CyberheistNews Vol 13 #09 | February 28th, 2023
[Eye Opener] Should You Click on Unsubscribe?
By Roger A. Grimes.
Some common questions we get are "Should I click on an unwanted email's 'Unsubscribe' link? Will that lead to more or less unwanted email?"
The short answer is that, in general, it is OK to click on a legitimate vendor's unsubscribe link. But if the email looks sketchy, if it comes from a source you would not want to confirm that your email address is valid and active, or if you are unsure, do not take the chance; skip the unsubscribe action.
In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user's preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that request must be honored within 10 days.
Note: Many countries have laws similar to the CAN-SPAM Act, although the privacy protection they provide ranges from very little to a lot more. The unsubscribe feature does not have to be a URL link, but it does have to be an "internet-based way." The most popular alternative to a URL link is an email address to which you send the request.
In some cases, there are specific instructions you have to follow, such as putting "Unsubscribe" in the subject line of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list.
[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/should-you-click-on-unsubscribe
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, March 1, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
- NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
- NEW! AI-Driven phishing and training recommendations for your end users
- Did You Know? You can upload your own SCORM training modules into your account for home workers
- Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 50,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: TOMORROW, Wednesday, March 1, @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/4071002/7E395D890FBBCB1799D5F307169660D1?partnerref=CHN2
The Curse of Cybersecurity Knowledge
The curse of knowledge is a cognitive bias that occurs when someone is trying to communicate information to another person, but falsely assumes that the other person has the same level of knowledge or understanding of the topic.
This can lead to the communicator overestimating the other person's understanding of the subject, and thus not providing enough detail or explanation. As a result, the message may not be understood or interpreted correctly, leading to confusion and frustration.
In 1990, Elizabeth Newton earned a Ph.D. in psychology at Stanford by studying a simple game that was music to her ears. She assigned people to two roles: "tappers" or "listeners." Tappers received a list of 25 well-known songs, such as "Happy Birthday to You" and "The Star-Spangled Banner."
Each tapper was asked to pick a song and tap out the rhythm to a listener (by knocking on a table). The listener's job was to guess the song, based on the rhythm being tapped – kind of like a game of musical charades.
Before beginning, Newton asked the tappers to predict the odds that the listeners would guess correctly. They predicted that the odds were 50 percent. However, surprisingly, only 1 in 40 times was the listener able to guess, a mere 2.5%.
When a tapper taps, that person is basically playing a game of 'Name That Tune' in their head. Go ahead and give it a whirl – tap out "Happy Birthday." It is almost impossible not to hear the tune in your head. But unfortunately for the listeners, all they can hear is a bunch of seemingly random taps, like a strange version of Morse Code.
This caused much frustration among the tappers, who often said such phrases as, "Is the song not obvious?" "How can you be so stupid?"
Tappers have been blessed with knowledge, but cursed with the inability to understand what it is like to not know what they know. It is like they have the Curse of Knowledge – once they know something, it is hard to imagine what it was like before they knew it. This makes it difficult for them to share their knowledge with others, since they cannot easily put themselves in the shoes of their listeners. Ah, the woes of being a tapper!
I am sure you can see where I am going with this and how this is relevant to cybersecurity.
[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/the-curse-of-cybersecurity-knowledge
A Master Class on Cybersecurity: Roger A. Grimes Teaches Data-Driven Defense
Even the world's most successful organizations have significant weaknesses in their cybersecurity defenses, which today's determined hackers can exploit at will. There's even a term for it: Assume Breach.
But assuming you'll be hacked isn't an option for you. Your organization can't afford a loss of assets or downtime. And nobody knows this more than Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.
With 30+ years of experience as an IT security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you're prepared to defend against quickly-evolving cybersecurity threats. He wrote the book on it, literally – "A Data-Driven Computer Security Defense."
Join Roger A. Grimes for this thought-provoking webinar where he'll share the most common reasons for data breaches and a data-driven approach to determining your organization's specific weaknesses.
You'll walk away from this session understanding:
- What most organizations are doing wrong and how to fix it
- How to build an action plan to improve your cybersecurity effectiveness
- Why a strong human firewall is your best last line of defense
Start creating your data-driven defense plan today!
Date/Time: Wednesday, March 8, @ 1:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot!
https://info.knowbe4.com/data-driven-defense-mc?partnerref=CHN
Coinbase Attack Used Social Engineering
Coinbase, on its blog, describes a targeted social engineering attack that led to the theft of some employee data. The attacker first sent smishing (SMS phishing) messages to several Coinbase employees, urging them to click a link and log in to their Coinbase work account. One employee fell for the attack, and the threat actor then attempted to use the victim's account to gain access to Coinbase's internal systems. Fortunately, the company's security controls prevented this.
