CyberheistNews Vol 12 #45 [EYE OPENER] Phishing Attacks Up 61% Over 2021. A Whopping 255 Million Attacks This Year So Far...

CyberheistNews Vol 12 #45 | November 8th, 2022

[EYE OPENER] Phishing Attacks Up 61% Over 2021. A Whopping 255 Million Attacks This Year So Far... Stu Sjouwerman SACP

Security Magazine wrote this week about the recent eye opening SlashNext State of Phishing report. "SlashNext analyzed billions of link-based URLs, attachments and natural language messages in email, mobile and browser channels over six months in 2022 and found more than 255 million attacks —a 61% increase in the rate of phishing attacks compared to 2021.

"The SlashNext State of Phishing Report for 2022 findings highlights that previous security strategies, including secure email gateways, firewalls, and proxy servers, are no longer stopping threats, especially as bad actors increasingly launch these attacks from trusted servers and business and personal messaging apps."

Key findings of the report include:

Cybercriminals are moving their attacks to mobile and personal communication channels to reach employees. SlashNext recorded a 50% increase in attacks on mobile devices, with scams and credential theft at the top of the list of payloads.
In 2022, they detected an 80% increase in threats from trusted services such as Microsoft, Amazon Web Services or Google, with nearly one-third (32%) of all threats now being hosted on trusted services
54% of all threats detected in 2022 were zero-hour threats, showing how hackers are shifting tactics in real-time to improve success
76% of threats were targeted spear phishing credential harvesting attacks
The top 3 attack sectors are Healthcare, Professional and Scientific Services, and Information Technology

Great budget ammo. Blog post with links:
https://blog.knowbe4.com/eye-opener-phishing-attacks-61-up-over-2021.-a-whopping-255-million-attacks-this-year-so-far

[Hacking Biometrics] If You Thought Your Fingerprints Were Safe, Think Again!

When you think of using biometric technology as part of your multi-factor authentication process, you assume these attributes are safe. Cybercriminals can't hack your fingerprints, can they? The answer may surprise you!

Cybercriminals are always coming up with new ways to get around safeguards, and biometric based hacks are on the rise.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, as he dives into how biometrics can work, how they can be used against you, and how you can best protect your organization.

In this session you'll learn:

How biometric attributes are stored and used
Why your digital fingerprint is not nearly unique as you think
How cybercriminals steal biometric data and use it against you
Attributes of strong biometric solutions
Why training your users is your best, last line of defense

Get the information you need now to protect your network and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, November 9 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/hacking-biometrics?partnerref=CHN2

[Scam of The Week] New Phishing Email Exploits Twitter's Plan to Charge for Blue Checkmark

Michael Kan at PCMag had the scoop: A hacker is already circulating one phishing email, warning users they'll need to submit some personal information to keep the blue verified checkmark for free.

He wrote: "One hacker is already exploiting Twitter's reported plan to charge users for the verified blue checkmark by using it as a lure in phishing emails.

"On Monday, journalists at TechCrunch and NBC News received phishing emails that pretended to come from Twitter, and claimed they had to submit some personal information in order to keep the blue checkmarks on their Twitter accounts.

"'Don't lose your free Verified Status,' the phishing email says. Twitter itself has yet to officially announce any changes about the blue checkmark. Nevertheless, the phishing email tries to exploit the news by claiming that some verified users, particularly celebrities, will need to pay $19.99 per month after Nov. 2 to keep the status.

"The email then tries to create a sense of urgency. 'You need to give a short confirmation so that you are not affected by this situation,' it says. 'To receive the verification badge for free and permanently, please confirm that you are a well-known person. If you don't provide verification, you will pay $19.99 every month like other users to get the verification badge.'

"The email provides a button labeled 'Provide Information.' However, a closer look at the message reveals it was sent from a fictitious Gmail address, instead of an official Twitter domain—a clear red flag the message is a fake."

Step your users through new-school security awareness training before they fall for timely and smart social engineering attacks like this.

