CyberheistNews Vol 13 #13 [Eye Opener] How to Outsmart Sneaky AI-Based Phishing Attacks

CyberheistNews Vol 13 #13  |   March 28th, 2023

[Eye Opener] How to Outsmart Sneaky AI-Based Phishing Attacks

By Stu Sjouwerman, SACP

Users need to adapt to an evolving threat landscape in which attackers can use AI tools like ChatGPT to craft extremely convincing phishing emails, according to Matthew Tyson at CSO.

"A leader tasked with cybersecurity can get ahead of the game by understanding where we are in the story of machine learning (ML) as a hacking tool," Tyson writes. "At present, the most important area of relevance around AI for cybersecurity is content generation.

"This is where machine learning is making its greatest strides and it dovetails nicely for hackers with vectors such as phishing and malicious chatbots. The capacity to craft compelling, well-formed text is in the hands of anyone with access to ChatGPT, and that's basically anyone with an internet connection."

Tyson quotes Conal Gallagher, CIO and CISO at Flexera, as saying that since attackers can now write grammatically correct phishing emails, users will need to pay attention to the circumstances of the emails.

"Looking for bad grammar and incorrect spelling is a thing of the past — even pre-ChatGPT phishing emails have been getting more sophisticated," Gallagher said. "We must ask: 'Is the email expected? Is the from address legit? Is the email enticing you to click on a link?' Security awareness training still has a place to play here."

Tyson explains that technical defenses have become very effective, so attackers focus on targeting humans to bypass these measures.

"Email and other elements of software infrastructure offer built-in fundamental security that largely guarantees we are not in danger until we ourselves take action," Tyson writes. "This is where we can install a tripwire in our mindsets: we should be hyper aware of what it is we are acting upon when we act upon it.

"Not until an employee sends a reply, runs an attachment, or fills in a form is sensitive information at risk. The first ring of defense in our mentality should be: 'Is the content I'm looking at legit, not just based on its internal aspects, but given the entire context?' The second ring of defense in our mentality then has to be, 'Wait! I'm being asked to do something here.'"

New-school security awareness training with simulated phishing tests enables your employees to recognize increasingly sophisticated phishing attacks and builds a strong security culture.

Remember: Culture eats strategy for breakfast and is always top-down.

Blog post with links:
https://blog.knowbe4.com/identifying-ai-enabled-phishing

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did you know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, April 5, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4145100/57C034348C5523E4F556F1190504FEEC?partnerref=CHN2

Users Clicking on Multiple Mobile Phishing Links Increases 637% in Just Two Years

New data shows that phishing aimed at mobile devices is a growing attack vector – mostly because it is increasingly working, and at an exponential rate.

We all know phishing is the number one attack vector. But we should ask which is more impactful: a phishing attack that hits a corporate desktop email client, or one that hits a mobile device. New data from security vendor Lookout's "The Global State of Mobile Phishing" report shows that mobile phishing is on the rise – and the users falling for the attacks are the cause.

  • 21% of enterprise users experience mobile phishing attacks
  • 36% of U.S. users encounter mobile phishing attacks
  • More than 50% of all mobile devices were exposed to a mobile attack in 2022

Why is mobile so prevalent and why are attacks working?

Let's start by looking at some of the data around users engaging with mobile attacks. According to the report, the percentage of users that engaged with six or more phishing links when using an enterprise device was only 1.6% back in 2020. Last year that number jumped to 11.8% – more than a 6x increase!

When it comes to personal devices, the increase isn't as staggering, but the numbers are still horrible – back in 2020, 14.3% of users clicked on six or more phishing links, with 27.6% doing so in 2022, a 93% increase.

According to the report, remote use of mobile devices is part of the problem, with the greater issue being the use of personal devices (which makes sense, as the user certainly isn't thinking about protecting the organization when on their own mobile phone).

This data makes it clear that security awareness training designed to educate users on the need to be continually vigilant, regardless of the device, is critical to an organization remaining protected against attacks.

Blog post with links:
https://blog.knowbe4.com/users-click-multiple-mobile-phishing-links

[E-Book] Comprehensive Anti-Phishing Guide

Spear phishing emails remain a top attack vector for bad actors, yet most organizations still don't have an effective strategy to stop them.

This enormous security gap leaves you open to business email compromise, session hijacking, ransomware and more. Don't get caught in a phishing net! Learn how to avoid having your end users take the bait.

In this E-Book Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, covers techniques you can implement now to minimize cybersecurity risk due to phishing and social engineering attacks.

He doesn't just cover one angle. He covers it from all angles!

Strategies include:

  • Developing a comprehensive, defense-in-depth plan
  • Technical controls all organizations should consider
  • Gotchas to watch out for with cybersecurity insurance
  • Benefits of implementing new-school security awareness training
  • Best practices for creating and implementing security policies

Get the E-Book now!
https://info.knowbe4.com/comprehensive-anti-phishing-guide-chn

When a USB Flash Drive Is Actually a Bomb

A journalist based in Ecuador recently plugged in a USB flash drive that was actually a bomb.

While the journalist thankfully suffered only minor injuries, other journalists at multiple news outlets were sent the same kind of USB flash drive in an envelope, carrying the same explosive. In a statement, Xavier Chango, the National Head of Forensic Science, said: "It's a military-type explosive, but very small capsules."

Per the Ecuadorian government, these attacks were fueled by attempts to intimidate the media. In a statement, "Any attempt to intimidate journalism and freedom of expression is a loathsome action that should be punished with all the rigor of justice."

Although this is a very extreme case, the main lesson is to NEVER insert a USB drive whose origin you do not know.

Blog post with links:
https://blog.knowbe4.com/when-a-usb-flash-drive-is-actually-a-bomb

Hacking Multifactor Authentication: An IT Pro's Lessons Learned After Testing 150 MFA Products

Multifactor Authentication (MFA) can be a highly effective way to safeguard your organization's data, but that doesn't mean it's unhackable. And nobody knows that better than award-winning author and Data-Driven Defense Evangelist at KnowBe4, Roger A. Grimes. While researching his recent book Hacking Multifactor Authentication, Roger tested over 150 MFA solutions. And he wants to share what he learned with you!

Watch Roger, in this on-demand webinar, as he discusses the good, the bad, and the ugly lessons he learned from his research. He'll share with you what works, what doesn't, and what you should absolutely avoid.

In this webinar you'll learn about:

  • Differences between various MFA tools and why they matter
  • Real-world hacking techniques Roger used to expose MFA weaknesses
  • What makes MFA software weak or strong and what that means to you
  • Tips on choosing the best MFA software for your company
  • Why a strong human firewall is your best last line of defense

Get the details you need to know to become a better IT security defender.

Watch Now!
https://info.knowbe4.com/hacking-150-mfa-products-chn

The Future of Cyber Attacks? Speed, More Speed

By Roger A. Grimes.

I get asked all the time to "predict" the future of cybercrime. What will be the next big cyber attack? What will be the next paradigm platform shift that attackers will target? And so on.

And in general, I am nauseated by the question. Why?

Because there is no future. The future is now. Our biggest future threats are the same threats as we face today: social engineering and unpatched software. It has been that way for the entirety of computers. We do see momentary blips of attack types that are not those things (e.g., DOS boot sector viruses, password guessing, USB autorun malware, misconfigurations, etc.), but social engineering and unpatched software have been the number one and number two ways that devices and networks are compromised and there is nothing on the horizon that looks capable of changing that.

Want to most efficiently stop hackers and malware? Concentrate more aggressively on mitigating social engineering and patch your software (and firmware). That is literally over 90% of the job. It is cybersecurity defenders' inability to focus on that reality and respond correctly that allows hackers and malware to be as successful as they are today.

So, when anyone asks me what I think next year will look like as compared to this year, or what types of attacks I think we need to be worried about because many employees now work from home or use their personal devices – I just want to scream!

There are no new attacks. Your biggest worries are what you should have been worried about for decades. Get on it!

But what is changing is the speed of attacks...

[CONTINUED]
https://blog.knowbe4.com/the-future-of-cyber-attacks-speed


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [Budget Ammo] Why Organizations Need A Data-Driven Cybersecurity Strategy:
https://www.forbes.com/sites/forbestechcouncil/2023/03/21/why-organizations-need-a-data-driven-cybersecurity-strategy/?sh=3b1b797b3550

PPS: KnowBe4 Debuts Season 5 of Netflix-Style Security Awareness Series - 'The Inside Man':
https://blog.knowbe4.com/season-5-the-inside-man-debut

Quotes of the Week  
"Where there is shouting, there is no true knowledge."
- Leonardo da Vinci - Painter, Sculptor, Architect, Musician, Mathematician, Engineer, Inventor, Anatomist, Geologist, Cartographer, Botanist & Writer (1452 - 1519)

"Love all, trust a few, do wrong to none."
- William Shakespeare (1564 - 1616)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-13-eye-opener-how-to-outsmart-sneaky-ai-based-phishing-attacks

Security News

Cyber Insurers Quietly Remove Coverage for Social Engineering and Fraudulent Instruction Claims

As cyber insurers become more experienced in what kinds of claims are being presented, and the threat action details therein, specific types of coverages are no longer being included.

I've written quite a few times about specific cyber insurance claim cases that required going to court to settle. And in most of them, the courts sided with the insurer because the wording in the cyber insurance policy made certain it was covering specific use cases.

According to a recent article in JD Supra, cyber insurers are either eliminating the coverage entirely or "have quietly added policy language that, in essence, makes it incredibly challenging, and in some instances impossible, to secure any actual recovery for the claim."

In addition, they are adding in specific verbiage that any kind of fraud involving change of payment instructions must include that the policyholder "independently verify" the request – that is, use another medium instead of simply taking the word of an email purporting to be someone with authority to make the request in the first place.

What we're seeing isn't greed or bad faith on the part of the cyber insurer; in fact quite the contrary – they aren't in the business of simply handing out checks, so they need to either put in specific requirements or remove/reduce coverages for cases where the risk is just too high because – yep, you guessed it – users come into the equation.

In the end, this is really the problem – even with all the security tech in the world in place, all it takes is a little social engineering and a user that's not paying attention and you have yourself a successful case of fraud, and its subsequent cyber insurance claim.

The answer here isn't to put more emphasis on the cyber insurer; instead the focus should be on preventing such attacks from being successful – accomplished by educating the user with security awareness training designed to teach them about scam tactics and their role in the organization's cyber security stance.

Blog post with links:
https://blog.knowbe4.com/cyber-insurers-remove-social-engineering-coverage

Microsoft Reply Phishing Attacks

A phishing campaign is impersonating Microsoft with emails that alert the recipient of an unusual sign-in to their Microsoft account, according to Jeremy Fuchs at Avanan. The emails inform the user that their account has been logged into from an IP address in Moscow, and encourage the user to click a button to report the suspicious activity.

"By clicking send, the user thinks they are reporting this activity for IT to investigate," Fuchs says. "Instead, the message goes directly to the hacker. This is where social engineering starts. The hacker will reply to the message, asking the end-user for log-in information to safeguard the account.

"That, of course, is the opposite of what will happen." Fuchs explains that the victim will be rushed through the process by the attacker. "By making it very simple for end-users to appear they are engaging with Microsoft, the user will be more likely to give over their information," Fuchs writes. "No one wants there to be someone messing with their account.

"The hacker will play along, before extracting enough information to actually log into their account. That makes this attack potentially challenging for users. In a hurry to ensure that no one actually compromises their account, users will try to resolve this alert quickly. That's exactly what hackers are hoping for."

Fuchs outlines the following best practices to help users avoid falling for these attacks:

  • "Always check sender address before replying to an email
  • "If receiving emails claiming to be Unusual Logins, ask IT before engaging
  • "Always hover over URLs to see if it's a link or a reply-to message."

New-school security awareness training can give your employees a healthy sense of skepticism so they can avoid falling for social engineering attacks.

Avanan has the story:
https://www.avanan.com/blog/the-microsoft-reply-attack
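The third of Fuchs's checks (is that button a link, or a reply?) can be automated at the mail gateway or in a triage script. The detector below is an added example, not Avanan's or KnowBe4's code: it parses a raw message, collects every domain a reply would be routed to (the Reply-To header plus any mailto: links in the body) and flags the message when one of them differs from the From domain. The two sample messages and their example.com/example.net domains are constructed for the demonstration.

```python
"""Flag the 'reply attack' pattern: the visible sender is one domain, but every
reply path (Reply-To header, the mailto: behind a "Report" button) leads
elsewhere.  Added example; sample messages below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Captures the address in href="mailto:user@host?subject=..." links.
MAILTO_RE = re.compile(r'href=["\']?mailto:([^"\'?>\s]+)', re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    _, bare = parseaddr(str(addr))
    return bare.rpartition("@")[2].lower()


def reply_targets(raw_message: str) -> dict:
    """Return the From domain and the sorted domains a reply would go to."""
    msg = message_from_string(raw_message, policy=policy.default)
    targets = set()
    if msg.get("Reply-To"):
        targets.add(_domain(msg["Reply-To"]))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    for mailto in MAILTO_RE.findall(body):
        targets.add(_domain(mailto))
    return {"from": _domain(msg.get("From", "")), "reply_domains": sorted(targets)}


def is_reply_mismatch(raw_message: str) -> bool:
    """True when any reply path leaves the sender's domain.  The comparison is
    exact on purpose: it mirrors what a user sees when hovering the button."""
    info = reply_targets(raw_message)
    return any(d != info["from"] for d in info["reply_domains"])


# Constructed sample: a sign-in alert whose "report" action is a mailto: to a
# third-party mailbox, with Reply-To pointing there as well.
SAMPLE_ALERT = """\
From: Account Team <alerts@service.example.com>
Reply-To: helpdesk@mailbox.example.net
Subject: Unusual sign-in activity
Content-Type: text/html

<p>We detected a sign-in from an unfamiliar location.</p>
<a href="mailto:helpdesk@mailbox.example.net?subject=Report">Report the user</a>
"""

# Constructed sample of a consistent message: replies stay with the sender.
SAMPLE_LEGIT = """\
From: Account Team <alerts@service.example.com>
Subject: Unusual sign-in activity
Content-Type: text/html

<p>Review recent activity in your account settings.</p>
<a href="mailto:security@service.example.com">Contact security</a>
"""

if __name__ == "__main__":
    for name, raw in (("alert", SAMPLE_ALERT), ("legit", SAMPLE_LEGIT)):
        verdict = "MISMATCH" if is_reply_mismatch(raw) else "ok"
        print(name, reply_targets(raw), verdict)
```

A mismatch is a triage signal, not proof: some organizations legitimately route replies through a separate domain, so feed the flag into the "ask IT before engaging" step rather than blocking on it.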

BEC Attacks Nearly Doubled Last Year

Secureworks has published a report looking at cybercrime over the course of 2022, finding that business email compromise (BEC) attacks nearly doubled last year. Additionally, attacks in which phishing was used as the initial access vector (IAV) increased by nearly three times last year.

"The proportion of total Secureworks IR engagements where the threat actor used phishing as the IAV increased significantly from 2021," the researchers write. "This increase is largely due to the total number of observed BEC incidents more than doubling between 2021 and 2022, as phishing was identified as the IAV in 85% of the 2022 BEC incidents. In most cases, the threat actors sent phishing emails to thousands of recipients that sometimes spanned multiple organizations."

Secureworks explains that since BEC attacks rely primarily on social engineering, they require little technical knowledge to carry out and can result in very large payouts.

"As of this publication, BEC poses the largest monetary threat to orgs," the researchers write. "In 2022, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) reported an increase of 65% in identified global exposed losses from BEC attacks between July 2019 and December 2021.

"While the payouts appear to be increasing, the technical aspects of BEC schemes remain relatively simple. News of the potential profits and low barrier to entry likely inspired other groups with little to no technical capabilities to begin conducting BEC attacks."

Mike McLellan, Director of Intelligence at Secureworks, added in a statement, "Business email compromise requires little to no technical skill but can be extremely lucrative. Attackers can simultaneously phish multiple organizations looking for potential victims, without needing to employ advanced skills or operate complicated affiliate models."

New-school security awareness training can teach your employees to follow security best practices so they can thwart targeted social engineering attacks.

Secureworks has the story:
https://www.secureworks.com/resources/rp-irs-learning-from-incident-response-team-2022-year-in-review

What KnowBe4 Customers Say

"Stu, thank you for providing KnowBe4 training to Cybercrime Support Network (CSN) again this year. The training is always excellent and it is a huge help in keeping our staff educated, and aware. The training is comprehensive and concise at the same time, as well as entertaining. I haven't seen anything that even comes close.

As a non-profit with a mission to serve individuals and small businesses impacted by cybercrime, we can be a target ourselves. Your training is a big part of our defense. Thanks again and if there is anything we can do for you please let me know."

-R.B., Chief Executive Officer

The 10 Interesting News Items This Week
  1. Report: Wartime hacktivism is spilling over into the financial services industry:
    https://www.scmagazine.com/analysis/risk-management/report-wartime-hacktivism-is-spilling-over-into-the-financial-services-industry

  2. Defeating Triple Extortion Ransomware: The Potent Combo of Ransomware and DDoS Attacks:
    https://www.akamai.com/blog/security/defeating-triple-extortion-ransomware

  3. WSJ: ChatGPT As A Hacking Tool And Winning A Hackathon:
    https://www.wsj.com/articles/chatgpt-helped-win-a-hackathon-96332de4?

  4. Feds Charge NY Man as BreachForums Boss "Pompompurin":
    https://krebsonsecurity.com/2023/03/feds-charge-ny-man-as-breachforums-boss-pompompurin/#more-63100

  5. ChatGPT Gut Check: Cybersecurity Threats Overhyped or Not?:
    https://www.darkreading.com/attacks-breaches/chatgpt-gut-check-openai-cybersecurity-threat-overhyped

  6. Ransomware 'likely' to target transportation OT systems, warns EU cyber agency:
    https://therecord.media/transportation-ransomware-european-union-enisa-report

  7. Research Highlights Cyber Security's Underestimated Role As a Business and Revenue Enabler:
    https://www.darkreading.com/operations/research-highlights-cyber-security-s-underestimated-role-as-a-business-and-revenue-enabler

  8. SEC proposes new cyber incident reporting rules for financial orgs:
    https://therecord.media/sec-cyber-incident-reporting-rules-finance

  9. Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear:
    https://www.inky.com/en/blog/silicon-valley-bank-phishing-scams-in-high-gear/

  10. Just 1% of Nonprofit Domains Have Basic DMARC Email Security Protections:
    https://www.darkreading.com/attacks-breaches/nonprofit-domains-basic-dmarc-impersonation-protections

  11. [BONUS] Threat actors are experimenting with QR codes. KnowBe4 has QR code phishing templates for you:
    https://www.helpnetsecurity.com/2023/03/21/qr-scan-scams/