Soon afterwards, however, the attacker called the same employee, claiming to work for the company's IT department.
"About 20 minutes later our employee's mobile phone rang," Coinbase says. "The attacker claimed to be from Coinbase corporate Information Technology (IT) and they needed the employee's help. Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker's instructions. That began a back and forth between the attacker and an increasingly suspicious employee."
While the attacker was able to glean some employee information from the attack, Coinbase's security team detected suspicious behavior and alerted the targeted employee.
"As the conversation progressed, the requests got more and more suspicious," the company says. "Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers."
Coinbase concludes that anyone can fall victim to a social engineering attack.
"Humans are social creatures," the company says. "We want to get along. We want to be part of the team. If you think you can't be fooled by a well executed social engineering campaign - you are kidding yourself. Under the right circumstances nearly anyone can be a victim.
"The most difficult attack of all to resist is a direct contact social engineering attack, like the one our employee suffered here. This is where the attacker directly contacts you via social media, your mobile phone, or even worse, walks up to your home or place of business.
"These attacks aren't new. In fact, these kinds of attacks have certainly been happening since the early days of humanity. It's a favorite tactic of adversaries everywhere - because it works."
This attack illustrates the importance of a defense-in-depth strategy with a combination of technical defenses, security policies and employee training. New-school security awareness training teaches your employees to follow security best practices so they can block social engineering attacks.
Blog post with links:
https://blog.knowbe4.com/coinbase-attack-used-social-engineering
[Free Phish Alert Button] Give Your Employees a Safe Way to Report Phishing Attacks with One Click!
Do your users know what to do when they receive a suspicious email?
Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?
KnowBe4's Phish Alert add-in button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! And now, supports Outlook Mobile!
Phish Alert Button Benefits:
- Reinforces your organization's security culture
- Users can report suspicious emails with just one click
- Incident Response gets early phishing alerts from users, creating a network of "sensors"
- Email is deleted from the user's inbox to prevent future exposure
- Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
Get the Phish Alert Button Now:
https://info.knowbe4.com/free-phish-alert-chn
What Are the 10 Leading Incident Response Vendors?
TechTarget had a good article. They said: "Get help deciding between using in-house incident response software or outsourcing to an incident response service provider, and review a list of leading vendor options.
"Incident response is a critical component of enterprise security. Knowing how to deal with unplanned and potentially disruptive events that affect the security and integrity of an organization's IT infrastructure can mean the difference between survival and going out of business.
"In order to successfully handle incident response, it is important to have the proper tools in place. Today, many organizations may also employ incident response service providers to offload the task.
"Let's look at how to decide between in-house or outsourced incident response, considerations to make in each scenario and lists of leading software and service providers.
Incident response: In-house or outsourced?
"Incident response cannot be completed by an all-in-one platform. It requires a mix of tools and technologies, ranging from endpoint products, to network security platforms, to specialized malware analysis tools, to software with automation capabilities.
"The majority of these tools are already in use by most organizations, including SIEMs, vulnerability scanners, endpoint detection and response (EDR), antimalware and firewalls. More recently, user behavior analytics (UBA); security orchestration, automation and response (SOAR); and extended detection and response (XDR) have joined the fold. If a company has these tools, it is better suited to complete its own incident response tasks."
The article goes on with hints and tips on how to choose incident response software and service providers. It also provides a list of leading incident response vendor platforms. Check out #7.
Full article at TechTarget:
https://www.techtarget.com/searchsecurity/feature/Top-10-incident-response-vendors
[NOTE] Important new PhishER Feature: Microsoft 365 Blocklist
With the new PhishER Blocklist feature, it's easy to create your organization's unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console. You can use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Grab the new "no-reg" PDF datasheet:
https://www.knowbe4.com/hubfs/PhishER-Datasheet-D_EN-US.pdf
Oh, and while we are at it, here is another interesting list:
The 20 Coolest Risk, Threat Intelligence and Security Operations Companies of 2023. Check #11: https://www.crn.com/news/security/the-20-coolest-risk-threat-intelligence-and-security-operations-companies-of-2023-the-security-100/1
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [BUDGET AMMO] The Implications of ChatGPT on Cybercrime. Yours Truly on Forbes:
https://www.forbes.com/sites/forbestechcouncil/2023/02/24/the-implications-of-chatgpt-on-cybercrime/
PPS: [Great 5-min Video For Execs] Multi-Factor Authentication Is (Not) 99 Percent Effective:
https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-09-eye-opener-should-you-click-on-unsubscribe
A Special Case of Business Email Compromise: 'VEC'
Cloudflare warns that business email compromise (BEC) phishing has assumed a new form: vendor email compromise (VEC). The classic BEC case involves the impersonation of someone within an organization, taking advantage of the trust that builds up among co-workers to induce the victims to take some action (usually transferring funds, compromising credentials, or installing malware) that's harmful to the organization.