Blog post with links:
https://blog.knowbe4.com/scam-of-the-week-new-phishing-email-exploits-twitters-plan-to-charge-for-blue-checkmark

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, November 16 @ 2:00 PM (ET) for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox.
Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, November 16 @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/phisher-demo-november-2022?partnerref=CHN

LinkedIn Phishing Attack Bypassed Email Filters Because It Passed Both SPF and DMARC Auth

Researchers at Armorblox have observed a phishing campaign impersonating LinkedIn. The emails inform the user that their LinkedIn account has been suspended due to suspicious activity.

"The subject of this email evoked a sense of urgency in the victims, with a subject reading, 'We noticed some unusual activity,' the researchers write. "At first glance, the sender looks to be LinkedIn, the global brand used for connecting with colleagues and individuals around the world.

"However, when looking closer it is clear that the sender name reads Linkedin (an improper spelling of the brand’s name) and the email address is not associated with LinkedIn. Upon further analysis, the Armorblox Threat Research team found the domain name is fleek[.]co, created March 6th of this year––in preparation for attackers to execute targeted email attacks such as this one."

The phishing emails and the phishing site convincingly spoofed LinkedIn's branding.

"The email looks like a notification from LinkedIn, notifying the end user about suspicious activity on his or her account," the researchers write. "The email included a LinkedIn logo at the top and bottom in order to instill trust in the recipient (victim) that the email communication was a legitimate business email notification from LinkedIn - instead of a targeted, socially engineered email attack.

Attack bypassed Google email security because it passed both SPF and DMARC auth

"The body of the email contains information about a sign in attempt: device used, date and time, and location; notifying the end user that this attempt has resulted in limited account access due to the potential fraudulent activity. The victim is prompted to 'Secure my account' to avoid the LinkedIn account from being closed."

Armorblox notes that the phishing messages were able to bypass email security filters. "The email attack bypassed native Google email security controls because it passed both SPF and DMARC email authentication checks," Armorblox says. "Attackers used a valid domain to send this malicious email, with the goal to bypass native email security layers and exfiltrate sensitive user credentials. Even though the sender domain received a reputation score of high risk, email security layers such as Google that rely on email authentication checks for legitimacy would not catch this targeted email attack."

Blog post with links:
https://blog.knowbe4.com/linkedin-phishing-attack-bypassed-email-filters-because-it-passed-both-spf-and-dmarc-auth

Do Users Put Your Organization at Risk With Browser-saved Passwords?

Cybercriminals are always looking for easy ways to hack into your network and steal your users' credentials.

Verizon's Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, Password Dumpers takes the top malware spot making it easy for cybercriminals to find and "dump" any passwords your users save in web browsers.

Find out now if browser-saved passwords are putting your organization at risk.

KnowBe4's Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization's risk associated with weak, reused, and old passwords your users save in Chrome, Firefox, and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:

Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization’s key business systems
Better manage and strengthen your organization's password hygiene policies and security awareness training efforts

Get your results in a few minutes! They might make you feel like the first drop on a roller coaster!

Find Out Now:
https://info.knowbe4.com/browser-password-inspector-chn

I Have a Free Resource for You: The Security Culture Maturity Model

Do you know where your organization stands regarding its Security Culture Maturity?

The Security Culture Maturity Model is an evidence-driven framework for understanding and benchmarking the current security-related maturity of an organization, industry vertical, region, or any measurable group.

The data-driven and evidence-based Security Culture Maturity Model, developed by KnowBe4 Research, is the industry's first maturity model specifically geared to measure security culture. The model is fueled by KnowBe4's massive security awareness, behavior and culture dataset.

Security Culture is defined as the ideas, customs and social behaviors of a group that influence its security. Organizational leaders can use the model to visualize their current level of security culture and plan the steps required to progress from one level to another.

