks to make targeted cybersecurity investments in state, local and tribal government agencies to improve the security of critical infrastructure and boost the resilience of the services these governments provide their communities.
The program ranks security awareness training as a priority for the cyber security posture of state and local governments. Such training is listed as one of four top objectives of the program.
The deadline for states to apply for grant funding this year is Nov. 15, 2022, at 5 p.m. ET
Local governments (counties, cities, etc.) cannot apply directly for funds and must work with their respective states when/if those states receive funding. That said, the program requires states to pass along 80% of funds received to local governments, so this is definitely something for local governments to keep an eye on.
The DHS will make funding selections no later than Nov. 30, 2022, and states will be notified no later than Dec. 31.
More about the grant application requirements at the KnowBe4 blog:
https://blog.knowbe4.com/apply-today-security-awareness-training-eligible-for-185-million-dhs-cybersecurity-grant-opportunity
[Hacking Biometrics] If You Thought Your Fingerprints Were Safe, Think Again!
When you think of using biometric technology as part of your multi-factor authentication process, you assume these attributes are safe. Cybercriminals can't hack your fingerprints, can they? The answer may surprise you!
Biometric attributes aren't as safe as they once were. Cybercriminals are always coming up with new ways to get around safeguards, and biometric-based hacks are on the rise.
Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, as he dives into how biometrics can work, how they can be used against you, and how you can best protect your organization.
In this session you'll learn:
- How biometric attributes are stored and used
- Why your digital fingerprint is not nearly as unique as you think
- How cybercriminals steal biometric data and use it against you
- Attributes of strong biometric solutions
- Why training your users is your best, last line of defense
Get the information you need now to protect your network and earn CPE credit for attending!
Date/Time: Wednesday, November 9 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot!
https://info.knowbe4.com/hacking-biometrics?partnerref=CHN
Stolen Devices and Phishing
Researchers at Cyren describe a phishing attack that followed the theft of an iPad. The iPad was stolen on a train in Switzerland and briefly appeared on Apple's location services in Paris a few days later. The owner assumed the iPad was lost for good, but sent a message to the iPad with her phone number just in case.
More than six months later, the owner received a text message claiming to be from Apple Support, claiming that her iPad had been found. The message included a link to a spoofed iCloud website that asked for her Apple login details. Fortunately, she didn't fall victim to this attack.
Cyren's researchers then tied this attack to a sophisticated phishing kit designed to spoof multiple Apple services. The attacker receives the stolen data via a custom-made Telegram bot.
"A Telegram bot is useful for this purpose since it allows for easy broadcast via the cloud – in technical terms, an HTTP API," the researchers write. "It's surprisingly easy to set up a Telegram bot for this purpose; the process can be done in about one minute. After creating a bot, you receive an authentication token.
"The authentication token allows you to control the bot and send messages. The reason that the attackers are using it is because Telegram has an HTTP-based interface which allows bot owners to send messages just using an HTTP request that includes the token of the bot, a chat id, and the message. This is all completely free of charge and the bot owner doesn't need their own separate server to handle the communication. It is also user friendly for the attacker as he conveniently receives the victim info in a Telegram chat."
After stealing the credentials and logging into the victim's account, the phishing kit will automatically remove the linked iCloud account from the device. This allows the attacker to "reset the stolen devices and set them up as new devices so they can be sold."
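The Telegram channel the researchers describe is something a defender can hunt for: the kit talks to Telegram's public Bot API over HTTPS, so an outbound request from a workstation to `api.telegram.org/bot<token>/sendMessage` is a strong signal anywhere Telegram bots are not expected. The script below is an added example for this newsletter, not code from Cyren, KnowBe4 or the phishing kit. It scans web-proxy log lines for Bot API calls, rates them by method, and redacts the bot secret before reporting. The log format, IP addresses, bot ids and tokens are constructed sample data; the only thing taken from outside the article is the documented shape of the Bot API path (`/bot<numeric id>:<secret>/<method>` on `api.telegram.org`).

```python
"""Hunt for Telegram Bot API traffic in outbound web-proxy logs.

Added example, not code from Cyren, KnowBe4 or the phishing kit. The kit
described above delivers stolen Apple credentials through Telegram's HTTP
Bot API (token + chat id + message), so a host sending requests to
api.telegram.org/bot<token>/sendMessage is worth a look wherever Telegram
bots are not expected. All log lines, IPs, bot ids and tokens below are
constructed sample data.
"""
import re
from dataclasses import dataclass

# Public Bot API path shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
# Proxies without TLS inspection only log the CONNECT host, so also match the bare host.
HOST_ONLY = re.compile(r"^(?:https?://)?api\.telegram\.org(?::\d+)?(?:/|$)")
# Methods that push data out of the victim host; anything else rates lower.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    bot_id: str      # "" when only the host was visible
    method: str      # "" when only the host was visible
    severity: str    # high / medium / low
    evidence: str    # URL with the bot secret redacted, safe to paste into a ticket


def scan_proxy_log(lines):
    """Return one Finding per log line that talks to the Telegram Bot API."""
    findings = []
    for line in lines:
        # Constructed line format: "<timestamp> <src_ip> <http_method> <url> <status>"
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, _http_method, url = parts[:4]
        m = BOT_CALL.search(url)
        if m:
            severity = "high" if m.group("method") in EXFIL_METHODS else "medium"
            evidence = url.replace(m.group("secret"), "<redacted>")
            findings.append(Finding(ts, src, m.group("bot_id"), m.group("method"), severity, evidence))
        elif HOST_ONLY.search(url):
            # Host seen but no path: still unusual on a workstation, so report it at low severity.
            findings.append(Finding(ts, src, "", "", "low", url))
    return findings


# Constructed sample log: one benign line, one exfil call carrying a chat id,
# one polling call, one unrelated telegram.org hit, one CONNECT-only record.
SAMPLE_LOG = [
    "2022-10-20T09:14:02Z 10.20.30.44 GET https://www.example.com/ 200",
    "2022-10-20T09:14:05Z 10.20.30.44 POST https://api.telegram.org/bot123456789:AAExampleExampleExampleExampleExamp/sendMessage?chat_id=987654321 200",
    "2022-10-20T09:15:11Z 10.20.30.51 GET https://api.telegram.org/bot555000111:BBExampleExampleExampleExampleExamp/getUpdates 200",
    "2022-10-20T09:16:00Z 10.20.30.60 GET https://telegram.org/ 200",
    "2022-10-20T09:17:30Z 10.20.30.77 CONNECT api.telegram.org:443 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.src_ip} bot={f.bot_id or '?'} "
              f"method={f.method or '?'} {f.evidence}")
```

Run against the sample it reports the `sendMessage` call as high, the `getUpdates` call as medium and the CONNECT-only record as low, and never writes the bot secret to output. In practice the host-only match matters most, since most corporate proxies do not decrypt TLS and will only ever show you the CONNECT to `api.telegram.org`; the higher-fidelity path match needs TLS inspection or an endpoint agent that sees the full URL.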
Blog post with links:
https://blog.knowbe4.com/stolen-devices-and-phishing
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Your KnowBe4 Fresh Content Updates from October 2022:
https://blog.knowbe4.com/knowbe4-fresh-content-updates-october-2022
PPS: [HACKING GOOGLE VIDEO] Five elite security teams. Six never-before-told stories. Go behind the scenes with the hacking teams at Google keeping more people safe online than anyone else in the world:
https://www.youtube.com/playlist?list=PL590L5WQmH8dsxxz7ooJAgmijwOz0lh2H
- Buddha
- David Hockney - Artist (*1937)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-44-infographic-knowbe4-top-clicked-phishing-email-subjects-for-q3-2022
Phishing for Student Email Accounts
University student accounts are being exploited for business email compromise. Researchers at Avanan have observed a rise in attacks that compromise legitimate college student accounts in order to carry out business email compromise (BEC) attacks.
"In this attack," the researchers say, "hackers are compromising student accounts to launch broader BEC and credential harvesting attacks. We've seen a generous uptick in threat actors compromising student accounts, and then using them to send out BEC and credential harvesting messages. In this case, this same compromised account sent out numerous messages to a variety of organizations. The university, based in Arizona, is not an Avanan customer, and it's not clear how the compromise began.
"Regardless, this represents an effective tactic by hackers. Compromising a student account can be done quite efficiently. From there, leveraging the legitimacy of that email account, it's easy to send out multiple of the same messages to a variety of targets. That makes this an effective way for hackers to send out a wide spectrum of messages with just one compromise."
The phishing emails sent from the accounts appear to be support messages informing the user that several emails are being held for review. The user is directed to click a link in order to view the blocked emails. Avanan notes that there are several red flags in the emails, "such as where the URL goes to and also the fact that a university account wouldn't be used to send support messages."
The goal of acquiring credentials to university email accounts, then, is to enable further phishing operations. Avanan suggests that the ultimate goal of the phishing would be business email compromise, a form of cybercrime based on social engineering that’s growing increasingly dangerous.
New-school security awareness training, however, can afford any organization a measure of protection, both from the initial phishing and the subsequent BEC attempts.
Blog post with links:
https://blog.knowbe4.com/phishing-for-student-email-accounts
New From CISA: Cross-Sector Cybersecurity Performance Goals
In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors.
These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.
Cybersecurity training within 10 days of onboarding
OF NOTE: Item 4.3 "At least annual trainings for all organizational employees and contractors that covers basic security concepts, such as phishing, business email compromise, basic operational security (OPSEC), password security, etc., as well as fostering an internal culture of security and cyber awareness. New employees receive initial cybersecurity training within 10 days of onboarding, and recurring training on at least an annual basis."
The simplest way to get new employees their mandatory security training in 10 days or less is to fully automate the process. KnowBe4 allows you to do that with Active Directory / SCIM integration and smart groups. Voilà!
Summary writeup from CISA:
https://www.cisa.gov/cpg?mod=djemCybersecruityPro&tpl=cy
And this is the full CISA report:
https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
What KnowBe4 Customers Say
"Hello Stu, thank you for reaching out and assessing our experience with KnowBe4! We are efficiently utilizing KnowBe4's phishing and training services and have experienced tremendous feedback from our end-users!
"We have received such remarks as:
- "I actually really enjoyed the game! I kept the hacker right in his place and he didn't even get a chance to move because I never got a question wrong!"
- "I want to share that the training was very well received. I really enjoyed it and learned several new things that I would have never even thought of before! Thank you!"
"The physical ModStore resources (newsletters, posters, etc.) have also been a phenomenal addition to our curriculum as we have continued to provide modern, eye-catching and informative content to our Cyber Security Awareness and Education bulletin board and the Cyber Security portion of our regular newsletter.
"We continue to provide and expand KnowBe4's phishing and training programs, across all of our hospital with great results, thus far. Thank you and best regards."
- L.N., IT Network Administrator
- [RANSOMWARE WORM] Microsoft links Raspberry Robin worm to Clop ransomware attacks:
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- [RECOMMENDED ARTICLE] Everything You Ever Wanted to Know About Crypto:
https://www.bloomberg.com/features/2022-the-crypto-story
- Ransomware is how half of attacks begin, and this is how you can stop them:
https://www.zdnet.com/article/ransomware-this-is-how-half-of-attacks-begin-and-this-is-how-you-can-stop-them/
- Massive Typosquat campaign mimics 27 brands to push Windows, Android malware:
https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/
- Interpol: "Criminals are starting to exploit the metaverse":
https://www.interpol.int/fr/Actualites-et-evenements/Actualites/2022/INTERPOL-launches-first-global-police-Metaverse
- Microsoft working with CISA on assessment tool for cloud security configurations:
https://federalnewsnetwork.com/cybersecurity/2022/10/microsoft-working-with-cisa-on-assessment-tool-for-cloud-security-configurations/
- Ransomware Attackers Deploy New Data Exfiltration Tool called Exbyte:
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
- LinkedIn Email Attack: Welcome to your ProPHISHional Community:
https://www.armorblox.com/blog/linkedin-email-attack/
- Report: Pro-China influence operation targeted U.S. midterms:
https://therecord.media/report-pro-china-influence-operation-targeted-u-s-midterms/
- Australia: "Tougher penalties for serious data breaches" after Medibank hack:
https://www.bleepingcomputer.com/news/security/medibank-now-says-hackers-accessed-all-its-customers-personal-data/
- Your Virtual Vaca to Indonesia by FPV Drone. A 5K Coffee Break:
https://www.youtube.com/watch?v=qTAK-NYFciA
- The Lock Picking Lawyer - Lock Bumping… Possibly The Easiest Way In!:
https://www.youtube.com/watch?v=r3cuVPSySZw
- Mellow proximity wingsuit flight at Scex Rouge:
https://www.youtube.com/watch?v=Vo6-nWLkXM8
- Skydivers Play on the ULTIMATE Mega Swing:
https://www.youtube.com/watch?v=JSTf79BJoxI
- Cool demo of mechanical circuits: electronics without electricity:
https://boingboing.net/2022/10/27/cool-demo-of-mechanical-circuits-electronics-without-electricity.html
- New "Super Intelligent" Robot Dog. Cute though:
https://www.youtube.com/watch?v=ECgSiBZtwpM
- Lawyer-Magician Theron Christensen vs Penn and Teller:
https://www.flixxy.com/lawyer-magician-theron-christensen-vs-penn-and-teller.htm?utm_source=4
- The Most Dangerous Man in World History:
https://fee.org/articles/the-most-dangerous-man-in-the-world/
- Penn & Teller. You have to see this beautiful, enchanting, mind-blowing magic routine by Axel Adler:
https://www.flixxy.com/axel-adler-magic-with-3-legs.htm?utm_source=4
- This 270-Year-Old Scottish Building Has a High-Tech Secret:
https://www.youtube.com/watch?v=UZit06IOROA
- Bugatti Chiron 0-834 km/h Acceleration on Autobahn. WHOA:
https://www.youtube.com/watch?v=Hm2iIRqqzBs
- Puddles Pity Party Sings a Powerful Cover of Black Sabbath's 'War Pigs'. Great vocals and a killer arrangement. Bravo!:
https://youtu.be/WT8t3i8CkMQ
- For Da Kids #1 - Comedian Bull Terrier Makes Mom Laugh and Breaks Stereotypes:
https://www.youtube.com/watch?v=HbOroZ2evi8
- For Da Kids #2 - Boy and His Baby Kangaroo Are Inseparable:
https://www.youtube.com/watch?v=v9-zEf3EbiA
- For Da Kids #3 - Elephant Caretaker Plays Peekaboo Game To Distract Elephant From Flood Issues:
https://www.youtube.com/watch?v=nB3563G6roI
- For Da Kids #4 - Golden Makes Friends with His Neighbor On The Opposite Balcony:
https://www.youtube.com/watch?v=ibPUtebFSf8
- For Da Kids #5 - Lewis Hamilton on his love of remote-control cars & surprises kids from RC Vision:
https://www.youtube.com/watch?v=xZsPhVLHRL0