CyberheistNews Vol 13 #20 [Foot in the Door] The Q1 2023's Top-Clicked Phishing Scams | INFOGRAPHIC


CyberheistNews Vol 13 #20  |   May 16th, 2023

[Foot in the Door] The Q1 2023's Top-Clicked Phishing Scams | INFOGRAPHIC

Stu Sjouwerman SACP

KnowBe4's latest reports on top-clicked phishing email subjects have been released for Q1 2023. We analyze "in the wild" attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, top attack vector types, and holiday email phishing subjects.

IT and Online Services Emails Drive Dangerous Attack Trend

This last quarter's results reflect the shift to IT and online service notifications such as laptop refresh or account suspension notifications that can affect your end users' daily work.

Cybercriminals are constantly increasing the damage they cause to organizations by luring unsuspecting employees into clicking on malicious links or downloading fake attachments that seem realistic. Emails that are disguised as coming from an internal source, such as the IT department, are especially dangerous because they appear to come from a trusted place that an employee would not necessarily question or be as skeptical of.

Building up your organization's human firewall by fostering a strong security culture is essential to outsmart bad actors. The report covers the following:

  • Common "In-The-Wild" Emails for Q1 2023
  • Top Phishing Email Subjects Globally
  • Top 5 Attack Vector Types
  • Top 10 Holiday Phishing Email Subjects in Q1 2023

This post has a full PDF infographic you can download and share with your users:

[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!

The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.

Join us TOMORROW, Wednesday, May 17, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, May 17, @ 2:00 PM (ET)

Save My Spot!

[Finger on the Trigger] How the FBI Nuked Russian FSB's Snake Data Theft Malware

The Five Eyes member nations' cybersecurity and intelligence agencies dismantled the infrastructure of the Snake cyber-espionage malware that was operated by Russia's Federal Security Service (FSB).

The Snake malware, initially known as "Uroburos," was developed in late 2003, and the first versions of the implant were completed by early 2004. Russian state hackers began using the malware in their attacks shortly after.

The Snake peer-to-peer botnet had infected computers of some NATO member governments. The malware was traced back to a unit within Center 16 of the FSB, which is the infamous Russian Turla hacking group. The botnet was disrupted due to a collaborative effort called Operation MEDUSA.

Attorney General Merrick Garland announced in a press release that the Justice Department, with the help of international partners, has dismantled a global network of malware-infected computers that were being used for cyber-espionage by the Russian government.

This activity had been going on for nearly two decades and targeted both the United States and our NATO allies. Court documents unsealed today in the form of an affidavit and search warrant show that U.S. officials had been tracking the Snake and Snake-related malware tools for almost 20 years.

Additionally, they monitored Russian Turla hackers who used Snake from an FSB facility in Ryazan, Russia. Snake, which is considered the most advanced malware implant used by FSB for long-term cyber espionage, allowed remote installation of malware on compromised devices, stealing sensitive documents and auth credentials, maintaining persistence and hiding malicious activities.

Five Eyes cybersecurity and intel agencies have issued a joint advisory with information to help detect and remove Snake malware from networks.

Article continues describing the self-destruct command and initial access vector:


Here is the CISA technical background, fascinating reading:

Roger Grimes SecurityInfoWatch Article: "Fed takedowns continue to frustrate cybercriminals":

[Free Resource Kit] Password Security Resources

Password threats leave you open to phishing and social engineering attacks, so we created this free resource kit to help you defend against vulnerabilities. Request your kit now for your free resources from KnowBe4 experts Kevin Mitnick, Chief Hacking Officer, and Roger A. Grimes, Data-Driven Defense Evangelist.

Learn about the real risks of weak passwords, why password management is key to building a strong security culture, and our best advice on how to protect your users and your organization.

Here is what you'll get:

  • Three Password Hacking Demo Videos from Kevin Mitnick, KnowBe4's Chief Hacking Officer
  • Access to our free on-demand webinar The Good, the Bad and the Truth About Password Managers featuring Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist
  • Our most popular password whitepaper: What Your Password Policy Should Be
  • A Password Best Practices Guide to share with your users
  • Posters and digital signage to remind users of the importance of good password hygiene

Get Your Free Password Security Resources Now!

Munich Re: '3X Growth Estimated in Cyber Crime Costs Over the Next 4 Years'

As cyber attacks continue to grow in sophistication and frequency, cyber insurers are expecting their market to double in the next two years.

I've spent a lot of time here educating you on attack specifics, industry trends, and the impacts felt by attacks.

I've also talked quite a bit about cyber insurance and the recent trends. But seldom have we been able to combine the two and present the state of cyber attacks from an insurer's perspective.

Ransomware by far the leading cause of cyber insurance losses

Cyber insurer Munich Re recently released its "Cyber insurance: Risks and Trends 2023" report, which provides us with some insight into the state of attacks and the impact on cyber insurance. According to the report, "ransomware was, by far, the leading cause of cyber insurance losses," making it primarily responsible for the projected massive growth in cyber insurance – which is estimated to have been a market size of $11.9 billion in 2022 and projected to reach $33.3 billion by 2027.

"3x growth estimated in cyber crime costs over the next four years"

There's a 3x growth estimated in cyber crime costs over the next four years and a 3x growth in the cyber insurance market in the same timeframe. This means that organizations should expect both a rise in the frequency of attacks in the coming years, as well as an increase in the cost of cyber insurance.

Rises in insurance costs should be a clear indicator that spending budget on prevention methods (that include security awareness training) is far better than putting all your eggs in the cyber insurance basket.

Blog post with links:

Does Your Domain Have an Evil Twin?

