CyberheistNews Vol 13 #14 [Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist

[Eyes on the Prize] How Crafty Cons Attempted a 36 Million Vendor Email Heist

The details in this thwarted VEC attack demonstrate how the use of just a few key details can both establish credibility and indicate the entire thing is a scam.

It's not every day you hear about a purely social engineering-based scam taking place that is looking to run away with tens of millions of dollars. But, according to security researchers at Abnormal Security, cybercriminals are becoming brazen and are taking their shots at very large prizes.

This attack begins with a case of VEC – where a domain is impersonated. In the case of this attack, the impersonated vendor's domain (which had a .com top level domain) was replaced with a matching .cam domain (.cam domains are supposedly used for photography enthusiasts, but there's the now-obvious problem with it looking very much like .com to the cursory glance).

The email attaches a legitimate-looking payoff letter complete with loan details. According to Abnormal Security, nearly every aspect of the request looked legitimate. The telltale signs primarily revolved around the use of the lookalike domain, but there were other grammatical mistakes (that can easily be addressed by using an online grammar service or ChatGPT).

This attack was identified well before it caused any damage, but the social engineering tactics leveraged were nearly enough to make this attack successful. Security solutions will help stop most attacks, but for those that make it past scanners, your users need to play a role in spotting and stopping BEC, VEC and phishing attacks themselves – something taught through security awareness training combined with frequent simulated phishing and other social engineering tests.

Blog post with screenshots and links:
https://blog.knowbe4.com/36-mil-vendor-email-compromise-attack

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, April 5, @ 2:00 PM (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

• NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
• NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
• NEW! AI-Driven phishing and training recommendations for your end users
• Did you know? You can upload your own SCORM training modules into your account for home workers
• Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, April 5, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4145100/57C034348C5523E4F556F1190504FEEC?partnerref=CHN3

Artificial Intelligence Makes Phishing Text More Plausible

Cybersecurity experts continue to warn that advanced chatbots like ChatGPT are making it easier for cybercriminals to craft phishing emails with pristine spelling and grammar, the Guardian reports.

Corey Thomas, CEO of Rapid7, stated, "Every hacker can now use AI that deals with all misspellings and poor grammar. The idea that you can rely on looking for bad grammar or spelling in order to spot a phishing attack is no longer the case. We used to say that you could identify phishing attacks because the emails look a certain way. That no longer works."

The Guardian points to a recent report issued by Europol outlining the potential malicious uses of AI technology.

"In Europol's advisory report the organisation highlighted a similar set of potential problems caused by the rise of AI chatbots including fraud and social engineering, disinformation and cybercrime," the Guardian says. "The systems are also useful for walking would-be criminals through the actual steps required to harm others, it said.

"'The possibility to use the model to provide specific steps by asking contextual questions means it is significantly easier for malicious actors to better understand and subsequently carry out various types of crime.'"

Max Heinemeyer, Chief Product Officer at Darktrace, said that AI technology will be particularly useful for spear phishing emails. "Even if somebody said, 'don't worry about ChatGPT, it's going to be commercialised', well, the genie is out of the bottle," Heinemeyer said.

"What we think is having an immediate impact on the threat landscape is that this type of technology is being used for better and more scalable social engineering: AI allows you to craft very believable 'spear-phishing' emails and other written communication with very little effort, especially compared to what you have to do before."

Heinemeyer added, "I can just crawl your social media and put it to GPT, and it creates a super-believable tailored email. Even if I'm not super knowledgeable of the English language, I can craft something that's indistinguishable from human."

Train your employees keep up with evolving social engineering tactics.

Blog post with screenshots and links:
https://blog.knowbe4.com/ai-makes-phishing-text-more-plausible

A Master Class on IT Security: Roger A. Grimes Teaches Ransomware Mitigation

Cyber-criminals have become thoughtful about ransomware attacks; taking time to maximize your organization's potential damage and their payoff. Protecting your network from this growing threat is more important than ever. And nobody knows this more than Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4.

With 30+ years of experience as a computer security consultant, instructor, and award-winning author, Roger has dedicated his life to making sure you're prepared to defend against quickly-evolving IT security threats like ransomware.

Join Roger for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware.

In this session you'll learn:

• How to detect ransomware programs, even those that are highly stealthy
• Official recommendations from the Cybersecurity & Infrastructure Security Agency (CISA)
• The policies, technical controls, and education you need to stop ransomware in its tracks
• Why good backups (even offline backups) no longer save you from ransomware

You can learn how to identify and stop these attacks before they wreak havoc on your network.

Date/Time: Wednesday, April 12, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/ransomware-mitigation-mc?partnerref=CHN

The Curious Case of the Faux U.N. Human Rights Groups

Olga Lautman reported on a very sophisticated social engineering tactic that completely falsifies Non-Government Organizations (NGOs).

She wrote: "The third sector is a central pillar of European democracy. The voices of third sector representatives (NGOs, foundations, and educational institutions) are considered by government officials when justifying policy positions and determining how resources and political capital are spent.

