CyberheistNews Vol 12 #49 [Keep An Eye Out] Beware of New Holiday Gift Card Scams

CyberheistNews Vol 12 #49 | December 6th, 2022

[Keep An Eye Out] Beware of New Holiday Gift Card Scams Stu Sjouwerman SACP

By Roger A. Grimes

Every holiday season brings on an increase in gift card scams. Most people love to buy and use gift cards. They are convenient, easy to buy, easy to use, easy to gift, usually allow the receiver to pick just what they want, and are often received as a reward for doing something.

The gift card market is estimated in the many hundreds of BILLIONS of dollars. Who doesn't like to get a free gift card? Unfortunately, scammers often use gift cards as a way to steal value from their victims. There are dozens of ways gift cards can be used by scammers to steal money.

Roger covers these three scams in a short [VIDEO] and in detail on the KnowBe4 blog:

You Need to Pay a Bill Using Gift Cards
Maliciously Modified Gift Cards in Stores
Phish You for Information to Supposedly Get a Gift Card

Blog post with 2:13 [VIDEO] and links you can share with your users and family:
https://blog.knowbe4.com/beware-of-holiday-gift-card-scams

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, December 7 @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

NEW! KnowBe4 Mobile Learner App - Users Can Now Train Anytime, Anywhere!
NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
NEW! AI-Driven phishing and training recommendations for your end users
Did You Know? You can upload your own training video and SCORM modules into your account for home workers
Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, December 7 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3947028/0273119CCBF116DBE42DF81F151FF99F?partnerref=CHN3

Your KnowBe4 Fresh Content Updates from November 2022

November adds a wealth of new features you need to know about:

The new (no-charge) Holiday Resource Kit is available. Tell your friends.
We announced the brand-new mobile learner app. Learn anytime, anywhere!
A ton of new modules, translations, newsletters, posters and games

And... Do you use push-based multi-factor authentication (MFA)? Cybercriminals are aware that most people don't know how easily push-based MFA can be abused. Push notification abuse focuses on a potential victim's frustration, impatience and confusion with push-based MFA to gain access to their account.

In this Mobile-First module, your users will learn what push notification abuse is, how these attacks work, and learn tips on how to respond to a push notification attack.

Blog post with links:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-november-2022

[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us TOMORROW, Wednesday, December 7 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new Jira integration features we've added to make managing your compliance projects even easier!

NEW! Jira integration enables you to sync risk and compliance data between Jira and KCM - no more copying and pasting tasks!
Vet, manage and monitor your third-party vendors' security risk requirements
Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
Dashboards with automated reminders to quickly see what tasks have been completed, not met and are past due

Date/Time: Wednesday, December 7 @ 1:00 PM (ET)

Save My Spot!
https://www.knowbe4.com/kcm-demo-december-2022?partnerref=CHN3

Spoofing-as-a-Service Site Taken Down

Law enforcement authorities across Europe, Australia, the United States, Ukraine and Canada have taken down a popular website used by cybercriminals to impersonate major corporations in voice phishing (vishing) attacks. The website, called "iSpoof," allowed scammers to pay for spoofed phone numbers so they could appear to be calling from legitimate organizations.

According to Europol, which coordinated the operation, users of the website are believed to have scammed victims around the world out of more than 115 million Euro (approximately 120 million U.S. dollars).

"The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords," Europol says. "The users were able to impersonate an infinite number of entities (such as banks, retail companies and government institutions) for financial gain and substantial losses to victims. The investigations showed that the website has earned over EUR 3.7 million in 16 months."

As a result of the operation, 142 users and administrators of the site were arrested in November. More than 100 of these, including iSpoof's main administrator, were arrested in the U.K. London's Metropolitan Police Commissioner Sir Mark Rowley stated that online fraud should be a major priority for law enforcement.

"The exploitation of technology by organised criminals is one of the greatest challenges for law enforcement in the 21st century," Rowley said. "Together with the support of partners across U.K. policing and internationally, we are reinventing the way fraud is investigated. The Met is targeting the criminals at the centre of these illicit webs that cause misery to thousands. By taking away the tools and systems that have enabled fraudsters to cheat innocent people at scale, this operation shows how we are determined to target corrupt individuals intent on exploiting often vulnerable people."

Blog post with links:
https://blog.knowbe4.com/spoofing-as-a-service-site-taken-down

Ransomware, Ransom-war and Ran-some-where: What We Can Learn When the Hackers Get Hacked

Ransomware strikes organizations almost every two seconds. Tales of bad actors doing their worst fill the InfoSec news cycle, but what happens when the hackers get hacked?

Last year, the Conti ransomware group got a taste of their own cyber-medicine when their playbook, chat sessions, and other critical information ended up on the dark web.

So what important lessons can we learn from a situation like this? How do these cybercriminal organizations operate? What are their business models? What is their level of experience? And most importantly, how can we avoid their tactics?

Join James McQuiggan, Security Awareness Advocate at KnowBe4, on December 14 at 2:00 PM ET for this informative webinar to learn about:

The tactics, techniques, and procedures used by various cybercriminal groups, including ransomware services
Understanding the modus operandi of these groups
How to spot these attacks, and why training your users is you best line of defense

Let their misfortune be your opportunity to flip the tables before you become a victim, and earn CPE credit for attending!