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it's a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our Domain Doppelgänger tool makes it easy for you to identify your potential "evil domain twins" and combines the search, discovery, reporting and risk indicators so you can take action now. Better yet, with these results, you can now generate a real-world online assessment test to see what your users are able to recognize as "safe" domains for your organization.

With Domain Doppelgänger, you can:

  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world "domain safety" quiz based on the results for your end users

Domain Doppelgänger helps you find the threat before it is used against you.

Find out now!

[INFOGRAPHIC] 10 Tips for Running a Successful Compliance Training Program

Compliance training is often seen as a chore that organizations just need to get through, but it cannot be ignored. A report from GlobalScape found that organizations lose an average of $4 million in revenue due to just one non-compliance event.

You may have faced roadblocks to implementing a successful compliance training program in the past including low employee engagement and completion, limited resources and obtaining executive support.

KnowBe4's Chief Learning Officer, John Just, focuses on helping our customers overcome challenges with compliance training programs. Based on his years of experience in the learning and training industry, he shares his top 10 tips to run a successful compliance training program.

Apply these tips to your program today and be one step closer to a successful compliance training program!

View and download the Infographic here. No registration required:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: By yours truly: "Add 'prompt' to the long list of injection attacks":

Quotes of the Week  
"It is a narrow mind which cannot look at a subject from various points of view."
- George Eliot, English Novelist (1819 – 1880)

"Look at situations from all angles, and you will become more open."
- Dalai Lama (born 1935)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Number of Ransomware Victim Organizations Nearly Doubles in March

New data shows a resurgence in successful ransomware attacks with organizations in specific industries, countries and revenue bands being the target.

While every organization should always operate under the premise that they may be a ransomware target on any given day, it's always good to see industry trends to paint a picture of where cybercriminals are currently focusing their efforts.

This provides organizations with the ability to enhance security measures today, whether they are currently a target or not, ensuring preparedness for when they eventually become one.

In third-party risk vendor Black Kite's "2023 Ransomware Threat Landscape Report," we see some interesting trends around successful ransomware attacks today:

  • March of this year saw 410 ransomware victim organizations – nearly double that of April of last year, with only 208
  • The U.S. dominated as the primary focus, with 1171 victim organizations representing 43% of the total victims reported, with the UK, Germany, France, Italy, and Spain combined making up around 20% of victim organizations
  • The largest group of victim organizations by revenue resided in the $50-60 million range, with the next two groupings in the $40-50 million and $60-70 million ranges, respectively
  • Manufacturing topped the list of industries, with "Professional, Scientific, and Technical Services" coming in second, representing nearly 35% of all victim organizations

In summary, it appears that cybercriminals are focused on mid-market, U.S.-based organizations that likely have a material amount of intellectual property and/or sensitive data.

This, of course, doesn't mean if you're not in that specific demographic you're off the hook; nothing could be further from the truth. The Black Kite data shows where the focus is today. But there's always a new player looking for a niche victim demographic they can nestle themselves into, making it necessary to shore up all security – including your users' vigilance against phishing and social engineering attacks via Security Awareness Training.

Blog post with links and graphics:

Spain's National Police Take Down a Phishing Gang

A phishing (by email) and smishing (by SMS text) operation in Madrid, Seville and Guadalajara has been taken down by the National Police of Spain. Over 40 arrests have been made on charges of, as the National Police's announcement states, "belonging to a criminal organization, bank scam, documentary falsification, identity theft, and money laundering."

That bag of 40 (alleged) miscreants includes "two hackers, 15 members of a criminal organization, and another 23 people involved in illegal financial operations in Madrid and Seville for alleged bank scams."

Some 300,000 people are believed to have been defrauded of at least €700,000. The gang involved is Los Trinitarios, "the Trinitarians," and while the criminal organization was heavily involved in cybercrime, those crimes were a sideline, intended mainly to fund expenses the gang incurred in its other conventional criminal activity: "purchase of narcotic substances, financing of meetings and parties of the band, purchase of weapons and payment of lawyers or sending money to members in prison to cover their expenses," said the National Police. (They characterized these as "the group's usual expenses").

The gang would use funds stolen by social engineering to purchase cryptocurrency which they'd then convert to fiat currency with the aid of money mules. The typical phishbait was a communication to the victims that they needed to resolve a security issue with their bank account.

While it's interesting that phishing and smishing appeared to fulfill the function of paying the gang's operational costs, it's also worth noting that the techniques the gang used involved no great novelty. As is so often the case, new school security awareness training can help people recognize a phishing attempt in time to spit the hook.

Blog post with links:

What KnowBe4 Customers Say

"Bonjour and thanks for reaching out. Yes, we are currently in production using the phishing module. The deployment was smooth, except for a couple of technical issues where we had all of the support required from your technical team.

Special thanks to Ayla, she is very resourceful and always available when we need critical support and advice. Regarding the training aspect, we have someone reviewing the module and he is planning to deploy this capability in the near future. Thanks again for the follow-up and have a nice summer!"

- L.N., Security Project Manager

The 10 Interesting News Items This Week
  1. FBI takes down Russia's sophisticated 20-year-old malware network known as "Snake":

  2. Microsoft enforces number matching to fight MFA fatigue attacks:

  3. White House challenges hackers to break top AI models at DEF CON 31:

  4. Senator Asks Big Banks How They're Going to Stop AI Cloned Voices From Breaking Into Accounts:

  5. New phishing-as-a-service tool "Greatness" already seen in the wild:

  6. BEC Campaign via Israel Spotted Targeting Large Multinational Companies:

  7. Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison:

  8. Feds seize 13 more DDoS-for-hire platforms in ongoing international crackdown:

  9. Associated Press: "Video does not show Boston Dynamics fighting robot":

  10. [SECURITY] Vint Cerf on 3 TCP/IP Mistakes he made:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