VEC involves a similar abuse of trust. "Like business email compromise (BEC) attacks, VEC works by impersonating a trusted third party and sending a legitimate-sounding but malicious email to a target. While traditional BEC attacks usually claim to be from a trusted individual within the organization, VEC goes one step further: it impersonates vendors (or other trusted third parties) in order to trick the target into paying fraudulent invoices, disclosing sensitive data, or granting access to corporate networks and systems."
One way of thinking about VEC, Cloudflare explains, is to regard it as a "financial supply chain compromise." It tends to be more sophisticated than other forms of BEC if only because it requires some preparatory work and closer targeting of the victim. "VEC generally requires a greater understanding of existing business relationships — like ongoing project details, budget data, and financial transaction schedules.
"This research process may take weeks to months, but the potential payoff for the attacker is far greater than more generalized attack methods, as it can take a significantly longer time for the target to identify the attack and stop payments from going through."
And once the VEC scammers have decided on their target, and once they've cultivated an appropriate level of trust through such displays of familiarity with that target, "they can carry out further malicious actions: requesting payment for fake invoices, tampering with billing account details, gathering sensitive information about the targeted organization, and so on."
An important part of an effective defense against VEC is new-school security awareness training. Informed and properly skeptical personnel are far less likely to fall for the scam, and are far more likely to offer the scammers a target too tough to crack.
Blog post with links:
https://blog.knowbe4.com/a-special-case-of-business-email-compromise
Be a Certified Security Awareness and Culture Professional (SACP)™
Your organization's cyber threat landscape is changing lightning fast. So, your security awareness skills need to stay razor sharp, and are increasingly viewed as critical to protect your organization from human error.
You can now be a leader in the security awareness and culture profession. Earn H Layer's Security Awareness and Culture Professional (SACP)™ credential and demonstrate your competency to design and lead security awareness programs that build a sustained security-awareness culture.
Your Security Awareness and Culture Professional (SACP)™ credential is the only independent, vendor-neutral certification designed specifically for the newest in-demand job roles in security awareness.
Learn more about the SACP Exam. Check out the requirements. Don't wait. Apply today and become one of the first 1,000 professionals to earn your SACP Cert.
https://www.thehlayer.com/about-exam/
Europol Takes Down BEC Gang
A joint investigation supported by Europol has taken down a criminal organization responsible for stealing nearly 38 million euros in a single attack via CEO fraud.
"The criminal network, comprised of French and Israeli nationals, targeted companies located in France," Europol said in a statement. "In early December 2021, one of the suspects impersonated the CEO of a company specialized in metallurgy, based in the department of Haute-Marne in north-eastern France.
"The fraudster asked the company's accountant to make an urgent and confidential transfer of EUR 300,000 to a bank in Hungary. The fraud was discovered a few days later when the accountant, thinking he was acting on behalf of the company's CEO, attempted to make a transfer of EUR 500,000.
"The company filed a complaint, and the investigators subsequently found that the call from the alleged CEO came from a number in Israel." Europol describes another attack that targeted a French real estate company and resulted in the theft of 38 million euros (around 40.3 million US dollars).
"In late December 2021, a real estate developer based in Paris also fell victim to fraud with a similar modus operandi," Europol says. "The damages were much more significant in this case, however. To perpetrate the fraud, the suspects impersonated lawyers, saying they worked for a well-known French accounting company.
"After gaining the victim's trust, the fraudster requested a large, urgent and confidential transfer. Pretending to be consultants, they persuaded the Chief Financial Officer (CFO) to transfer millions of euros abroad. In total, they defrauded the company of almost EUR 38 million in a matter of days. Using a pre-existing money laundering scheme, these funds were quickly transferred to different European countries, then to China and finally to Israel."
New-school security awareness training can enable your employees to thwart sophisticated social engineering attacks.
Europol has the story:
https://www.europol.europa.eu/media-press/newsroom/news/franco-israeli-gang-behind-eur-38-million-ceo-fraud-busted
What KnowBe4 Customers Say
"Hi Stu, I appreciate you following up with me. Yes, I am a very happy camper. The support I've received from Zac has been phenomenal throughout the process of setting up our training and phishing campaigns.
"We are into our second phishing campaign, and it is going very well. It's great to see how quickly our employees have become so vigilant in reviewing and flagging emails with the PAB that they find suspicious - so much so that some legitimate emails are being flagged and I have to respond back to them and educate the employee on why the email is actually legitimate.