Date/Time: Wednesday, December 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/ransomware-ransom-war?partnerref=CHN

[Budget Ammo] Cyber Insurers Turn Attention to Catastrophic Hacks

Some major cloud providers are being excluded from cyber insurance policies by carriers worried about the potential for major cyberattacks. Some insurers have started to exclude catastrophic nation-state attacks from cyber insurance policies, saying cyber is such a young class they can't confidently model the risk. Please forward this to your c-suite. It is important for budget reasons.

An ounce of security awareness training prevention is worth a pound of data breach cure:
https://www.wsj.com/articles/cyber-insurers-turn-attention-to-catastrophic-hacks-11669407185

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: CISA just released a new #StopRansomware Advisory. Check out the Top 3 Actions! (PDF):
https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf

PPS: Inside NATO's efforts to plan for a future cyberwar:
https://www.politico.com/news/2022/12/03/nato-future-cyber-war-00072060

Quotes of the Week

"Love and compassion are necessities, not luxuries. Without them, humanity cannot survive."
- Dalai Lama (born 1935)

"Go confidently in the direction of your dreams. Live the life you have imagined."
- Henry David Thoreau - Author (1817 - 1862)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-49-keep-an-eye-out-beware-of-new-holiday-gift-card-scams

Security News

Quiet Quitting and Insider Risk

The phenomenon known as "quiet quitting," in which employees become disengaged from their work while formally remaining in their jobs, can lead to serious security risks, according to Tim Keary at VentureBeat.

Apathetic employees are more likely to make security mistakes, such as falling for social engineering attacks or reusing passwords. Particularly unhappy employees may also intentionally harm the organization by leaking data.

Jeff Pollard, VP Principal Analyst at Forrester, stated, "It's important to be aware of quiet quitting, so a quiet quitter doesn't become a loud leaker. Leading indicators for quiet quitting include an individual becoming more withdrawn [or] becoming apathetic towards their work.

"If those feelings simmer long enough, they turn into anger and resentment, and those emotions are the dangerous leading indicators of insider risk activity like data leaks and/or sabotage." Jon France, CISO of (ISC)2, stated that the spike in remote work due to the pandemic has increased this risk.

"While quiet quitting is a relatively new term, it describes an age-old problem — workforce disengagement," France said. "The difference this time around is that in a remote work environment, the signs may be a little harder to spot. To prevent employees from quiet quitting, it is important for CISOs and security leaders to ensure and promote connection and team culture."

Keary concludes that organizations can mitigate these risks by following security best practices. "One of the simplest solutions is to implement the principle of least privilege, ensuring that employees only have access to the data and resources they need to perform their function," Keary says.

"This means if an unauthorized user does gain access to the account or they attempt to leak information themselves, the exposure to the organization is limited. Another approach is for organizations to offer security awareness training to teach employees security-conscious behaviors, such as selecting a strong password and educating them on how to identify phishing scams. This can help to reduce the chance of credential theft and account takeover attempts."

New-school security awareness training gives your organization an essential layer of defense by teaching your employees to recognize social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/quiet-quitting-can-potentially-lead-to-insider-security-risks

There's No Such Thing as a Free Yeti

It's easy to think of the typical online holiday scam as something that affects mostly individuals. Sad, maybe, and unfortunate, but not something that might seriously threaten a business, or another organization.

For example, a lot of scams are circulating that offer the marks a free Yeti cooler, or some other attractive bauble, like a Samsung Smart TV, or a snazzy Dutch oven by Le Creuset.  All you have to do is enter your credit card to cover shipping and handling–fair enough, right? Because after all you're going to get a swell Yeti. Of course, there is no Yeti, but the scammers have got the marks' credit card information.

But there are lessons here in social engineering Vox's Recode explains, "Basically, these scammers are deploying lots of technical tricks to evade scanners and get through spam filters behind the scenes. Those include (but aren't limited to) routing traffic through a mix of legitimate services, like Amazon Web Services, which is the URL several of the scam emails I've received appear to link out to.

"And, [security researcher Zach] Edwards said, bad actors can identify and block the IP addresses of known scam and spam detection tools, which also helps them bypass those tools."

There's also more use of domain hop architecture in spam, helping the scammers hide their tracks and evade security tools. That's not all. Recode goes on to report that, "Akamai said this year's campaign also included a novel use of fragment identifiers. You'll see those as a series of letters and numbers after a hash mark in a URL.

"They're typically used to send readers to a specific section of a website, but scammers were using them to instead send victims to completely different websites entirely. And some scam detection services don't or can't scan fragment identifiers, which helps them evade detection, according to Katz.

"That said, Google told Recode that this particular method alone was not enough to bypass its spam filters." The upshot of the greater sophistication email spam now exhibits is that the social engineers are working to bypass the technical protections organizations have in place. As is so often the case, the individual user is the last line of defense, and a well-informed, properly skeptical user is to some extent armored against attempts like this.

The email might look as if it came from a legitimate sender, the offer might be attractive, but new-school security awareness training can help your people understand that, really, there's no such thing as a free Yeti.

Vox has the story:
https://www.vox.com/recode/2022/11/25/23473947/scam-phishing-yeti-cooler-kohls-emails

What KnowBe4 Customers Say

"I was an attendee at the ITWC sponsored webinar regarding email hacks yesterday – amazing presentation by the way – and am wondering if you would be willing to share your slide deck. I feel that the rest of my team and our organization would benefit greatly from the content. Coincidentally, we are already a KnowBe4 customer and am delighted to tell you that we are finding your services profoundly valuable. Thank you for your time and for sharing your insights and experience with us."

- T.B., Sr. Technology Support Specialist

The 10 Interesting News Items This Week