CyberheistNews Vol 13 #12 | March 21st, 2023
[Heads Up] This Week's New SVB Meltdown Social Engineering Attacks
On Saturday March 11, I warned about the coming wave of phishing attacks that would undoubtedly follow the SVB collapse. We were not disappointed.
There is a raft of new registered domains that are SVB-related, for example login.svb[.]com and many others that will probably all be used for business email compromise (BEC) attacks.
Adi Ikan, CEO of Veriti, observed that "Phishing campaigns are leveraging SVB's recent collapse to impersonate the bank and its online services. We have observed an increase in the registration of fake phishing domains in the U.S. (88%), Spain (7%), France (3%) and Israel (2%), and we anticipate this number to grow."
INKY describes a phishing campaign that impersonates SVB with phony DocuSign notifications: "Email recipients are told that the 'KYC Refresh Team' sent two malicious documents that require a signature. 'KYC' is a banking term that stands for 'Know Your Customer' or 'Know Your Client.' It's a mandatory process banks use to verify an account holder's identity."
Cyberwire Pro has a good summary. Their newsletter is a "Stu's Warmly Recommended."
https://thecyberwire.com/stories/4880d3b8100c464f83fcf8d8ec8d3f23/svbs-collapse-and-the-potential-for-fraud
Train users about the risks. We have simulated phishing attack templates with SVB themes ready-made in your Current Events section for you to send to your users.
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
- NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
- NEW! AI-Driven phishing and training recommendations for your end users
- Did You Know? You can upload your own SCORM training modules into your account for home workers
- Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes
Find out how 50,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: Wednesday, April 5, @ 2:00 PM (ET)
Save My Spot!
https://event.on24.com/wcc/r/4145100/57C034348C5523E4F556F1190504FEEC?partnerref=CHN
[Black Eye] The Lesson We Learned. Don't Let This Happen to You. #DMARC
Mea culpa. When you make a mistake, admit you made a mistake.
This week, we sent out a marketing email to many of our existing customers about our forthcoming, annual, very popular KB4-CON event.
We have been sending out these types of emails since day one of operations back in 2010. We have sent many thousands of these types of emails in the past without error. We have it down to an exact science…or so we thought.
Turns out even the best of intentions can have errors, and we made a big one.
When you send large audience marketing emails, you create a message and use your database of email addresses and names to send it out. Our email content was correct and so was our email address database, but we used an incorrect email address field that resulted in every sent email appearing as if it was a possible phishing attack. OUCH.
That is not a good look for an organization dedicated to defeating social engineering and phishing. Let me explain more.
Mistake Details
We had intended to send the email to every involved customer as being sent by that customer's existing Customer Success Manager (CSM), so the recipient could contact the appropriate KnowBe4 person if they had questions or needed more details.
Our customers are familiar with their CSM and often have an ongoing relationship. If this marketing email had been done appropriately, it would have carried the CSM's name in what is known as the "Friendly From" (the display name) and the CSM's email address in the visible From address field.
[CONTINUED] at the KnowBe4 Blog:
https://blog.knowbe4.com/black-eye-the-lesson-we-learned.-dont-let-this-happen-to-you.-dmarc
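The reason a wrong From field makes a legitimate mailing look like phishing is DMARC identifier alignment: a receiver passes the message only if the domain in the visible From header matches (exactly, or at the organizational-domain level) a domain that SPF or DKIM actually authenticated. The script below is an added example, not KnowBe4's code and not a reconstruction of the incident above. The two messages, the domains (example.com as the sender's own domain, esp.example.net as a third-party sending platform) and the placeholder signature values are constructed; it also assumes the receiving MTA has already verified SPF and DKIM and checks only the alignment step.

```python
"""DMARC identifier alignment check.

Added example, not KnowBe4's code. DMARC only passes when the domain in the
visible RFC5322.From header "aligns" with a domain that SPF or DKIM actually
authenticated; this script checks that alignment on constructed messages.
It assumes the SPF and DKIM verdicts themselves have already been obtained
by the receiving MTA (it does not verify signatures or query DNS).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Real evaluators use the Public Suffix List (so 'x.example.co.uk' maps to
    'example.co.uk'); the two-label rule is an assumption that keeps this
    example self-contained.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment matches organizational domains; strict ('s')
    requires an exact match (the adkim= / aspf= tags of a DMARC record)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dkim_signing_domain(raw_message: str) -> Optional[str]:
    """Pull the d= tag out of the DKIM-Signature header, if present."""
    sig = message_from_string(raw_message).get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1) if m else None


def dmarc_alignment(raw_message: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Report which authenticated identifiers align with the visible From domain."""
    msg = message_from_string(raw_message)
    friendly_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    # SPF authenticates the RFC5321.MailFrom, which the MTA records as Return-Path.
    mail_from = parseaddr(msg.get("Return-Path", ""))[1]
    spf_domain = mail_from.rpartition("@")[2]
    dkim_domain = dkim_signing_domain(raw_message)
    spf_aligned = bool(spf_domain) and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = bool(dkim_domain) and aligned(from_domain, dkim_domain, adkim)
    return {
        "friendly_from": friendly_name,
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC passes if either authenticated identifier aligns.
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed sample messages; signature values are placeholders.
ALIGNED_MESSAGE = (
    "Return-Path: <bounces@mail.example.com>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mkt; h=from:subject; bh=placeholder; b=placeholder\r\n"
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "Subject: Your invitation\r\n\r\nBody\r\n"
)

# Same visible From, but sent through a platform that authenticates only its own domain.
MISALIGNED_MESSAGE = (
    "Return-Path: <bounces@esp.example.net>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example.net; s=mkt; h=from:subject; bh=placeholder; b=placeholder\r\n"
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "Subject: Your invitation\r\n\r\nBody\r\n"
)

if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MESSAGE), ("misaligned", MISALIGNED_MESSAGE)):
        print(label, dmarc_alignment(raw))
```

The second message is the shape of failure to watch for in any bulk mailing: the Friendly From looks right to the recipient, but neither the bounce domain nor the DKIM signing domain belongs to the organization in the From address, so receivers applying a p=quarantine or p=reject policy treat it as spoofed. Before a large send, run one seed message through this check (or read the Authentication-Results header a seed mailbox receives) rather than trusting the template.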
[MOBILE LEARNER APP] Security Awareness Training Anytime, Anywhere
What if you could manage the ongoing problem of social engineering with security awareness training anytime, anywhere? Now you can broaden the protection of your largest attack surface with 24/7 access to assigned training modules, giving your users flexibility to consume content when it's convenient for them.
Anytime, Anywhere Learning
The KnowBe4 Learner App enables your users to complete their security awareness and compliance training conveniently from their smartphones and tablets. You can now cover employees that don't typically have access to a desktop or laptop device by using the KnowBe4 Learner App. Keep your employees on track to reach their learning requirements with easy access to training that's available with just a few taps.
The KnowBe4 Learner App Provides:
- Convenience and mobility - learn anytime, anywhere
- Seamless localized learner experience from desktop to mobile
- Increased user engagement and faster completion rates of your assigned training campaigns
- Fingertip access to 100+ KnowBe4 training modules already optimized for mobile use
And the best part? There is no extra cost! The KnowBe4 Learner App is included with your training subscription and is available for Android and iOS devices.
Learn more about the KnowBe4 Learner App now!
https://www.knowbe4.com/mobile-learner-app
Microsoft Warns of Business Email Compromise Attacks Taking Just Hours
According to Microsoft's Security Intelligence team, a recent business email compromise attack (BEC) has shown that threat actors are quickening the pace of these attacks, with certain elements only taking a few minutes.
The rapid attack progression shows that potential victims will have significantly less time to identify any signs of fraud and take preventative measures. BEC attacks primarily use social engineering to impersonate a trusted individual to trick an employee into falling for their trap.
One wrong move from a user and your organization could be in crisis mode within minutes of a successful attack. Microsoft published a timeline of a recent attack that was reported to them. From the first sign-in to the deletion of the sent email, a total of 127 minutes had passed, reflecting the attacker's haste. (Screenshot in the blog post linked below.)
Microsoft 365 Defender did generate a BEC alert 20 minutes after the threat actor deleted the sent email and automatically disrupted the attack by disabling the user's account, but even so there is barely any time for your organization to respond.
Javvad Malik, Security Awareness Advocate at KnowBe4, recently wrote about how BEC attacks should not be overlooked, and I couldn't agree more. New-school security awareness training prepares your users to recognize and report these types of attacks as part of their day-to-day operations. Always remember that your users are your last line of defense!
Blog post with screenshot and links:
https://blog.knowbe4.com/business-email-compromise-attacks-take-hours
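The sequence in that timeline (a sign-in, a message sent from the compromised mailbox, then the sent copy deleted to hide it) is something you can correlate yourself rather than waiting for a product alert. The script below is an added example, not Microsoft's or KnowBe4's code. The event records, the baseline of previously seen sign-in IPs and the operation names are constructed, loosely modeled on the kind of mailbox audit data a tenant can export; the schema is an assumption and would need mapping to your real log source. The constructed timing mirrors the article: first sign-in to deletion of the sent email inside 127 minutes.

```python
"""Correlating a fast-moving BEC sequence in mailbox audit events.

Added example, not Microsoft's or KnowBe4's code. Events, baseline IPs and
operation names are constructed for the demo (assumed schema).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (times are UTC). alice's sequence spans 127 minutes;
# bob signs in from a known IP and deletes a sent item two days later.
EVENTS = [
    {"time": datetime(2023, 3, 14, 9, 0), "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.45"},
    {"time": datetime(2023, 3, 14, 10, 50), "user": "alice@example.com", "op": "Send", "subject": "Updated wire instructions"},
    {"time": datetime(2023, 3, 14, 11, 7), "user": "alice@example.com", "op": "SoftDelete", "folder": "SentItems"},
    {"time": datetime(2023, 3, 14, 8, 0), "user": "bob@example.com", "op": "UserLoggedIn", "ip": "198.51.100.7"},
    {"time": datetime(2023, 3, 14, 8, 10), "user": "bob@example.com", "op": "Send", "subject": "Lunch?"},
    {"time": datetime(2023, 3, 16, 15, 0), "user": "bob@example.com", "op": "SoftDelete", "folder": "SentItems"},
]

# Constructed baseline: IPs each user has signed in from before (assumption;
# in practice derived from weeks of sign-in history).
BASELINE_IPS = {
    "alice@example.com": {"192.0.2.10"},
    "bob@example.com": {"198.51.100.7"},
}


def detect_fast_bec(events, baseline_ips, window=timedelta(hours=3)):
    """Flag users whose timeline shows: sign-in from a never-seen IP, then a
    sent message, then deletion of an item from Sent Items, all inside `window`.
    Returns one hit per matching sequence."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    hits = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["time"])
        anchor = None  # the suspicious sign-in that starts a candidate sequence
        sent = None
        for event in user_events:
            op = event["op"]
            if op == "UserLoggedIn":
                # A sign-in from a known IP does not start a sequence.
                if event.get("ip") not in baseline_ips.get(user, set()):
                    anchor, sent = event, None
                continue
            if anchor is None:
                continue
            if op == "Send":
                sent = event
            elif op in ("SoftDelete", "HardDelete") and event.get("folder") == "SentItems" and sent:
                elapsed = event["time"] - anchor["time"]
                if elapsed <= window:
                    hits.append({
                        "user": user,
                        "login_ip": anchor["ip"],
                        "sent_subject": sent.get("subject"),
                        "minutes_login_to_delete": int(elapsed.total_seconds() // 60),
                    })
                anchor, sent = None, None
    return hits


if __name__ == "__main__":
    for hit in detect_fast_bec(EVENTS, BASELINE_IPS):
        print(hit)
```

The point of keying the rule on the deletion of the sent item is that it fires at the moment the attacker tries to cover their tracks, not twenty minutes later; the new-IP condition is deliberately crude (VPNs and mobile networks will produce noise) and is the knob to tune against your own sign-in history.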
What Your Password Policy Should Be
You know passwords are still a necessary evil, despite recurring predictions that some new credentialing architecture will take over in just a few years' time. Until then, your goal is to craft password policies that mitigate as much risk as possible for both your employees and your organizations.
In this e-book, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, details the pros and cons of password use. Roger explains how the implementation of supporting frameworks, such as MFA and password managers, can help you keep your organization locked down.
From common password attacks to what to put in place to stop them, he covers it all!
Download this e-book to learn:
- What tactics bad actors use to hack passwords (and how to avoid them)
- The pros and cons of password managers and multi-factor authentication and how they impact your risk
- How to craft a secure password policy that addresses the most common methods of password attack
- How to empower your end users to become your best last line of defense
Download Now:
https://info.knowbe4.com/wp-password-policy-should-be-chn
New CISA Cybersecurity Advisory in the #StopRansomware Series
CISA has a new warning regarding LockBit 3.0, and recommends these actions to mitigate cyber threats from ransomware:
- Prioritize remediating known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Enable and enforce phishing-resistant multifactor authentication.
Here is the full advisory:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Cloudflare partners with KnowBe4 to equip organizations with real-time security coaching to avoid phishing attacks:
https://blog.cloudflare.com/knowbe4-emailsecurity-integration/
- Omar Khayyám - Mathematician, Astronomer, Philosopher, Poet (1048 - 1131)
- Dante Alighieri - Poet (1265 - 1321)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-12-heads-up-this-weeks-new-svb-meltdown-social-engineering-attacks
A 240% Rise in Dynamic Phishing
Attackers are increasingly using techniques to prevent their phishing pages from being detected by security firms, a new report from BlueVoyant has found. The report found that in 2022 there was a 240% increase in phishing pages that attempted to redirect potential security researchers and bots away from the sites.
Redirecting Threat Hunters
"One of the more complicated ways threat actors evade detection involves multiple redirect paths, steering consumers to spoofed domains while redirecting presumed threat hunters or phishing analysts to an error page," the report says. "These evasion mechanisms include User Agent or IP restrictions and blacklisting, with significant emphasis placed on bot and crawler detection.
"The purpose of this type of redirection is to hide the phishing content on a single website by diverting threat hunters elsewhere, i.e., the target's official domain, a Google search, etc."
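User-Agent based cloaking of this kind leaves a simple footprint: the same URL answers differently depending on who asks. The script below is an added example, not BlueVoyant's tooling. It fetches a URL as a browser and as several scanner-like clients and reports whether the final URL, status or body diverge. The User-Agent strings are illustrative assumptions, and the two `fake_*` functions are constructed stand-ins for a cloaking kit and a plain site so the demo runs offline; only the default `fetch` touches the network.

```python
"""Probing a suspected phishing URL for User-Agent based cloaking.

Added example, not BlueVoyant's tooling. User-Agent strings are assumptions;
fake_cloaking_kit and fake_plain_site are constructed offline stand-ins.
"""
import hashlib
import urllib.request
from urllib.error import HTTPError, URLError

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36")
SCANNER_UAS = {
    "curl": "curl/7.88.1",
    "python-requests": "python-requests/2.28.2",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def fetch(url: str, user_agent: str, timeout: float = 10.0):
    """Follow redirects and return (final_url, status, sha256 of body).
    Run this from an isolated analysis host, never from an egress IP you
    care about: kits also block and log analyst addresses."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.geturl(), resp.status, _digest(resp.read())
    except HTTPError as err:  # 4xx/5xx responses still carry a body worth comparing
        return err.geturl(), err.code, _digest(err.read())
    except URLError as err:
        return url, None, str(err.reason)


def cloaking_report(url: str, fetch_fn=fetch) -> dict:
    """Compare the browser view of a URL against each scanner view of it."""
    browser_view = fetch_fn(url, BROWSER_UA)
    per_agent = {}
    for name, ua in SCANNER_UAS.items():
        final_url, status, digest = fetch_fn(url, ua)
        per_agent[name] = {
            "final_url_differs": final_url != browser_view[0],
            "status_differs": status != browser_view[1],
            "body_differs": digest != browser_view[2],
        }
    return {
        "browser_view": browser_view,
        "per_agent": per_agent,
        # Any divergence means the server decides what to serve based on who asks.
        "cloaking_suspected": any(any(flags.values()) for flags in per_agent.values()),
    }


# Constructed offline stand-ins for two kinds of server.
def fake_cloaking_kit(url, user_agent, timeout=10.0):
    """Serves the credential form to browsers and bounces everything else
    (tools and crawlers) to the impersonated brand's real site."""
    if "Mozilla" in user_agent and "Googlebot" not in user_agent:
        return url, 200, _digest(b"<form action='/post'>Sign in</form>")
    return "https://www.example.com/", 200, _digest(b"<html>official site</html>")


def fake_plain_site(url, user_agent, timeout=10.0):
    """Same content regardless of client."""
    return url, 200, _digest(b"<html>same for everyone</html>")


if __name__ == "__main__":
    import json
    print(json.dumps(cloaking_report("https://login-verify.example.net/", fake_cloaking_kit), indent=2))
```

One vantage point only exposes the User-Agent leg of the evasion. The IP restrictions and blacklisting the report also mentions need the same comparison repeated from a second, consumer-looking egress (a residential or mobile connection) against the result from your scanning range; a page that is clean from the scanner but a login form from the phone is the same signal.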
Threat actors are also taking advantage of dynamic DNS providers to quickly spin up phishing pages on the cheap.
Dynamic DNS, Phishing Without a Domain
"Dynamic DNS hosting providers are particularly popular among threat actors because they provide a convenient platform to easily set up and host multiple phishing pages without having to register a domain," the researchers write.
"BlueVoyant has been tracking phishing activity leveraging this infrastructure since 2021, and found that 67% of all phishing attacks were hosted on dynamic DNS infrastructure by the end of that year, demonstrating the infrastructure's quick adoption and massive scale of use."
BlueVoyant has also observed a steady increase in SMS phishing (smishing). The researchers warn that attackers can buy SMS gateway scripts from criminal markets, then abuse legitimate SMS gateway providers to send out thousands of smishing messages.
"To carry out a successful smishing attack, threat actors require an automated tool that can send SMS messages in bulk," the report says. "SMS gateway scripts are sold on the deep and dark web as all-inclusive solutions, which are rather easy to operate, and require very little technical knowledge."
New-school security awareness training enables your employees to make smarter security decisions.
Blog post with links:
https://blog.knowbe4.com/a-240-rise-in-dynamic-phishing
Warning Customers About Social Engineering
It's a familiar story: scam artists impersonate a trusted brand, a trusted business or a trusted authority in emails and on bogus sites designed to exploit that very trust to commit fraud. Generally, this isn't the fault of the person or organization being impersonated. But it's worth remembering that there are practices and policies an organization can take to help keep their customers and other stakeholders protected from this kind of fraud.
There was an example of this recently from the cryptocurrency sector. The hardware crypto wallet provider Trezor warned its customers that there was an active phishing campaign in progress in which crooks were pretending to be Trezor in an attempt to steal users' private keys.
"The phishing campaign involves attackers posing as Trezor and contacting victims via phone calls, texts or emails claiming that there has been a security breach or suspicious activity on their Trezor account," Cointelegraph writes.
"'Trezor Suite has recently endured a security breach, assume all your assets are vulnerable,' the fake message reads, inviting users to follow a phishing link to 'secure' their Trezor device.
"'Please ignore these messages as they are not from Trezor,' Trezor declared on Twitter, emphasizing that the firm will never contact its customers via calls or SMS. The firm added that Trezor had not found any evidence of a database breach."
Trezor, of course, hadn't sustained a security breach. It was just phishbait the scammers were dangling in front of their marks.
It's a useful reminder and a good example of how to warn customers. It's also good policy to make your customers aware that you're not going to send them links, not by call, text or email. New-school security awareness training can help you and your employees develop the kinds of security practices and policies that will help not only them, but your customers as well.
Blog post with links:
https://blog.knowbe4.com/warning-customers-about-social-engineering
What KnowBe4 Customers Say
"Hi Stu, Thanks for reaching out to see how we are getting on. We have been happy with the platform and received tremendous support from the CSM team. Thankfully no issues to report!"
- K.B., Head of Marketing & Communications
"Stu, many thanks for the personal message. We're still just starting on our journey with your platform but so far the experience has been very positive. I'd like to especially mention Robbie C. and Beth P. who have been absolute superstars. They're a credit to your organization. Fingers crossed the platform is as well received within the business! 😊"
- L.C., Group Chief Technology Officer
- Wave of stealthy China cyberattacks hits U.S., private networks, Google says:
https://www.wsj.com/articles/wave-of-stealthy-china-cyberattacks-hits-u-s-private-networks-google-says-2f98eaed?st=70e8b6vrv1bzuxx&reflink=desktopwebshare_permalink
- Estonian official says parliamentary elections were targeted by cyberattacks:
https://therecord.media/estonia-cyberattack-parliamentary-elections
- BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion:
https://www.darkreading.com/risk/bianlian-ransomware-pivots-encryption-pure-data-theft-extortion
- Hike in AI-Created YouTube Videos Loaded With Malware:
https://www.darkreading.com/application-security/ai-creating-compelling-youtube-videos-loaded-with-malware-
- YoroTrooper cyberspies target CIS energy orgs, EU embassies:
https://www.bleepingcomputer.com/news/security/yorotrooper-cyberspies-target-cis-energy-orgs-eu-embassies/
- Microsoft fixes Outlook zero-day used by Russian hackers since April 2022:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/
- Humans Still More Effective Than ChatGPT at Phishing:
https://www.infosecurity-magazine.com/news/humans-more-effective-chatgpt/
- Russian Hackers Step Up Cyber Espionage Against Ukraine and Allies, Microsoft Says:
https://www.wsj.com/articles/russian-hackers-step-up-cyber-espionage-against-ukraine-and-allies-microsoft-says-aef4b31e?
- This Is the New Leader of Russia's Infamous Sandworm Hacking Unit:
https://www.wired.com/story/russia-gru-sandworm-serebriakov/
- Senators call on CISA to examine cybersecurity risks of Chinese consumer drones:
https://therecord.media/senate-drone-cisa-china-warner-blackburn
- Virtual Vaca #1: Top 10 Places To Visit in Brazil - Travel Guide:
https://www.youtube.com/watch?v=GGPgvq06y40
- Virtual Vaca #2: My Solo Trip to New Mexico:
https://www.youtube.com/watch?v=7NCOKIZ0irg
- [SUPER FAVE] Koenigsegg Jesko Absolut FLAT OUT! Ft Christian Von Koenigsegg:
https://www.youtube.com/watch?v=CHSgj-rTpj4
- Landing A Plane On The World's Smallest Runway:
https://www.flixxy.com/small-plane-lands-on-top-of-a-building-and-takes-off.htm?utm_source=4
- Lockpicking Lawyer: What Were They Thinking?!? Yale Bicentric Bypass:
https://www.youtube.com/watch?v=zBwrvLrfccM
- Lockpicking Lawyer: Decoded (way too) Fast! New Combination Bike U-Lock:
https://www.youtube.com/watch?v=lsr7cGwpZJg
- Ever wonder about the word "cohort"? Check out the true size and makeup of a Roman Empire Legion!:
https://www.youtube.com/watch?v=eR-J_JSBNTI
- Harri in his Squirrel Aura5 Wingsuit Full Flight - HD:
https://www.youtube.com/watch?v=eGoICKPClPc&feature=youtu.be
- Watch an astounding stop-motion video Everyday Objects in the French "Grands Canons":
https://www.openculture.com/2023/03/watch-a-visual-symphony-of-everyday-objects-in-the-french-stop-motion-film-grands-canons.html
- Engineering the World's Most Complex Office Building:
https://www.youtube.com/watch?v=2woqSzstIZM
- For Da Kids #1 - Husky Has A Very Specific Way To Get Her Parent's Attention:
https://www.youtube.com/watch?v=hJRy-dLjAL0
- For Da Kids #2 - Dog And His Mom Live In The North Pole:
https://www.youtube.com/watch?v=WoIERKWk3R0
- For Da Kids #3 - Pig Opens His Rat Siblings' Cage When He Wants To Play:
https://www.youtube.com/watch?v=rX7_8DlBPnU
- For Da Kids #4 - Golden Who Loves Being An Only Child Gets Surprised With A Sister:
https://youtu.be/4tV4R0oQGl4
- For Da Kids #5 - Rescue Prairie Dog Loves To Go Meet Animal BFFs:
https://www.youtube.com/watch?v=y9amxAOvYaE