"I have high expectations for the products I use, and your team and product have not just met, but exceeded my expectations. All the best."
- S.A., Director of Technology
"Wendy, I wanted to share with you just how great the Account manager team has been through our years with KnowBe4! Christian M. has been managing our account for the last ~2 years and he has been incredible. I had 2 other account managers prior, and they all were just as wonderful.
"Sometimes it is easy to forget to keep up to date with everything going on with your product and company, but Christian is always there to let us know what is new and how it can benefit us.
"The company I work for is also a software vendor. I have begun to push that we use a similar process to you folks because of how great the process has been from my perspective. KnowBe4 really makes us feel like we are a partner rather than just someone who uses the product and it really makes all the difference in the world.
"I look forward to our continued partnership and thank you for creating such a great experience."
- T.E., IT Support Specialist
- [SURPRISING] New FTC Data Reveals Top Lies Told by Romance Scammers:
https://www.ftc.gov/news-events/news/press-releases/2023/02/new-ftc-data-reveals-top-lies-told-romance-scammers
- Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers:
https://thehackernews.com/2023/02/norway-seizes-584-million-in.html
- Russian accused of developing password-cracking tool extradited to U.S.:
https://therecord.media/russian-accused-of-developing-password-cracking-tool-extradited-to-us/
- Phishing Sites Use ChatGPT as Lure:
https://www.infosecurity-magazine.com/news/phishing-sites-and-apps-use/
- Russia targets Netherlands' North Sea Power infrastructure, says Dutch intelligence agency:
https://www.reuters.com/world/europe/russia-targets-netherlands-north-sea-infrastructure-says-dutch-intelligence-2023-02-20/
- How I Broke Into a Bank Account With an AI-Generated Voice:
https://www.vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice
- A Year Into Russia's Invasion of Ukraine, We're Still Bracing for a Massive Cyberwar:
https://www.cnet.com/tech/services-and-software/a-year-into-russias-invasion-of-ukraine-were-still-bracing-for-a-massive-cyber-war/
- Feds warn about Russia-linked hacking group attacking health care:
https://www.medicaleconomics.com/view/feds-warn-about-russia-linked-hacking-group-attacking-health-care
- White House Committee Advocates Collaboration, Consensus in Cybersecurity Standards:
https://www.nextgov.com/cybersecurity/2023/02/white-house-committee-advocates-collaboration-consensus-cybersecurity-standards/383209/
- FTC: Americans lost $8.8 billion to fraud in 2022 after 30% surge:
https://www.bleepingcomputer.com/news/security/ftc-americans-lost-88-billion-to-fraud-in-2022-after-30-percent-surge/
- Your Virtual Vaca to Greece and Turkey, cruising from Athens to Istanbul:
https://www.youtube.com/watch?v=NajG4v9UWTg
- Your Virtual Vaca to the incredible Dolomites mountains, Italy in 8K HDR 60p:
https://www.youtube.com/watch?v=mTvhFQ3aT2U
- Best Of Web. Luc Bergeron (Zapatou) does it again - this time with a fifth installment:
https://www.flixxy.com/best-of-web-5-hd-by-zapatou.htm?utm_source=4
- Penn & Teller FOOL US presents the French Alexandra Duvivier:
https://www.youtube.com/watch?v=tjZSG0lycr8
- The LockPicking Lawyer: "Police Handcuffs: Flawed, But Good Enough":
https://www.youtube.com/watch?v=49l8hQZO5gE
- Supercar Blondie: "Rivian's New Electric SUV has Surprising Features":
https://www.youtube.com/watch?v=xQ319PFyO80&feature=youtu.be
- Electricity? Hydrogen? Synthetic Fuel? What's The Future of Forward Motion?:
https://www.youtube.com/watch?v=J4EC8cDTvSg
- Europe is Building a 57KM Tunnel Through a Mountain:
https://www.youtube.com/watch?v=kc29axOAzRs&feature=youtu.be
- For Da Kids #1 - Family adopts a parrot. Now he won't stop talking:
https://youtu.be/tccIcKQ71Zs
- For Da Kids #2 - Blind Cougar Was Scared Of Crashing Into Things Until Mom Came To The Rescue:
https://www.youtube.com/watch?v=oIbnk94t_ks
- For Da Kids #3 - Shelter Puppy Waits Outside Her Scared Mom's Crate To Comfort Her:
https://www.youtube.com/watch?v=keWrHRagHyI
- For Da Kids #4 - Woman says her groundhog acts like human toddler:
https://www.youtube.com/watch?v=nWKBqJZOdZQ
- For Da Kids #5 - Guy Risks His Own Life To Save 3 Trapped Snakes. Kids do not do this at home:
https://www.youtube.com/watch?v=it8LomIg8Ng