CyberheistNews Vol 13 #08 [Heads Up] Reddit Is the Latest Victim of a Spear Phishing Attack Resulting in a Data Breach



Cyberheist News

CyberheistNews Vol 13 #08  |   February 21st, 2023

[Heads Up] Reddit Is the Latest Victim of a Spear Phishing Attack Resulting in a Data Breach
Stu Sjouwerman, SACP

There is a lot to learn from Reddit's recent data breach, which was the result of an employee falling for a "sophisticated and highly-targeted" spear phishing attack.

I spend a lot of time talking about phishing attacks and the specifics that closely surround that pivotal action taken by the user once they are duped into believing the phishing email was legitimate.

However, there are additional details about the attack we can analyze to see what kind of access the attacker was able to garner from this attack. But first, here are the basics:

According to Reddit, an attacker set up a website that impersonated the company's intranet gateway, then sent targeted phishing emails to Reddit employees. The site was designed to steal credentials and two-factor authentication tokens.

There are only a few details from the breach, but the notification does mention that the threat actor was able to access "some internal docs, code, as well as some internal dashboards and business systems."

Since the notice does imply that only a single employee fell victim, we have to make a few assumptions about this attack:

  • The attacker had some knowledge of Reddit's internal workings – The fact that the attacker can spoof an intranet gateway shows they had some familiarity with the gateway's look and feel, and its use by Reddit employees.
  • The targeting of victims was limited to users with specific desired access – Given the knowledge about the intranet, it's reasonable to believe that the attacker(s) targeted users with specific roles within Reddit. From the use of the term "code," I'm going to assume the target was developers or someone on the product side of Reddit.
  • The attacker may have been an initial access broker – Despite the access gained that Reddit is making out to be not a big deal, they do also mention that no production systems were accessed. This makes me believe that this attack may have been focused on gaining a foothold within Reddit versus penetrating more sensitive systems and data.

There are also a few takeaways from this attack that you can learn from:

  • 2FA is an important security measure – Despite the fact that the threat actor collected and (I'm guessing) passed the credentials and 2FA details on to the legitimate intranet gateway, a classic man-in-the-middle attack, it's far better to have MFA in place than to have no additional authentication factors in place.
  • Employees play a role in organizational cybersecurity – Reddit mentions that "soon after being phished, the affected employee self-reported, and the security team responded quickly, removing the infiltrator's access and commencing an internal investigation."

Users that are aware of how important they are in keeping the organization secure – something taught through continual security awareness training – can truly make the difference. With so many attacks involving threat actors lying undetected for literally months, it's refreshing to hear about an attack where the threat actor was cut off quickly by the swift thinking of a user who knew exactly what to do once they realized they had been tricked.
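The takeaway above, that a one-time code can be relayed through a look-alike gateway, is easy to see in a small model. This is an added example, not code from the post or from Reddit: the origins, keys, challenge and timestamp are constructed placeholders, and an HMAC stands in for the authenticator's public-key signature so the model stays short. It contrasts an RFC 6238 TOTP check (binds to nothing about where the code was typed) with an origin-bound, WebAuthn-style check, where the browser records the origin it is really on and the gateway rejects anything signed for another origin.

```python
import hashlib
import hmac
import json
import struct

# Assumed placeholders: the gateway's real origin and a look-alike phishing origin.
RP_ORIGIN = "https://intranet.example"
LOOKALIKE_ORIGIN = "https://intranet-example.login-portal.invalid"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the shared secret and
    the time step, so it carries no information about where it was typed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def gateway_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def authenticator_sign(device_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """Stand-in for a WebAuthn assertion: the browser, not the user, records the
    origin it is really on, and the signature covers that client data.
    HMAC replaces the authenticator's public-key signature in this model."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": browser_origin}, sort_keys=True
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    return {"client_data": client_data,
            "signature": hmac.new(device_key, digest, hashlib.sha256).digest()}


def gateway_accepts_assertion(device_key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying-party check: origin must be ours, challenge must be the one we
    issued, and the signature must verify over exactly those bytes."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge.hex():
        return False
    digest = hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(device_key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_scenario() -> dict:
    """Constructed scenario: the user authenticates on a look-alike page that
    relays everything to the real gateway within the same 30 s window."""
    totp_secret = b"12345678901234567890"          # constructed shared secret
    device_key = b"constructed-device-key"         # constructed authenticator key
    now = 1_676_000_000                            # fixed timestamp, repeatable run
    code_typed_on_lookalike = totp(totp_secret, now)
    challenge = bytes.fromhex("0011223344556677")  # constructed gateway challenge
    # The phishing page forwards the gateway's challenge unchanged, but the
    # user's browser is on the look-alike origin, so that is what gets signed.
    relayed = authenticator_sign(device_key, challenge, LOOKALIKE_ORIGIN)
    direct = authenticator_sign(device_key, challenge, RP_ORIGIN)
    return {
        "totp_relayed": gateway_accepts_totp(totp_secret, code_typed_on_lookalike, now + 5),
        "origin_bound_relayed": gateway_accepts_assertion(device_key, challenge, relayed),
        "origin_bound_direct": gateway_accepts_assertion(device_key, challenge, direct),
    }
```

Running `relay_scenario()` shows the relayed TOTP accepted and the relayed origin-bound assertion refused, while the same assertion made directly on the real origin passes.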

Blog post with links:
https://blog.knowbe4.com/reddit-spear-phishing-attack-data-breach

Are Your Users Making Risky Security Mistakes? Deliver Real-Time Coaching in Response to Risky User Behavior with SecurityCoach

Do you need an easy, automated way to provide real-time feedback the moment your users make risky mistakes to help reinforce the training campaigns you manage today?

SecurityCoach is a new offering from KnowBe4 designed to help you develop a strong security culture by enabling real-time security coaching of your users in response to their risky security behavior.

Based on alerts generated by your existing security stack products, SecurityCoach analyzes and identifies detected threat events to send your users a contextual, real-time SecurityTip at the moment risky behavior occurs.

Join us TOMORROW, Wednesday, February 22, @ 2:00 PM (ET) for a demonstration of how SecurityCoach enables real-time security coaching of your users in response to risky security behavior.

What SecurityCoach Means for You:

  • Coach users in real-time based on their own real-world behavior, reinforcing comprehension and retention of your security training, best practices, and established security policies
  • Build custom campaigns for high-risk users or roles that are considered a valuable target for cybercriminals
  • Measure and report on improved real-world security behavior across your organization, providing justification for continued investment
  • Reduce the burden on the SOC and improve efficacy through automation and reducing alert noise caused by users repeating risky security behaviors
  • Gain additional value from your existing security stack by integrating with common security products and services

See how SecurityCoach can help you to develop a strong security culture by enabling real-time security coaching of your users in response to their risky security behavior.

Date/Time: TOMORROW, Wednesday, February 22, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4117873/342D6A8F51B1C1D7CF96908518CB0F28?partnerref=CHN2

[NEW INFOGRAPHIC] 9 Cognitive Biases Hackers Exploit the Most

Cybersecurity is not just a technological challenge, but increasingly a social and behavioral one. People, no matter their tech savviness, are often duped by social engineering scams, like CEO fraud, because of their familiarity and immediacy factors.

Bad actors have the know-how to tap into the "mental shortcuts" that are called cognitive biases and manipulate employees into compromising sensitive information or systems.

Check out this infographic, with examples of the top cognitive biases hackers use the most. Download and send it to your users. No registration required:

Blog post with INFOGRAPHIC [PDF]:
https://blog.knowbe4.com/infographic-9-cognitive-biases-hackers-exploit

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, March 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, March 1, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4071002/7E395D890FBBCB1799D5F307169660D1?partnerref=CHN

[HEADS UP] Russian Hacker Group Launches New Spear Phishing Campaign with Targets in U.S. and Europe

The Russia-based hacking group Seaborgium is at it again, with increased spear phishing attacks targeting U.S. and European countries over the last year.

Last month, I wrote about Seaborgium launching a phishing campaign with targets in the U.K. Now these threat actors have gone one step further, using fake personas, social media accounts, and academic papers to lure their victims into replying to their phishing emails.

They have also widened their net to multiple regions across the globe with a new focus on the U.S. and additional regions within Europe. Each successful attack means the threat actor is able to refine their fake profiles to be more convincing and lure future victims.

Journalists are also becoming a target for multiple Russian hacking groups. Since journalists hold sensitive information, they are high-value targets for cyber espionage by Russian state-sponsored groups.

While spear phishing campaigns continue to increase in sophistication, the root cause stems from social engineering. Whether it was specific language in the email or a convincing fake profile, threat actors are refining commonly used social engineering tactics to ensure your users fall victim to their attack.

Thankfully, there are ways to identify if your organization is being targeted. We have several tips for preventing a spear phishing attack from targeting your users:

  • First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. The trick is to make it as hard as possible for the attacker to get through and to not rely on any single security measure to keep your organization safe.
  • Regularly scan the Internet for exposed email addresses and/or credentials. You would not be the first to find one of your users' usernames and passwords on a crime or porn site. Try out the free email exposure check; see the link below.
  • Never send out sensitive personal information via email. Be wary if you get an email asking you for this info and when in doubt, double-check with the source using another communication channel.
  • Enlighten your users about the dangers of oversharing their personal information on social media sites. The more cybercriminals know, the more convincing they can be when crafting spear phishing emails.

Users are your last line of defense. They need to be trained using new-school security awareness training and receive frequent simulated phishing tests to keep them on their toes with security top of mind. We provide the world's largest content library of security awareness training combined with best-in-class phishing testing. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof the training works!

Blog post with links:
https://blog.knowbe4.com/heads-up-russian-hacker-group-launches-new-spear-phishing-campaign-with-targets-to-us-and-europe

'The Inside Man' Season 5 Premiere in London Is Almost Sold Out!

There's still time to save your seat for the world premiere of the award-winning "The Inside Man" season 5 on March 23 in Leicester Square, London.

Time: 6 p.m. Pre-show Reception; 7 p.m. Premiere
Location: Odeon Luxe Leicester Square
22-24 Leicester Square
London

Season 5 of "The Inside Man" promises to be the most exciting and dramatic season yet - you don't want to miss it! After walking the red carpet, you'll have the opportunity to rub elbows with the stars of the show during our pre-show reception. Then, grab some popcorn, kick back and relax while you enjoy all of Season 5 in one sitting. You'll even leave with an attendees-only VIP pass for your collection!

We are almost out of seats for this free event, so register now!

Register Now:
https://knowbe4.cventevents.com/qrQLBV?RefId=chnfeb20

Be a Certified Security Awareness and Culture Professional (SACP)™

Your organization's cyber threat landscape is changing lightning fast. So, your security awareness skills need to stay razor sharp, and are increasingly viewed as critical to protect your organization from human error.

You can now be a leader in the security awareness and culture profession. Earn H Layer's Security Awareness and Culture Professional (SACP)™ credential and demonstrate your competency to design and lead security awareness programs that build a sustained security-awareness culture.

Your Security Awareness and Culture Professional (SACP)™ credential is the only independent, vendor-neutral certification designed specifically for the newest in-demand job roles in security awareness.

Learn more about the SACP exam. Check out the requirements. Don't wait. Apply today and become one of the first 1,000 professionals to earn your SACP Cert.
https://www.thehlayer.com/about-exam/


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] Why Secure Email Gateways Fall Short (Yours Truly at SecurityBoulevard):
https://securityboulevard.com/2023/02/why-secure-email-gateways-fall-short/

PPS: The Four Most Intriguing Cyberattacks of 2022 (Yours Truly at FastCompany):
https://www.fastcompany.com/90848823/the-four-most-intriguing-cyberattacks-of-2022

Quotes of the Week  
"Time is really the only capital that any human being has, and the only thing he can't afford to lose."
- Thomas Edison

"The bad news is time flies. The good news is you're the pilot."
- Michael Altshuler

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-08-heads-up-reddit-is-the-latest-victim-of-a-spear-phishing-attack-resulting-in-a-data-breach

Security News

Cybercriminals Are Using Geotargeted Phishing to Target Victims

Attackers are abusing a legitimate service called "GeoTargetly" to launch localized phishing attacks, according to Jeremy Fuchs at Avanan. GeoTargetly is meant to be used by advertisers to display ads in countries' local languages. Avanan observed a phishing campaign that's using phishing emails to target multiple countries in South America.

"The original email is essentially about a local traffic ordinance–which may not be enough to get people to click," Fuchs explains. "However, the email itself is not what's interesting–what is interesting is the ability for hackers to customize their attacks by region, and to attack multiple users in multiple parts of the world at once."

Fuchs notes that the emails themselves are untargeted, and the attackers simply send out so many emails that some people are bound to fall for them.

"Spray-and-pray is a common technique of threat actors," Fuchs says. "The idea–throw a bunch of things at the wall and see what sticks. The name of the game is volume, and you're hoping for a few successful phishes here and there." In this case, however, the threat actors are using a new technique to make these campaigns somewhat more precise.

"[This attack] is a different kind of spray-and-pray," Fuchs writes. "It allows for the ability for hackers to target a large number of people at once, and ensure that it's relevant, and localized. It's spraying without the praying.

"Using the GeoTargetly redirect, a hacker can create a phishing link that redirects users in a certain region to a fake login page that looks identical to the original one. This personalization increases the chances of a user falling for the attack. The redirect is legitimate and the content would be relevant to their language and region. This has increased the likelihood that spray and pray is working, and would allow hackers to operate on a global nature seamlessly."

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/geotargeted-phishing-attacks

U.K. Security Pros: 'Employees Are the Attack Surface'

A survey by Tanium has found that IT security professionals in the U.K. say that 64% of avoidable cyberattacks are due to human error, which usually involves falling for phishing attacks. More than half of the respondents said that loss of productivity would be their main concern following a cyberattack.

"The largest number of survey respondents (56 percent) speculate that 'loss of productivity' would have the biggest post-breach impact, followed by 'loss of clients and/or revenue' (52 percent)," the researchers say. "However, it's worth noting that these two answers have a mutual association – downtime.

"Following two years of pandemic disruption, organisations are naturally sensitive to anything that interferes with business as usual." The survey also found that the majority of respondents believe that spending money on security defenses is cheaper than sustaining a cyberattack.

"Forward-thinking organisations will already be acting to pay down the technical debt of their legacy systems," the researchers write. "85% of security pros in our survey admit that 'it costs more to recover from a cybersecurity incident than to prevent one.'"

Tanium concludes that organizations should invest in a defense-in-depth strategy that includes employee training.

"These statistics highlight that there is ample scope for cyber teams to make improvements in many areas that are under their influence and control," the researchers write. "As an illustration, almost half of the organisations surveyed (43 percent) said they intend to invest more in 'employee awareness training.'

"This prevention-first approach is one way to reduce vulnerabilities that are often caused by human error or lack of education on cyber matters."

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize and thwart social engineering attacks.

CIO has the story:
https://www.cio.com/article/452793/attacks-targeting-employees-are-the-main-cause-of-avoidable-breaches.html

What KnowBe4 Customers Say

"Stu, Thank you for reaching out. I can tell that you have instilled an environment and culture of customer satisfaction across your organization. Your team's continual help in pushing the process forward and the fact that they take the initiative to reach out to me is greatly appreciated. My plate is usually full and this could very easily be pushed to the back burner if I didn't have their help."

- S.D., VP of Finance


"Thanks for reaching out. We are using your services for phishing campaigns and follow-up training campaigns. We really like your system and the content provided. Having a customer success manager - Jenn M. - has been an enormous help in getting us up to speed. She has been very helpful and informative. Most companies do not provide such personnel. Thank you for this. We plan to start training campaigns for all users and upload our own training videos (our vertical business) for future campaigns. Thanks for reaching out."

- D.S., IT


"Hello Mr. Sjouwerman, I'm sending this email to let you know that Emmy A., one of your employees, is excellent at doing her job. She is always friendly, professional, helpful and knowledgeable when my manager and I do working sessions with her.

"I can tell she is a people person and she truly enjoys her job and the services your company provides. We do business with many vendors; Emmy is by far my personal favorite customer service representative that we work with. Just wanted to let you know she does a great job of representing your company. Thank you."

- N.S., Systems Engineer, Information Technology

The 10 Interesting News Items This Week
  1. U.S. government launches 'strike force' to combat Chinese and Russian technology threats:
    https://cyberscoop.com/justice-department-commerce-strike-force-cfius-china-russia/

  2. AI-powered Bing Chat spills its secrets via prompt injection attack:
    https://arstechnica.com/information-technology/2023/02/ai-powered-bing-chat-spills-its-secrets-via-prompt-injection-attack/

  3. North Korean Hackers Are Attacking U.S. Hospitals:
    https://www.wired.com/story/north-korea-hacking-us-hospitals/

  4. The language revolution: How LLMs could transform the world:
    https://venturebeat.com/ai/the-language-revolution-how-llms-could-transform-the-world/

  5. Why does the 'Father of the internet' Vint Cerf tell investors to think before pouring money into A.I. bots?:
    https://fortune.com/2023/02/15/father-internet-vint-cerf-warns-investors-ai-bots-chatgpt-ethical-issue/

  6. [Ransomware in Paradise] Tonga is the latest Pacific Island nation hit with ransomware:
    https://therecord.media/tonga-is-the-latest-pacific-island-nation-hit-with-ransomware/

  7. Forbes Council Post: How To Protect Against AI-Based Email Security Threat Vector:
    https://www.forbes.com/sites/forbestechcouncil/2023/02/13/how-to-protect-against-ai-based-email-security-threat-vectors

  8. EU Organizations Warned of Chinese APT Attacks - SecurityWeek:
    https://www.securityweek.com/eu-organizations-warned-of-chinese-apt-attacks/

  9. Cybercriminal convicted of $90 million SEC earning reports hack:
    https://www.tripwire.com/state-of-security/cybercriminal-convicted-90-million-sec-earning-reports-hack

  10. Layoffs Could Hatch a New Generation of Data Thieves and Hackers:
    https://www.tanium.com/blog/layoffs-could-hatch-a-new-generation-of-data-thieves-and-hackers/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
