CyberheistNews Vol 13 #11 [Heads Up] Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears

Cyberheist News

CyberheistNews Vol 13 #11  |   March 14th, 2023

[Heads Up] Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security FearsStu Sjouwerman SACP

Robert Lemos at DARKReading just reported on a worrying trend. The title said it all, and the news is that more than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information. Yikes.

I'm giving you a short extract of the story and the link to the whole article is below.

"Employees are submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT, raising concerns that artificial intelligence (AI) services could be incorporating the data into their models, and that information could be retrieved at a later date if proper data security isn't in place for the service.

"In a recent report, data security service Cyberhaven detected and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million workers at its client companies because of the risk of leaking confidential info, client data, source code, or regulated information to the LLM.

"In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company.

"And as more employees use ChatGPT and other AI-based services as productivity tools, the risk will grow, says Howard Ting, CEO of Cyberhaven.

"'There was this big migration of data from on-prem to cloud, and the next big shift is going to be the migration of data into these generative apps," he says. "And how that plays out [remains to be seen] — I think, we're in pregame; we're not even in the first inning.'"

Your employees need to be stepped through new-school security awareness training so that they understand the risks of doing things like this.

Blog post with links:

[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!

The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.

Join us THIS WEEK, Wednesday, March 15, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: THIS WEEK, Wednesday, March 15, @ 2:00 PM (ET)

Save My Spot!

[SCAM OF THE WEEK] Is ChatGPT Your Next Financial Advisor?

ChatGPT, an artificial intelligence (AI) chatbot created by OpenAI, has risen in popularity since its release last year. Now, cybercriminals are using ChatGPT's popularity to lure you into phishing scams. In one of these scams, cybercriminals try to trick you with a fake new ChatGPT feature.

The scam starts with a phishing email informing you that ChatGPT has a new feature to help you invest in the stock market. If you click the link in the email, you'll be taken to a spoofed ChatGPT website and prompted to enter your contact information. Then, a representative will call you and request that you submit a payment to open your investment account. Unfortunately, if you submit a payment, that money won't help you invest in the stock market. Instead, cybercriminals will steal it to invest in their own malicious pursuits.

Follow the tips below to stay safe from similar scams:

  • Before you click a link, hover your mouse over it. Make sure that the link leads to a legitimate, safe website that corresponds with the content in the related email.
  • Be cautious of unexpected investment opportunities. Remember, if something seems too good to be true, it probably is!
  • Never submit payments to a bank account provided in an email, text message, or phone conversation. Instead, navigate to the organization's official website to submit a secure payment.

Remember, creating an effective human security layer with new-school security awareness training is the only way to ensure your users are able to spot a suspicious phishing email that leverages artificial intelligence.

Blog post with links:

[FREE RESOURCE KIT] Phishing Security Resources

Phishing emails increase in volume every month and every year, so we created this free resource kit to help you defend against attacks. Request your kit now to learn phishing mitigation strategies, what new trends and attack vectors you need to be prepared for, and our best advice on how to protect your users and your organization.

Here is what you'll get:

  • Access to our free on-demand webinar "Your Ultimate Guide to Phishing Mitigation," featuring Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist
  • Our most popular phishing whitepaper: Comprehensive Anti-Phishing Guide E-Book
  • A video that explains how to avoid phishing attacks
  • Our most recent quarterly infographic on Top-Clicked Phishing Email Subjects Infographic
  • Posters and digital signage to remind users about what to watch out for

Get Your Free Phishing Security Resources Now!

Three-Quarters of Vulnerabilities Used in Ransomware Attacks Were Discovered Before 2020

Despite a lot of focus on phishing and remote access as initial access vectors, new data shows the use of vulnerabilities is not only on the rise, but simply isn't being properly addressed.

The report, Ransomware 2023, put out jointly by cybersecurity vendors Securin, CybersecurityWorks, Ivanti, and Cyware, highlights the use of vulnerabilities within ransomware attacks. According to the report, vulnerabilities are alive and well in modern attacks:

  • 81 vulnerabilities exist that provide attackers with end-to-end access – from initial access to exfiltration – have been identified within popular operating systems, databases, storage, virtualization and firewall solutions.
  • 76% of vulnerabilities exploited by ransomware are old – really old. Many of them were discovered between 2010 and 2019!
  • The number of vulnerabilities associated with ransomware attacks has grown 19% with a total count of 344 since 2019

At present, according to the report, there are a total of 11,778 weaponized vulnerabilities documented; this reaches far beyond just ransomware and represents all known vulnerabilities including those that have been addressed with updates.

While the 81 vulnerabilities provide threat actors with relatively complete access for an attack, not every organization has the required platform to take advantage of one of these vulnerabilities. The result is many vulnerabilities only provide initial access, requiring that threat actors return to more traditional actions that include the need to compromise credentials – something that generally is accomplished using internal spear phishing.

So, even as I conclude this article about the threat of vulnerabilities, don't forget they only play a role in most cyberattacks and that phishing continues to be the most leveraged attack method – demonstrating the need for security awareness training to ensure when internally- or externally-based phishing attacks occur, users are certain to spot these malicious emails for their true purpose and never engage to enable the attacker.

Blog post with links:

[CASE STUDY] Gamifying the Way to Phishing Resilience at Whitbread

Multinational hospitality provider Whitbread understands just how vital knowledge of phishing email tactics is to organizational security. KnowBe4's simulated phishing capabilities and integrated training helped the information security awareness and communications manager improve phishing report rates and drive user engagement, reminding users of the vital part they play in Whitbread's security culture.

