CyberheistNews Vol 13 #14 [Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist



Cyberheist News

CyberheistNews Vol 13 #14  |   April 4th, 2023

[Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist
Stu Sjouwerman, SACP

This thwarted VEC attack shows how just a few key details can both establish credibility and, on closer inspection, give away that the entire thing is a scam.

It's not every day you hear about a purely social engineering-based scam taking place that is looking to run away with tens of millions of dollars. But, according to security researchers at Abnormal Security, cybercriminals are becoming brazen and are taking their shots at very large prizes.

This attack begins with vendor email compromise (VEC), in which a vendor's domain is impersonated. Here the impersonated vendor's real domain (a .com) was replaced with a matching .cam domain (.cam is supposedly intended for photography enthusiasts, but the now-obvious problem is that at a cursory glance it looks very much like .com).

The email attaches a legitimate-looking payoff letter complete with loan details. According to Abnormal Security, nearly every aspect of the request looked legitimate. The main telltale sign was the lookalike domain; beyond that there were only some grammatical mistakes (which an attacker can easily eliminate with an online grammar service or ChatGPT).

This attack was identified well before it caused any damage, but the social engineering tactics leveraged were nearly enough to make this attack successful. Security solutions will help stop most attacks, but for those that make it past scanners, your users need to play a role in spotting and stopping BEC, VEC and phishing attacks themselves – something taught through security awareness training combined with frequent simulated phishing and other social engineering tests.

Blog post with screenshots and links:
https://blog.knowbe4.com/36-mil-vendor-email-compromise-attack

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did you know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, April 5, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4145100/57C034348C5523E4F556F1190504FEEC?partnerref=CHN3

Artificial Intelligence Makes Phishing Text More Plausible

Cybersecurity experts continue to warn that advanced chatbots like ChatGPT are making it easier for cybercriminals to craft phishing emails with pristine spelling and grammar, the Guardian reports.

Corey Thomas, CEO of Rapid7, stated, "Every hacker can now use AI that deals with all misspellings and poor grammar. The idea that you can rely on looking for bad grammar or spelling in order to spot a phishing attack is no longer the case. We used to say that you could identify phishing attacks because the emails look a certain way. That no longer works."

The Guardian points to a recent report issued by Europol outlining the potential malicious uses of AI technology.

"In Europol's advisory report the organisation highlighted a similar set of potential problems caused by the rise of AI chatbots including fraud and social engineering, disinformation and cybercrime," the Guardian says. "The systems are also useful for walking would-be criminals through the actual steps required to harm others, it said.

"'The possibility to use the model to provide specific steps by asking contextual questions means it is significantly easier for malicious actors to better understand and subsequently carry out various types of crime.'"

Max Heinemeyer, Chief Product Officer at Darktrace, said that AI technology will be particularly useful for spear phishing emails. "Even if somebody said, 'don't worry about ChatGPT, it's going to be commercialised', well, the genie is out of the bottle," Heinemeyer said.

"What we think is having an immediate impact on the threat landscape is that this type of technology is being used for better and more scalable social engineering: AI allows you to craft very believable 'spear-phishing' emails and other written communication with very little effort, especially compared to what you have to do before."

Heinemeyer added, "I can just crawl your social media and put it to GPT, and it creates a super-believable tailored email. Even if I'm not super knowledgeable of the English language, I can craft something that's indistinguishable from human."

Train your employees to keep up with evolving social engineering tactics.

Blog post with screenshots and links:
https://blog.knowbe4.com/ai-makes-phishing-text-more-plausible

A Master Class on IT Security: Roger A. Grimes Teaches Ransomware Mitigation

Cyber-criminals have become thoughtful about ransomware attacks, taking time to maximize your organization's potential damage and their payoff. Protecting your network from this growing threat is more important than ever. And nobody knows this better than Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.

With 30+ years of experience as a computer security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you're prepared to defend against quickly-evolving IT security threats like ransomware.

Join Roger for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware.

In this session you'll learn:

  • How to detect ransomware programs, even those that are highly stealthy
  • Official recommendations from the Cybersecurity & Infrastructure Security Agency (CISA)
  • The policies, technical controls, and education you need to stop ransomware in its tracks
  • Why good backups (even offline backups) no longer save you from ransomware

You can learn how to identify and stop these attacks before they wreak havoc on your network.

Date/Time: Wednesday, April 12, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/ransomware-mitigation-mc?partnerref=CHN

The Curious Case of the Faux U.N. Human Rights Groups

Olga Lautman reported on a very sophisticated social engineering tactic that completely falsifies Non-Government Organizations (NGOs).

She wrote: "The third sector is a central pillar of European democracy. The voices of third sector representatives (NGOs, foundations, and educational institutions) are considered by government officials when justifying policy positions and determining how resources and political capital are spent.

"Europe's third sector faces a severe crisis of credibility, due to the corruption of NGOs by oligarchic and kleptocratic wealth as well as by networks of illicit or malign finance or influence.

"The NGO Watchlist identifies suspicious NGOs and investigates their funders and links to government influence. The criteria for being watchlisted is having deep involvement with or funding from an individual or entity that has been sanctioned or criminally prosecuted (Russia-invoked sanctions are excluded).

"Additionally, a separate category of watchlisted NGOs includes those with strong links to individuals with criminal allegations leveled by a European, EU, U.S., or UK government authority."

Here is the latest watchlist by The Institute for European Integrity. I suggest you think about adding these URLs to your blocklists manually:
https://www.iei.ngo/ngo-watchlist

[World Premiere] KnowBe4's New Season 5 of Netflix-Style Security Awareness Video Series - "The Inside Man"

We're thrilled to announce the long-awaited fifth season of the award-winning KnowBe4 Original Series - "The Inside Man." This network-quality video training series educates and entertains with episodes that tie security awareness principles to key cybersecurity best practices.

From social engineering, CEO fraud and physical security, to social media threats, phishing and password theft, "The Inside Man" Season 5 teaches your users real-world applications that make learning how to make smarter security decisions engaging and fun.

When We Last Left Our Heroes… Season 5 picks up straight after the emotional finale of Season 4. In Romania a ruthless corporate lawyer is securing a vast Gothic castle for an unknown client.

Meanwhile the Good Shepherd team monitors the infiltration of a "has-been" social media company, "The Village," and the transatlantic security services are forced out of the shadows to make an offer to Mark and his team at Good Shepherd Security that will pit the team against an old adversary and rewrite history.

Watch Trailer Now:
https://info.knowbe4.com/inside-man-chn

[PODCAST] "CyberHeist News. Top Cybersecurity Newsletter."

I was interviewed in a podcast about CyberHeist News. The title is: "Top Cybersecurity Newsletter. Stu Sjouwerman, Editor-in-Chief." Just 11 minutes.

You can listen to it here:
https://soundcloud.com/cybercrimemagazine/cyberheist-news-stu-sjouwerman-knowbe4

Also, recommended reading is this: "The New Face of Fraud: FTC Sheds Light on AI-Enhanced Family Emergency Scams."

This is something you need to warn your loved ones about. It gets scary out there:
https://blog.knowbe4.com/the-new-face-of-fraud-ftc-sheds-light-on-ai-enhanced-family-emergency-scams


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Everything you ever wanted to know about password managers but were afraid to ask:
https://www.fastcompany.com/90871064/everything-you-ever-wanted-to-know-about-password-managers-but-were-afraid-to-ask

PPS: Human Detection and Response: A New Approach to Building a Strong Security Culture:
https://www.darkreading.com/risk/human-detection-and-response-a-new-approach-to-building-a-strong-security-culture

Quotes of the Week  
"This I believe: That the free, exploring mind of the individual human is the most valuable thing in the world. And this I would fight for: the freedom of the mind to take any direction it wishes, undirected. And this I must fight against: any idea, religion, or government which limits or destroys the individual."
- John Steinbeck - Writer (1902 - 1968)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-14-eyes-on-the-price-how-crafty-cons-attempted-a-36-million-vendor-email-heist

Security News

The FBI's Public Service Warning of Business Email Compromise

The U.S. FBI is warning of business email compromise (BEC) attacks designed to steal physical goods. While BEC attacks are typically associated with stealing money, criminals can use the same social engineering tactics to hijack deliveries of valuable materials.

The FBI says fraudsters are particularly interested in stealing construction materials, agricultural supplies, computer technology hardware and solar energy products.

"Criminal actors impersonate the email domains of legitimate U.S.-based companies using spoofed email domain addresses and the display names of current or former company employees, as well as fictitious names to initiate the bulk purchase of goods from vendors across the U.S.," the Bureau says.

"As a result, email messages sent to vendors appear to come from known sources of business. Thus, victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution."

The criminals also take measures to prevent victims from discovering the theft until multiple orders have already been completed. "To further delay the discovery of the fraud, criminal actors apply and are often granted credit repayment terms known as Net-30 and Net-60 terms, providing fake credit references and fraudulent W-9 forms to vendors," the alert says.

"The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment. Victimized vendors ultimately discover the fraud after attempts to collect payment are unsuccessful or after contacting the company they believed had initially placed the purchase order, only to be notified that the source of the emails was fraudulent."

The FBI offers the following recommendations to help thwart these attacks.

  • "Directly calling a business's main phone line to confirm the identity and employment status of the email originator, rather than calling numbers provided via email contact
  • "Ensuring the email domain address is associated with the business it claims to be from
  • "Do not click on any links provided in emails, instead, type in the URL/domain of the source directly"
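Both the .cam-for-.com lookalike in the vendor email heist story above and the FBI's second recommendation (making sure the sender's domain really belongs to the business it claims to be from) can be turned into an automated check that runs before a message reaches the accounts-payable inbox. The script below is an added example written for this newsletter; it is not code from KnowBe4, Abnormal Security or the FBI. The vendor allow-list, the known contact names and the From: headers are constructed sample data, and the homoglyph table is deliberately small and illustrative. It flags three patterns: a trusted vendor name under a different top-level domain, a confusable-character spelling of a trusted domain, and a familiar display name arriving from an unfamiliar domain (the display-name spoofing the FBI alert describes).

```python
"""Flag lookalike sender domains and display-name impersonation in From: headers.

Added example; the allow-list, known contacts and sample headers are constructed.
"""
from email.utils import parseaddr

# Constructed allow-list: the vendor domains this organisation actually does business with.
TRUSTED_DOMAINS = {"acme-lending.com", "example-supplier.com"}

# Constructed map of display names previously seen from vendors to the domain they should use.
KNOWN_CONTACTS = {"jane doe": "acme-lending.com"}

# Characters commonly swapped for Latin letters in lookalike domains (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and fold confusable characters to their Latin look-alikes."""
    folded = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    # Two-letter confusables cannot go in a translate table, so handle them here.
    return folded.replace("rn", "m").replace("vv", "w")


def classify_domain(domain: str) -> tuple:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", "exact match with the vendor allow-list"
    label, _, tld = domain.rpartition(".")
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label, _, t_tld = trusted.rpartition(".")
        if label == t_label and tld != t_tld:
            # The Abnormal Security case: same name, .cam registered in place of .com.
            return "lookalike", f"same name as {trusted} but top-level domain is .{tld}"
        if norm == normalize(trusted):
            return "lookalike", f"confusable-character spelling of {trusted}"
        if edit_distance(norm, normalize(trusted)) == 1:
            return "lookalike", f"one character edit away from {trusted}"
    return "unknown", "not on the allow-list and not close to any trusted domain"


def check_from_header(from_header: str) -> dict:
    """Parse a From: header and decide whether the message needs out-of-band verification."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    verdict, reason = classify_domain(domain)
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    # A familiar display name on an unfamiliar domain is the display-name spoofing the FBI describes.
    name_mismatch = expected is not None and domain.lower() != expected
    if verdict == "lookalike" or name_mismatch:
        action = "quarantine; confirm with the vendor by phone using a known-good number"
    elif verdict == "unknown":
        action = "deliver with an external/unverified-sender banner"
    else:
        action = "deliver"
    return {"display_name": name, "domain": domain.lower(), "verdict": verdict,
            "reason": reason, "display_name_mismatch": name_mismatch, "action": action}


# Constructed sample headers covering the cases the newsletter describes.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@acme-lending.com>",     # genuine vendor contact
    "Jane Doe <jane.doe@acme-lending.cam>",     # .cam for .com lookalike
    "Jane Doe <jane.doe@mail-relay.example>",   # known name, wrong domain
    "Accounts <ap@acme-1ending.com>",           # digit 1 standing in for the letter l
    "Newsletter <news@unrelated.example>",      # merely unknown, no impersonation signal
]


def run_samples() -> list:
    """Evaluate every sample header and return the verdicts in order."""
    return [check_from_header(h) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    for result in run_samples():
        print(f"{result['domain']:<22} {result['verdict']:<9} "
              f"name-mismatch={result['display_name_mismatch']!s:<5} {result['action']}")
```

The check is intentionally conservative: anything that merely fails to match the allow-list is delivered with a warning banner, while a lookalike domain or a known name on the wrong domain is held for the phone call the FBI recommends, made to a number already on file rather than one taken from the email. In production the allow-list would come from the vendor master file and the homoglyph table from a full confusables list, but the decision logic stays the same.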

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for targeted fraud like this.

Blog post with links:
https://blog.knowbe4.com/fbi-warning-business-email-compromise

Elon Musk, Woz, and Top AI Researchers Call For Pause on 'Giant AI Experiments'

Elon Musk, Steve Wozniak, and Andrew Yang are all among those who've signed an open letter urging for a slowdown in the development of AI technology. The letter warns of the danger that they believe advanced AI poses to humanity. The letter calls for the creation of independent regulators to ensure future systems are safe to deploy.

Some critics disagree though. The genie's out of the box. What happens if we throttle down and adversaries don't?

Here is the letter. I signed too:
https://futureoflife.org/open-letter/pause-giant-ai-experiments/

Younger Employee Oversharing as a Risk to Information Security

Younger employees need to be wary of oversharing company information on social media, according to John Karabin, senior director of cybersecurity at NTT Ltd.

In an article for SmartCompany, Karabin explained that while younger users are typically more acclimated to new technologies, they may also be more distracted by them.

"Education about cybersecurity needs to start early," Karabin says. "With the younger generation now having access to the internet and social media at an early age, they are known for juggling multiple tasks and devices at the same time, which can lead to a lack of focus and attention to detail.

"This results in young adults being more susceptible to phishing scams and other cyber threats that trick the user into providing sensitive information or access to their devices. Therefore, it is even more crucial to raise awareness of threats and vulns they are exposed to and develop a culture of questioning and research."

Likewise, organizations should provide their employees with training so they can stay aware of new types of cyberattacks.

"While the younger employees are aware of the types of cyber attacks like phishing and malware, cyber threat actors are stepping up their criminal activities and looking for unique ways to exploit employees," Karabin writes.

"Cyber threats can now come in all shapes and forms, through emails, text messages and website pop-ups. For younger generations entering the workforce, businesses should implement a cybersecurity training program that shares the common forms of cyber attacks, ways to identify a cyber threat, and cyber security best practices; it will ensure that every member is aware of the potential threats they are exposed to and the severity of a cyberattack.

"Cybersecurity training programs help to cultivate a cyber secure culture and bring awareness to every employee on the importance of remaining vigilant."

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/oversharing-risk-to-information-security

What KnowBe4 Customers Say

"Hi Stu, everything is going well. All of your staff have been incredibly warm, helpful, and knowledgeable. This is the 2nd organization in which I've implemented KnowBe4 and it has been very successful in each environment. Thanks for making a cool product and helping educate people!"

- M.S., Manager Technology Operations


"Stu, So far it has been fabulous. Erika has been a pleasure to work with. The best onboarding experience I have ever had. Also appreciate the book."

- W.K., Compliance and Information Security Officer


"Good afternoon Stu, Thanks for reaching out... Timothy B. and Monika L. have been amazing helping get things moving forward. Everything is rolled out and working well, of course we have had a few headaches, but it's to be expected with any global deployment until you have a handle on the product and how it does things.

"Already worked on a few tickets with the support team and even provided some feature requests that I think would just make management of the platform even better. Glad we were able to switch from [REDACTED] to KB4!!"

- T.A., Cybersecurity Director

The 10 Interesting News Items This Week
  1. 'Vulkan files' leak reveals Putin's global and domestic cyberwarfare tactics:
    https://www.washingtonpost.com/national-security/2023/03/30/russian-cyberwarfare-documents-vulkan-files/

  2. Microsoft Security Copilot harnesses AI to give superpowers to cybersecurity fighters:
    https://www.zdnet.com/article/microsoft-security-copilot-harnesses-ai-to-give-superpowers-to-cybersecurity-fighters/

  3. North Dakota is first state to approve required cybersecurity education:
    https://www-kxnet-com.cdn.ampproject.org/c/s/www.kxnet.com/news/state-news/north-dakota-is-first-state-to-approve-required-cybersecurity-education/amp/

  4. Russia Supplies Iran With Cyber Weapons as Military Cooperation Grows:
    https://www.wsj.com/articles/russia-supplies-iran-with-cyber-weapons-as-military-cooperation-grows-b14b94cd

  5. Cyberattacks on the high seas? Norwegian sailors, researchers sound a warning:
    https://therecord.media/cyberattacks-on-the-high-seas

  6. Emotet malware distributed as fake W-9 tax forms from the IRS:
    https://www.bleepingcomputer.com/news/security/emotet-malware-distributed-as-fake-w-9-tax-forms-from-the-irs/

  7. U.S. military needs 7th branch just for cyber, current and former leaders say:
    https://therecord.media/us-cyber-force-creation-proposed-mcpa

  8. Think ransomware gangs won't thrive this year? Think again, experts say:
    https://www.washingtonpost.com/politics/2023/03/30/think-ransomware-gangs-wont-thrive-this-year-think-again-experts-say/

  9. Another year, another North Korean malware-spreading, crypto-stealing gang:
    https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage

  10. [HUMOR] Xi, Putin declare intent to rule the world of AI, infosec:
    https://www.theregister.com/2023/03/22/russia_china_joint_statement/

  11. [BONUS]: Something fun for a change! The Cybersecurity Toy Store:
    https://www.cisotopia.com/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