Download your no-charge Security Culture Maturity Model to explore:

The five levels of security culture maturity to help gauge where your organization stands
Details on how the model was built using KnowBe4's deep expertise into data modeling and analysis
The framework behind Culture Maturity Indicators (CMI), such as phishing test results and knowledge assessments, and how these data points flow into the model

[No Registration Required] Get your free PDF copy of the maturity model now:
https://www.knowbe4.com/security-culture-maturity-model

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS:[BUDGET AMMO] From yours truly in Forbes: Why Understanding Ransomware's Root Causes Can Help Protect Against The Evolving Threats:
https://www.forbes.com/sites/forbestechcouncil/2022/10/31/why-understanding-ransomwares-root-causes-can-help-protect-against-the-evolving-threats/

PPS:[WHITE HOUSE FACT SHEET]: The Second International Counter Ransomware Initiative Summit:
https://www.whitehouse.gov/briefing-room/statements-releases/2022/11/01/fact-sheet-the-second-international-counter-ransomware-initiative-summit/

Quotes of the Week

"Nobody can give you wiser advice than yourself."
- Marcus Tullius Cicero - Orator and Statesman (106 - 43 BC)

"I've experienced many terrible things in my life, a few of which actually happened."
- Mark Twain - American Writer (1835 - 1910)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-45-eye-opener-phishing-attacks-up-61-percent-over-2021-a-whopping-255-million-attacks-this-year-so-far

Security News

Phishing for Feds: Credential-Harvesting Attacks Rise 30% in New Study

A study by researchers at Lookout has found that credential-harvesting phishing attacks against U.S. government employees rose by 30% last year. The researchers also found that nearly 50% of U.S. government employees are running older, unpatched versions of iOS and Android operating systems.

"With more than one third of state and local government employees using their personal devices for work in 2021, these agencies are leading the government adoption of BYOD," the researchers write. "While this provides employees with greater flexibility, these unmanaged devices are more frequently exposed to phishing sites than managed devices. This is because personal unmanaged devices connect to a broader range of websites and use a greater variety of apps."

The researchers observed a significant increase in mobile phishing attacks attempting to steal credentials rather than trying to deliver malware.

"In 2021, almost 50% of all phishing attacks sought to steal credentials," Lookout says. "The proportion of credential theft attacks against federal agencies increased at a rate of nearly 47% from 2020 to 2021 while the proportion of malware delivery decreased by 12%. State and local departments experienced a similar trend with credential theft attacks increasing and malware decreasing gradually."

Lookout concludes that organizations need to ensure that their employees are aware of the threat posed by social engineering attacks against mobile devices.

"While mobile phishing attacks have become sophisticated, threat actors continue to reuse techniques enabling employees to recognize them once educated to do so," the researchers write. "This shows that ongoing phishing and cybersecurity education is essential to enable employees to spot social engineering attacks.

"Your mobile threat defense solution should contain in-app education so that employees are informed every time a threat on their device is detected. All government entities need to ensure that they evolve their phishing training beyond desktops and emails to include challenges related to mobile phishing."

New-school security awareness training can enable your employees to thwart evolving social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/phishing-for-feds-credential-harvesting-attacks-found-in-new-study

Phishing Resistant MFA Does Not Mean Un-Phishable

Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on.

Anything can be hacked. Do not confuse "phishing-resistant" with being impossible to phish or socially engineer.

You would be hard-pressed to find an organization that has provided more free content over the last few years about many of the common attacks against multi factor authentication (MFA) and how everyone needs to use "phishing-resistant" MFA, including here:

In fact, we built a whole web page around it: https://www.knowbe4.com/multi-factor-authentication

With the publishing of the CISA’s most recent memo touting phishing-resistant MFA, it seems that the message has now gone mainstream. That is a good thing. And everyone should implement phishing-resistant MFA where they can in order to protect valuable data and systems.

But it is important to know that phishing-resistant does not mean not phishable.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/phishing-resistant-does-not-mean-un-phishable

What KnowBe4 Customers Say

"Hello, please accept this note as a thank you and token of my appreciation for working with Julie. Julie has been the most responsive Customer Success agent I've worked with, across any vendor, for any purpose. She truly has been incredible, very informative, and always willing to partner. I don't think our program would have been successful without her. I hope this email makes it to the highest levels within your organization as you truly have a wonderful employee that puts clients first."

- P.T., Director/Head of Technology Operations

And here we have two brand-new PDF customer stories that I think you will like!