Learn how KnowBe4's simulated phishing platform with integrated training allowed them to:

  • Increase reported simulated phishing emails from 2% to 31% in less than a year
  • Improve communication between users and the infosec team
  • Enroll nearly a quarter of users in an inaugural simulated phishing tournament
  • Raise user engagement with security training and simulated phishing

Download this case study today!

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [Heads Up] The SVB Bankruptcy Is a Social Engineering Bonanza:

PPS: Regarding the SVB Meltdown - The Interesting History and Origin of the Word "Bankruptcy":

Quotes of the Week  
"It's not what happens to you, but how you react to it that matters."
- Epictetus - Philosopher (55 - 135)

"It's what we think we know that keeps us from learning."
- Claude Bernard (1813 - 1878)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Phishing for Ring Customers

INKY warns that a phishing campaign is targeting users of the Ring video security system. The scammers are sending very brief phishing emails instructing recipients to click on the attached HTML file in order to update their membership. The file will open a webpage hosted locally on the victim's machine, which helps the attackers avoid detection by security filters.

The HTML file contains a link to a phishing site that spoofs Ring's login page, and is designed to harvest the victim's credentials, credit card information, and social security number. After entering their information, the victim will be redirected to Ring's legitimate website.

INKY notes that users should instantly be wary of the phishing page, since it asks for their social security number.

"After completing the login process, customers are presented with a form to update credit card information," INKY says. "The form also asks for a social security number, which is suspicious considering vendors rarely ask for your social security number and hardly ever along with credit card info."

INKY offers the following recommendations to help users avoid falling for these attacks:

  • "An account issue can be resolved by visiting a company's website directly instead of clicking on email attachments and links.
  • "Use your browser's address bar to confirm that you're on a website instead of a local file.
  • "Confirm the domain of the website. In this case, recipients should be suspicious that the Ring login page is hosted on immobilmedia[.]com instead of ring[.]com.
  • "Be careful with display name spoofing. This example uses 'Ring Video Doorbell' as the display name, but recipients should be suspicious that the sender's email address isn't an authentic Ring email address.
  • "Always be suspicious when receiving HTML attachments from unknown senders. Simply opening the file can run malicious code on the recipient's computer."

New-school security awareness training enables your employees to recognize the signs of phishing and other social engineering attacks.

Blog post with links:

Google Phishing Pages Jump 1,560% YoY

Vade has released a report looking at phishing trends in 2022. The researchers say the top three most-impersonated brands last year were Facebook, Microsoft and Google.

"For the second consecutive year, Facebook was the top impersonated brand, edging out Microsoft," the researchers write. "With more than 25,000 unique branded phishing websites—Facebook represented nine percent of total phishing from this year's list. Microsoft finished as runner-up for the second year in a row, also representing nine percent of all phishing websites but accounting for nearly 2,000 less than Facebook.

"Like 2021, Microsoft remains the most impersonated brand in the corporate market. Google jumped into the #3 spot with 1,560 percent YoY growth in phishing pages, the second biggest leap among brands to crack the top 20 in this year's report."

The researchers explain that the growing popularity of Google's productivity suite accounts for the meteoric rise in Google-themed phishing pages.

"Productivity suites are an attractive target for phishers," Vade says. "With a suite of integrated applications, these digital ecosystems give phishers more opportunities to exploit users before and after an initial compromise. For example, phishers can impersonate integrated applications such as file-sharing solutions in an initial attack, as well as use compromised accounts to distribute malicious links and files through new channels, such as instant messaging tools."

The report also found that phishing attacks are becoming more targeted and attackers are increasingly abusing legitimate services to evade detection. "One example surfaced earlier this year when a French career website was targeted by phishers, who applied to job openings with resumes containing phishing links," the researchers write.

"With each application submitted, the career platform auto generated a response email that delivered the malicious resumes to recruiting organizations. Once victims open the PDF resume attachments, they're prompted to click malicious links that point to a phishing website, where hackers can harvest account credentials. The attack exploits the legitimate servers, IP address, and domain name of the website, making it more difficult for email filters and victims to detect."

Blog post with links:

What KnowBe4 Customers Say

"Hello Stu, I hope you do not mind me reaching out to you directly, but I felt I had to let you know what an asset Donne is to your team.

"She is always on hand to assist with any query we have (and there are a few) and always keeps the team here up-to-date with anything new from KnowBe4. She listens attentively to our requirements and always comes back to me with a timely response.

"Last week she went above and beyond to assist with an urgent matter we were dealing with, and though the request was a big ask she still turned it around in less than 24 hours. It is always a pleasure working with Donne and I wanted to let you know that she is exceptional - thank you Donne."

- P.D., Cyber Security Awareness & Training Manager

"Hey Stu, everything is going very well so far! Your product is well designed, and very intuitive to use. All of the training content I've seen so far is all very good, and we are in the middle of our first training campaign. I'm kind of looking forward to phishing my users again after this first training campaign is over.

"Your staff have been super helpful and have addressed any questions or issues we have had quickly and perfectly. They are well trained, knowledgeable, and a pleasure to talk to."

- M.C., Systems Administrator

The 10 Interesting News Items This Week
  1. Blackmamba: Using AI To Generate Polymorphic Malware:

  2. CISA funding to top $3 billion under Biden's FY 2024 budget:

  3. Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw:

  4. Europol Hits Alleged Members of DoppelPaymer Ransomware Group:

  5. Fool's Gold: dissecting a fake gold market pig-butchering scam:

  6. Turla Hacking Group: A Persistent International Threat:

  7. New malware variant has "radio silence" mode to evade detection:

  8. WSJ: Ukraine's Software Warrior Brigade:

  9. Fake ChatGPT Chrome extension targeted Facebook Ad accounts:

  10. FBI investigates data breach impacting U.S. House members and staff:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe To Our Blog

Free Phishing Security Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews