CyberheistNews Vol 13 #23 [Wake-Up Call] It's Time to Focus More on Preventing Spear Phishing

Cyberheist News

CyberheistNews Vol 13 #23  |   June 6th, 2023

[Wake-Up Call] It's Time to Focus More on Preventing Spear Phishing
Stu Sjouwerman SACP

Fighting spear phishing attacks is the single best thing you can do to prevent breaches. Social engineering is involved in 70% to 90% of successful compromises. It is the number one way that hackers and malware compromise devices and networks. No other initial root cause comes close (unpatched software and firmware is a distant second, being involved in about 33% of attacks).

A new, HUGE, very important fact has been gleaned by Barracuda Networks, and it should change the way EVERYONE does security awareness training. Everyone needs to know about this fact and react accordingly.

This is that fact: "...spear phishing attacks that use personalized messages... make up only 0.1% of all email-based attacks according to Barracuda's data but are responsible for 66% of all breaches."

Let that sink in for a moment.

What exactly is spear phishing? Spear phishing is when a social engineering attacker uses personal or confidential information they have learned about a potential victim or organization in order to more readily fool the victim into performing a harmful action. Within that definition, spear phishing can be accomplished in thousands of different ways, ranging from basic attacks to more advanced, longer-range attacks.

[CONTINUED] at KnowBe4 blog:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, June 7, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Executive Reports - Can create, tailor and deliver advanced executive-level reports
  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • Did you know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 60,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, June 7, @ 2:00 PM (ET)

Save My Spot!

[Mastering Minds] China's Cognitive Warfare Ambitions Are Social Engineering at Scale

As the world continues to evolve, so does the nature of warfare. China's People's Liberation Army (PLA) is increasingly focused on "Cognitive Warfare," a term referring to artificial intelligence (AI)-enabled military systems and operational concepts. The PLA's exploration into this new domain of warfare could potentially change the dynamics of global conflict.

The PLA's interest in "cognitive warfare" is particularly intriguing. Cognitive warfare refers to operations that leverage techniques and technologies such as AI to influence the minds of adversaries, shape their decisions, and create a strategically favorable environment. This approach could potentially allow China to achieve victory without resorting to conventional weapons. We're talking social engineering at a potentially massive scale.

The PLA's exploration into cognitive warfare is part of China's broader commitment to AI and other cutting-edge technologies, as emphasized by President Xi Jinping. China aims to become the world's leading AI power by 2030, and it is integrating AI into three common areas: information processing, unmanned weapons and decision-making.

However, China is taking it a step further by exploring the use of AI in cognitive warfare. This involves influencing the thinking of decision-makers, military commanders, and the general public in rival countries. For instance, Beijing could use social media and other means to spread disinformation, manipulate public opinion and discredit U.S. efforts to support Taiwan.

To achieve this, China would need to develop the necessary cyber, psychological and social engineering capabilities. It would also need to amass a great deal of detailed personal information. There are concerns that China has already collected a massive amount of data on government officials and ordinary U.S. citizens, which could be used to influence perceptions.

The PLA is also focusing on using AI to influence the state of mind of its own troops. They are working on wearable technology and a "psychological support system" to better prepare soldiers for real combat situations. This includes smart sensor bracelets that can record facial information and judge psychological states in real time.

Whether or not China's "AI-driven warfare" succeeds, it is crucial to pay attention to social engineering at massive scale, as it has become increasingly feasible thanks to recent breakneck advances.

Blog post with links:

A Master Class on Cybersecurity: Roger A. Grimes Teaches Password Best Practices

What really makes a "strong" password? And why are you and your end-users continually tortured by them? How do hackers crack your passwords with ease? And what can/should you do to improve your organization's authentication methods?

Password complexity, length, and rotation requirements are the bane of IT departments' existence and are literally the cause of thousands of data breaches. But it doesn't have to be that way!

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this thought-provoking webinar where he'll share the most common risks associated with passwords and how to develop password policies that work.

You'll learn:

  • What you need to know about password length and complexity
  • How password attacks work and which ones you should be most worried about
  • What your password policy should be and why
  • Why your organization should be using a password manager

Start improving your password defenses now!

Date/Time: Wednesday, June 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

AI Voice-Based Scams Rise as One-Third of Victims Can't Tell if the Voice is Real or Not

As audio deepfake technology continues to go mainstream as part of the evolution in AI-based tools, new data shows there are plenty of victims and they aren't prepared for such an attack.

Imagine you get a call from your child or grandchild telling you they're in some kind of trouble, an accident, etc. and need money. And it really does sound like them. Would you help?

Scammers who are making use of AI to synthesize sound-alike voices as part of vishing scam calls are hoping you will. And according to the new "Beware the Artificial Impostor" report from McAfee, recipients of such calls are falling victim.

Globally, 25% of respondents said either they personally have experienced a sound-alike AI voice-based scam call or knew someone personally who has. With online services like those of ElevenLabs, which will offer Instant Voice Cloning to generate a synthesized voice from 30 minutes of audio samples, it's only a matter of time before threat actors start to leverage AI voice-based scams even more.

According to McAfee, nearly half (48%) of people would help if they received a call about a car accident, 47% for a call about being a theft victim, 43% for lost wallet, and 41% for needing help on a vacation.

The worst part of this is 35% of people couldn't tell if the voice was real or not, with another 35% having no idea whether they'd be able to tell. This means the only real context for determining if a call is a scam or not rests in the fact that the call itself is unexpected.

The application for this type of scam in the business world ranges anywhere from CEO gift card scams, to digital fraud and more – all requiring that users within the organization be continually enrolled in security awareness training so that they are ready and vigilant even when the voice on the other end of the phone sounds familiar.

Blog post with links:

[Free Phish Alert Button] Give Your Employees a Safe Way to Report Phishing Attacks with One Click!

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

KnowBe4's Phish Alert add-in button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! And now, it supports Outlook Mobile!

Phish Alert Button Benefits:

  • Reinforces your organization's security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of "sensors"
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)

Get the no-charge Phish Alert Button now:

Be a Certified Security Awareness and Culture Professional (SACP)™

All, I thought it was necessary to have an independent, vendor-neutral certification so we would have a real Certified Security Awareness and Culture Professional (SACP)™. I funded the effort after finding the great team at H Layer Credentialing. This is not something we make money on. This was meant for the community. Here is a short description and a link:

Your organization's cyber threat landscape is changing lightning fast. So, your security awareness skills need to stay razor sharp, and are increasingly viewed as critical to protect your organization from human error.

You can now be a leader in the security awareness and culture profession. Earn H Layer's Security Awareness and Culture Professional (SACP)™ credential and demonstrate your competency to design and lead security awareness programs that build a sustained security-awareness culture.

Your Security Awareness and Culture Professional (SACP)™ credential is the only independent, vendor-neutral certification designed specifically for the newest in-demand job roles in security awareness.

Learn more about the SACP Exam. Check out the requirements. Don't wait. Apply today and become one of the first 1,000 professionals to earn your SACP Cert.

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] Hacking Humans: How Social Engineering Works:

Quotes of the Week  
"I never lose. I either win or learn."
- Nelson Mandela (1918 - 2013)

"An investment in knowledge pays the best interest."
- Benjamin Franklin (1706 - 1790)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

'Magic Link' Phishing Attacks Scamming Users With Fake McAfee Renewals

Threat actors are using encoded phishing links to evade security filters, according to Jeremy Fuchs at Avanan. The phishing emails purport to be notifications from McAfee informing the user that they need to renew their subscription.

"This is a fairly standard McAfee subscription scam," Fuchs says. "We see these all the time and they've been floating around the Internet for some time. But that's not what makes this attack unique. What makes it unique is what's hiding under the Renew Membership button. It's linked to the following IP address: 0xd.0125.0x50.0236."

This address is written with hexadecimal (0x-prefixed) and octal (leading-zero) octets instead of plain decimal; the browser decodes it into an ordinary dotted-decimal address when the link is clicked, taking the user to a phishing page.

"What's happening is that attackers are hiding the intent of the target page," Fuchs writes. "Because URL filters are unable to determine the intent of an obfuscated page, the malicious email can reach the inbox. The idea is to blind anti-phishing scanners so that they can't see the danger. This allows the end goal, in this case, malicious sites, to more easily make the inbox. And since users can't see the obfuscation, they are more likely to click."
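The obfuscation described above relies on the legacy IPv4 spellings that browsers and `inet_aton()` still accept: hexadecimal or octal parts, and fewer than four parts with the last one filling the remaining bytes. The defensive counterpart is to normalize every link host to dotted-decimal before a filter or triage rule looks at it. The following is an added Python example written for this article, not code from Avanan, KnowBe4 or any product they mention; the function names, the HTML scanner and the sample mail body are all constructed for illustration, and the only value taken from the article is the hex/octal address quoted by Fuchs, which decodes to 13.85.80.158.

```python
import re
from ipaddress import IPv4Address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The three numeric spellings browsers and BSD inet_aton() understand for one
# dotted component: hex (0x..), octal (leading 0) and decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(part: str) -> int:
    """Convert one dotted component; the base is chosen from its prefix."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an IPv4 host written in any legacy
    shorthand (hex/octal/decimal parts, 1 to 4 parts, last part covering the
    remaining low-order bytes), or None if the string is not an IPv4 literal
    at all (for example a normal DNS name or an out-of-range part)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    *head, last = [_part_value(p) for p in parts]
    # Every leading part is exactly one byte; the final part fills the rest.
    if any(v > 255 for v in head):
        return None
    tail_bytes = 4 - len(head)
    if last >= 1 << (8 * tail_bytes):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * tail_bytes)) | last
    return str(IPv4Address(number))


_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_ip_links(html: str) -> List[Tuple[str, str, bool]]:
    """Scan an HTML mail body for links whose host is an IP literal.
    Returns (raw_url, canonical_ip, was_obfuscated) per hit, so a filter can
    alert on the decoded address rather than on the raw text."""
    hits = []
    for match in _HREF.finditer(html):
        url = match.group(1)
        host = urlsplit(url).hostname
        if not host:
            continue
        ip = canonical_ipv4(host)
        if ip is not None:
            hits.append((url, ip, host != ip))
    return hits


# Constructed sample mail body (not a real message): one ordinary link, one
# link using the hex/octal address quoted in the article, one plain-IP link.
SAMPLE_EMAIL = """
<p>Your McAfee subscription has expired.</p>
<a href="https://example.com/account">Account page</a>
<a href="http://0xd.0125.0x50.0236/renew">Renew Membership</a>
<a href="http://13.85.80.158/renew">Renew now</a>
"""

if __name__ == "__main__":
    for url, ip, obfuscated in find_ip_links(SAMPLE_EMAIL):
        flag = "OBFUSCATED" if obfuscated else "plain"
        print(f"{flag:10} {ip:15} <- {url}")
```

Run as a script, it reports the two IP-hosted links and marks the hex/octal one as obfuscated. The `was_obfuscated` flag is worth keeping as its own signal: a link whose host is an IP literal is already unusual in a vendor notification, and one whose host had to be decoded before it looked like an IP at all is rarer still.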

Despite the clever use of an obfuscated link, a trained user would be able to recognize the scam before clicking on the link.

"This email is probably not the hackers' strongest offering–the McAfee renewal scam has been around forever," Fuchs says. "The sender address isn't legitimate. The reply-to address is different from the sender address. The link—both the seen version and the magic version—aren't typical links, they are just IP addresses. So there are many things that would tip off an eagle-eyed end-user."

New-school security awareness training can teach your employees how to recognize social engineering attacks, even with obfuscated IP addresses.

Blog post with links:

Tricks of the Trade: How a Cybercrime Ring Operated a Multi‑Level Fraud Scheme

Researchers at ESET offer a useful summary of the techniques used by a Nigerian organized crime group to launch scams. The crooks used both untargeted and spear phishing emails to hack into thousands of email accounts.

"Generally, the most common variety of phishing involves sending out emails that pose as official messages that have a sense of urgency and come from reputable institutions such as banks, email providers, and employers," ESET says.

"Using false pretenses and evoking a sense of urgency, these communications attempt to dupe users into handing over their money, login credentials, credit card information, or other valuable data."

The scammers also launched brute-force attacks to gain access to accounts with simple passwords. "Another technique to break into one's account is simply overcoming a weak password – think a password that is either too short or made up of too simple a set of characters and scammers can easily crack it with the help of automated tools, i.e. 'brute-force' it," the researchers write.

"For example, if your password is eight characters long and consists only of lower-case characters, an automated tool can guess it in a couple of seconds. A password that is complex but is made up of only six characters can be cracked just as quickly."

After gaining access to corporate email accounts, the attackers would use the accounts to launch business email compromise attacks via spear phishing emails. "While regular phishing attacks involve casting the net wide and target unknown victims, spear phishing takes aim at a specific person or group of people," ESET says.

"Bad actors study every piece of information available about a targeted person online and tailor their emails accordingly. This obviously makes such emails harder to recognize, but there are some obvious giveaways. For example, these messages often come out of the blue, evoke a sense of urgency or use other pressure tactics, and contain attachments or (shortened) URLs leading to dubious sites."

New-school security awareness training enables your employees to thwart these types of social engineering attacks.

ESET has the story:

What KnowBe4 Customers Say

"Hi Stu, Thank you for reaching out. We are very pleased with the training and phishing service we are receiving from KnowBe4. It's given us insight into our users that we wouldn't have had otherwise. Thank you for making it a great product!"

- S.J. IT Manager, North America

"I have recently been dealing with Armin while scoping and obtaining cyber training programs and testing for us. Armin took me through the KnowBe4 training packages and helped get a contract sorted out between KnowBe4 and us.

I just wanted to let you know that Armin was always the consummate pro and was extremely patient with me given ICT is not my area of expertise. While we had a couple of issues to deal with, Armin was persistent and patient and always kept me up to date, and followed up when he said he would.

I appreciate everything Armin did to get the contract across the line. Armin portrayed KnowBe4 in a very professional light and looks to be a real asset to your team. Thought I would just acknowledge great work when I see it."

- D.G., Director Corporate Services

The 10 Interesting News Items This Week

  1. New Russian-Linked Malware Poses 'Immediate Threat' to Energy Grids:
  2. Deepfaking it: America's 2024 election collides with AI boom:
  3. [NSFW] AI Deepfakes of True-Crime Victims Are a Waking Nightmare:
  4. Phishing ring behind latest fake fee scam targeting UAE:
  5. Cyber insurance more popular than ever despite rising costs, ransomware threat:
  6. Dark Pink hackers continue to spear-phish govt and military orgs:
  7. The FBI's cyber Most Wanted black hat says new designation won't affect his work:
  8. Japan Goes All In: Copyright Doesn't Apply To AI Training:
  9. Russia accuses U.S. of hacking thousands of Apple devices to spy on diplomats:
  10. WIRED: "Molly White Tracks Crypto Scams, recently it ticked over $12 Billion.":

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4