"Europe's third sector faces a severe crisis of credibility, due to the corruption of NGOs by oligarchic and kleptocratic wealth as well as by networks of illicit or malign finance or influence.

"The NGO Watchlist identifies suspicious NGOs and investigates their funders and links to government influence. The criteria for being watchlisted is having deep involvement with or funding from an individual or entity that has been sanctioned or criminally prosecuted (Russia-invoked sanctions are excluded).

"Additionally, a separate category of watchlisted NGOs includes those with strong links to individuals with criminal allegations leveled by a European, EU, U.S., or UK government authority."

Here is the latest watchlist by The Institute for European Integrity. I suggest you think about adding these URLs to your blocklists manually:
https://www.iei.ngo/ngo-watchlist

[World Premiere] KnowBe4's New Season 5 of Netflix-Style Security Awareness Video Series - "The Inside Man"

We're thrilled to announce the long-awaited fifth season of the award-winning KnowBe4 Original Series - "The Inside Man." This network-quality video training series educates and entertains with episodes that tie security awareness principles to key cybersecurity best practices.

From social engineering, CEO fraud and physical security, to social media threats, phishing and password theft, "The Inside Man" Season 5 teaches your users real-world applications that make learning how to make smarter security decisions engaging and fun.

When We Last Left Our Heroes… Season 5 picks up straight after the emotional finale of Season 4. In Romania a ruthless corporate lawyer is securing a vast Gothic castle for an unknown client.

Meanwhile the Good Shepherd team monitors the infiltration of a "has-been" social media company, "The Village," and the transatlantic security services are forced out of the shadows to make an offer to Mark and his team at Good Shepherd Security that will pit the team against an old adversary and rewrite history.

Watch Trailer Now:
https://info.knowbe4.com/inside-man-chn

[PODCAST] "CyberHeist News. Top Cybersecurity Newsletter."

I was interviewed in a podcast about CyberHeist News. The title is: "Top Cybersecurity Newsletter. Stu Sjouwerman, Editor-in-Chief" Just 11 minutes.

You can listen to it here:
https://soundcloud.com/cybercrimemagazine/cyberheist-news-stu-sjouwerman-knowbe4

Also, recommended reading is this: "The New Face of Fraud: FTC Sheds Light on AI-Enhanced Family Emergency Scams."

This is something you need to warn your loved ones about. It gets scary out there:
https://blog.knowbe4.com/the-new-face-of-fraud-ftc-sheds-light-on-ai-enhanced-family-emergency-scams

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Everything you ever wanted to know about password managers but were afraid to ask:
https://www.fastcompany.com/90871064/everything-you-ever-wanted-to-know-about-password-managers-but-were-afraid-to-ask

PPS: Human Detection and Response: A New Approach to Building a Strong Security Culture:
https://www.darkreading.com/risk/human-detection-and-response-a-new-approach-to-building-a-strong-security-culture

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-14-eyes-on-the-price-how-crafty-cons-attempted-a-36-million-vendor-email-heist

The FBI's Public Service Warning of Business Email Compromise

The U.S. FBI is warning of business email compromise (BEC) attacks designed to steal physical goods. While BEC attacks are typically associated with stealing money, criminals can use the same social engineering tactics to hijack deliveries of valuable materials.

The FBI says fraudsters are particularly interested in stealing construction materials, agricultural supplies, computer technology hardware and solar energy products.

"Criminal actors impersonate the email domains of legitimate U.S.-based companies using spoofed email domain addresses and the display names of current or former company employees, as well as fictitious names to initiate the bulk purchase of goods from vendors across the U.S.," the Bureau says.

"As a result, email messages sent to vendors appear to come from known sources of business. Thus, victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution."

The criminals also take measures to prevent victims from discovering the theft until multiple orders have already been completed. "To further delay the discovery of the fraud, criminal actors apply and are often granted credit repayment terms known as Net-30 and Net-60 terms, providing fake credit references and fraudulent W-9 forms to vendors," the alert says.

"The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment. Victimized vendors ultimately discover the fraud after attempts to collect payment are unsuccessful or after contacting the company they believed had initially placed the purchase order, only to be notified that the source of the emails was fraudulent."

The FBI offers the following recommendations to help thwart these attacks.

• "Directly calling a business's main phone line to confirm the identity and employment status of the email originator, rather than calling numbers provided via email contact
• "Ensuring the email domain address is associated with the business it claims to be from
• "Do not click on any links provided in emails, instead, type in the URL/domain of the source directly"

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for targeted fraud like this.

Blog post with links:
https://blog.knowbe4.com/fbi-warning-business-email-compromise

Elon Musk, Woz, and Top AI Researchers Call For Pause on 'Giant AI Experiments'

Elon Musk, Steve Wozniak, and Andrew Yang are all among those who've signed an open letter urging for a slowdown in the development of AI technology. The letter warns of the danger that they believe advanced AI poses to humanity. The letter calls for the creation of independent regulators to ensure future systems are safe to deploy.

Some critics disagree though. The genie's out of the box. What happens if we throttle down and adversaries don't?

Here is the letter. I signed too:
https://futureoflife.org/open-letter/pause-giant-ai-experiments/