CyberheistNews Vol 13 #29 | July 18th, 2023
[Heads Up] Phishing Attacks Now Use QR Codes to Steal Your User Credentials
Using a new twist to bypass detection from security solutions, cyber attacks are now employing QR codes that your users will not recognize as anything suspicious.
Threat actors need some means of getting a user to engage with malicious content – whether an attachment, link, or phone call, there needs to be some content within an email that provides the victim user with their next step.
Right behind this are the security solutions that scan those attachments, follow the links to their final destination, and so on, in an attempt to give the user and their organization a first layer of defense that stops such attacks before they start.
A new phishing attack method spotted by security researchers at Inky includes the use of a QR code, prompting a victim user to take a picture of the image and navigate to the resulting impersonated login page.
It's insidious for a number of reasons, two of which are obvious immediately:
- I'm not aware of any security solution that can follow a QR code-based URL to determine if the resulting URL is malicious or not.
- It shifts the actual threat action to another device – specifically one that has far fewer protections than a user's endpoint.
But it's also awkward, because who takes a picture of a QR code to log in to their email, etc. instead of just clicking a link? Despite this lack of reasoning as to why this should work, we see that this type of social engineering works anyway, otherwise the cybercriminals wouldn't be using this method.
This kind of attack highlights the fact that your users need to be continually educated through new-school security awareness training that anything out of the ordinary – especially something this wacky just to log onto a website – should be avoided.
Blog post with screenshot and links:
https://blog.knowbe4.com/phishing-attacks-qr-codes
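The detection gap described above (the lure is an image, so a URL-following scanner has nothing to follow) can still be narrowed with a mail-flow triage rule. The following is an added example written for this newsletter, not Inky's or KnowBe4's detector, and all sample messages, sender addresses and the threshold values in it are constructed assumptions: it parses a message with Python's standard `email` package and flags messages whose call to action is carried by an image (an image part, no clickable URL, a short body, and scan/authenticate wording) so they can be routed to a QR decoder or to an analyst instead of passing straight through.

```python
"""Triage rule for QR-code phishing lures (added example; not a vendor's detector).

Logic: a QR lure has an image part, little or no body text, no http(s) URL to
follow, and wording that asks the reader to scan or re-authenticate. Any two of
those signals together with an image part sends the message to review.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Wording commonly used to push the reader toward scanning (assumed list, not exhaustive).
SCAN_WORDS = re.compile(r"\b(scan|qr|authenticat\w*|verify|mfa|2fa|expire\w*)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)
SHORT_BODY_WORDS = 60  # assumed threshold: fewer words than this counts as "short"


def extract_parts(msg: Message):
    """Return (visible text, number of image parts) for a parsed message."""
    text, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        charset = part.get_content_charset() or "utf-8"
        if ctype == "text/plain":
            text.append((part.get_payload(decode=True) or b"").decode(charset, "replace"))
        elif ctype == "text/html":
            html = (part.get_payload(decode=True) or b"").decode(charset, "replace")
            text.append(re.sub(r"<[^>]+>", " ", html))  # crude tag strip, enough for a score
        elif ctype.startswith("image/"):
            images += 1
    return "\n".join(text), images


def qr_phish_score(raw_message: str) -> dict:
    """Score one RFC 822 message; verdict is 'review' or 'pass'."""
    text, images = extract_parts(message_from_string(raw_message))
    words = len(text.split())
    has_url = bool(URL_RE.search(text))
    scan_hits = len(SCAN_WORDS.findall(text))
    reasons = []
    if images and not has_url:
        reasons.append("image present but no clickable URL in body")
    if images and words < SHORT_BODY_WORDS:
        reasons.append("short body relative to image content")
    if scan_hits:
        reasons.append(f"scan/auth wording ({scan_hits} hit(s))")
    verdict = "review" if images and len(reasons) >= 2 else "pass"
    return {"verdict": verdict, "images": images, "words": words,
            "has_url": has_url, "reasons": reasons}


def build_sample(subject: str, body: str, with_image: bool) -> str:
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"      # placeholder address
    m["To"] = "user@example.com"          # placeholder address
    m["Subject"] = subject
    m.set_content(body)
    if with_image:
        # Payload content is irrelevant to the rule; only the image part matters.
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                         maintype="image", subtype="png", filename="code.png")
    return m.as_string()


# Constructed samples: an image-only lure and an ordinary newsletter with a logo.
QR_LURE = build_sample(
    "Password expiry notice",
    "Your mailbox password expires in 24 hours. Scan the QR code below with "
    "your phone camera to re-authenticate and keep your mailbox active.",
    with_image=True)
NEWSLETTER = build_sample(
    "July staff newsletter",
    "Thanks for reading the July edition. This month we cover the new reporting "
    "dashboard and the office move. Full details are on the intranet: "
    "https://intranet.example.com/news/july",
    with_image=True)

if __name__ == "__main__":
    for name, raw in (("lure", QR_LURE), ("newsletter", NEWSLETTER)):
        print(name, qr_phish_score(raw))
```

The rule is deliberately cheap so it can run on every inbound message; the expensive step (actually decoding the image and checking the embedded URL) is only spent on the small set that lands in `review`.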
New Phishing Benchmarks Unlocked: Is Your Organization Ahead of the Curve in 2023?
Cybercriminals continue to rely on proven attack methods while developing new ways to infiltrate digital environments and break through your human defense layer.
But how can you reduce your organization's attack surface? We looked at 12.5 million users across 35,681 organizations to find out.
In this webinar Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, and Joanna Huisman, KnowBe4's Senior Vice President of Strategic Insights and Research, review our 2023 Phishing By Industry Benchmarking Study findings and best practices.
You will learn more about:
- New phishing benchmark data for 19 industries
- Understanding who's at risk and what you can do about it
- How organizations radically lowered their Phish-prone™ Percentage
- Actionable tips to create your "human firewall"
- The value of new-school security awareness training
Do you know how your organization compares to your peers? Watch this webinar to find out and earn CPE credit for attending!
Date/Time: TOMORROW, Wednesday, July 19, @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot!
https://info.knowbe4.com/pib-2023?partnerref=CHN3
Launch of New Meta Thread App Spawns Hundreds of Spoof Domains
Researchers at Veriti have observed hundreds of spoofed domains following Meta's launch of its Threads social media platform.
"In recent weeks, we have observed a surge in the creation of suspicious domains, with over 700 domains related to Threads being registered daily," they write. "These domains pose a significant risk as they can be used to deceive users, distribute malware, and lure unsuspecting individuals into downloading untrusted versions of the app."
Some of the domains are already being used to distribute malicious APKs that pose as the Threads app. Users should always be wary when downloading apps from third-party app stores.
Veriti offers the following advice to help users thwart these attacks:
- "Download from trusted sources: Only download the Threads app from official app stores, such as the Apple App Store or Google Play Store, to ensure you are accessing the genuine version.
- "Be cautious of suspicious links: Avoid clicking on links shared through unverified sources, emails, or unfamiliar websites, as they may lead to malicious websites or downloads.
- "Verify domain authenticity: Pay close attention to the domain name of any Threads-related websites you visit. Be wary of domains that have spelling variations or lookalikes designed to deceive users.
- "Keep software up to date: Regularly update your device's operating system and apps to ensure you have the latest security patches and protections against known vulnerabilities."
"As the popularity of Meta's Threads app continues to rise, attackers are capitalizing on the excitement to carry out malicious activities," the researchers write. "By creating a large number of suspicious domains, they aim to deceive users and distribute malware. It is crucial for users to remain vigilant, download apps only from trusted sources, and be cautious of suspicious links."
Keep training those users. This blog post at the end has a free tool that you can use to find out what "evil twin" doppelganger domain names there are for your own site.
Blog post with links:
https://blog.knowbe4.com/threads-spoof-domains
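The "evil twin" check the blog post points to can be approximated in a few dozen lines. The block below is an added example for this newsletter, not Veriti's research code or KnowBe4's doppelganger tool: given a brand label (here `threads`, from the article) and a list of newly registered domains (constructed sample data, not real registrations), it flags labels that embed the brand, differ from it by a single edit, or match it only after folding digit/letter look-alikes. The homoglyph table, thresholds and allowlist are assumptions chosen for illustration.

```python
"""Lookalike-domain triage for a brand name (added example, not a vendor tool).

Feeds: a brand label and a list of candidate domains (e.g. from a newly
registered domain feed). Output: the domains that look like brand impersonation
and why, so a defender can monitor, report or pre-register them.
"""
import unicodedata
from typing import Optional, List, Tuple

BRAND = "threads"  # brand from the article; everything else here is constructed

# Single-character and digraph look-alikes attackers substitute (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Fold accents and common digit/letter swaps to a plain ASCII comparison form."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for lookalike, plain in HOMOGLYPHS.items():
        s = s.replace(lookalike, plain)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'threads-app' from 'www.threads-app.com'.
    Assumes a single-label public suffix; multi-label suffixes like .co.uk
    would need a public-suffix list, which this example deliberately skips."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brand: str = BRAND, allowlist=frozenset()) -> Optional[str]:
    """Return a reason string when the domain looks like brand impersonation, else None."""
    if domain.lower() in allowlist:
        return None  # the brand's own registrations
    label = registrable_label(domain)
    norm = normalize(label)
    if norm == brand:
        return "brand-tld" if label == brand else "homoglyph"
    if brand in norm:
        return "brand-embedded"
    if levenshtein(norm, brand) <= 1:
        return "typosquat"
    return None


def scan(domains: List[str], brand: str = BRAND, allowlist=frozenset()) -> List[Tuple[str, str]]:
    """Run classify() over a feed and keep only the hits."""
    hits = []
    for d in domains:
        reason = classify(d, brand, allowlist)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed sample feed (not real registration data).
NEW_DOMAINS = [
    "threads.net",                 # the genuine one, allowlisted below
    "threads-app-download.com",    # brand embedded in a longer label
    "thr3ads.com",                 # digit-for-letter homoglyph
    "threads.xyz",                 # exact brand label on another TLD
    "thread.app",                  # one deletion away
    "treads.net",                  # one deletion away
    "breadsonline.com",            # unrelated, should not fire
    "example.org",                 # unrelated, should not fire
]
ALLOWLIST = frozenset({"threads.net"})

if __name__ == "__main__":
    for domain, reason in scan(NEW_DOMAINS, allowlist=ALLOWLIST):
        print(f"{domain:28} {reason}")
```

Tune the edit-distance threshold to the brand length (one edit is already generous for a seven-letter label) and keep the allowlist current, otherwise the brand's own legitimate registrations will show up as "brand-tld" hits every day.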
[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist
Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!
The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.
Join us Wednesday, July 26, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.
With PhishER you can:
- NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
- Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
- Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
- Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
- Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox
Find out how adding PhishER can be a huge time-saver for your Incident Response team!
Date/Time: Wednesday, July 26, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/phisher-demo-july-2023?partnerref=CHN
Phishing Campaigns Are Now Targeting the Hospitality and Tourism Ponds
A phishing campaign is targeting the tourism and hospitality industries, according to researchers at Votiro.
"In this instance, the hacker booked a room at an international hotel and submitted a request for the hotel to get in touch with them immediately via WhatsApp about an urgent issue," the researchers write. "Once the hotel employee engaged the customer over WhatsApp, the hacker responded with their request. The WhatsApp message looked innocent enough (it even had a 'waving woman' emoji in it)."
The message stated, "Hello! I will come to visit you soon and would like to ask for your help. I have run into an allergy problem so I would be very grateful if you could review my list of allergies. The file won't open on the phone because it's in the zip folder.
"I'm on a train and I just can't open the file any other way. Thank you for your concern and willingness to help me. I really appreciate your time and efforts that you put in to make my stay at your place as comfortable as possible. Folder password: 1111."
The message had a malicious ZIP file designed to be opened on a computer. The file would install malware on the victim's machine.
"The malicious actors knew that the weaponized files would not open on an iPhone, and therefore lured their victims to open the weaponized file via WhatsApp Web, which is installed on many office workstations," the researchers write. "Unfortunately, the employee unknowingly clicked on the weaponized file, input the password, and opened it, potentially exposing the entire hotel network to the hacker's nefarious plans.
"Files of this nature can infect the hotel's computer systems and hold the data for ransom, shut down the security systems to enable a break-in, or lock the reservation system to cause revenue-based damage. As such, the risk was enormous."
New-school security awareness training helps your employees make smarter security decisions.
Blog post with links:
https://blog.knowbe4.com/phishing-hospitality-tourism
[Updated Free Tool] How Vulnerable Is Your Network Against Ransomware Attacks?
Bad actors are constantly coming out with new versions of ransomware strains to evade detection. Is your endpoint protection software effective in blocking ransomware when employees fall for social engineering attacks?
KnowBe4's Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing endpoint protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable.
Here's how RanSim works:
- 100% harmless simulation of real ransomware and cryptomining infections
- Does not use any of your own files
- Tests 25 types of infection scenarios
- Just download the installer and run it
- Results in a few minutes!
This is complimentary and will take you five minutes max. RanSim may give you some insights about your endpoint security you never expected!
Get RanSim:
https://info.knowbe4.com/ransomware-simulator-tool-1chn
Two-Thirds of Ransomware Attacks Against Manufacturing Resulted in Encrypted Data
As the rate of ransomware attacks has steadily increased over time, clear indicators have emerged as to how these attacks start and, therefore, what can be done to stop them.
With the exception of the Verizon Data Breach Investigations Report, we rarely get insight into specific industry verticals. So, it's refreshing to see a report focusing on a particular industry that can help provide some insight into the state of attacks and the security measures organizations can take to reduce the risk of becoming a victim.
In Sophos' The State of Ransomware in Manufacturing and Production 2023 report, we find that over half (56%) of manufacturing organizations have experienced a ransomware attack – some successful, some stopped before damage could be done.
The rate of such attacks has increased over time, with only 36% of manufacturing organizations experiencing attacks just two years ago. And, of those succumbing to an attack, 68% saw their data encrypted, and 73% used backups to restore the data.
The most interesting – and insightful – bit of detail from the report is the root causes of the attacks. According to the report, the number one root cause was compromised credentials – something usually accomplished by threat actors through social engineering attacks.
What's more interesting is that if you take four of the six root causes shown – phishing, malicious email, compromised credentials and download – you can conclude that email-based social engineering attacks remain a serious problem for manufacturing.
What's needed is to educate users through security awareness training about the various kinds of email-based attacks that can result in giving up credentials or unwittingly launching malware on their endpoint. If manufacturing can get a grasp on this problem, they'll significantly reduce the number of attempted ransomware attacks.
Blog post with links:
https://blog.knowbe4.com/ransomware-attacks-against-manufacturing
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Going to BlackHat? Visit KnowBe4 at Booth 1820 to learn how to improve your organization's security culture and reduce human risk, plus get a custom hat made on site!
PPS: Tesla tweeted: "First Cybertruck built at Giga Texas!" I ordered mine years ago and want it already!
https://twitter.com/tesla/status/1680121747910148099?s=12&t=vSAPngidkSaQJtTdB6pOmw
- Theodore Roosevelt Jr., 26th President of the USA (1858 – 1919)
- Ella Fitzgerald - Singer (1917 - 1996)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-29-heads-up-phishing-attacks-now-use-qr-codes-to-steal-your-user-credentials
Job Recruitment Scams Rising Due to Social Engineering
Job scams are a rising form of socially engineered cybercrime. And while it's easy to imagine the trouble they cause individuals who innocently fall for them (lost opportunities, identity theft, financial loss, and so on) this form of fraud also affects businesses.
Suppose your employees are looking at the job market. They'll do that, whether they intend to leave or not, and they're especially likely to do so when they're working remotely, from home. Should job browsers be successfully compromised, they place their employer at risk of infection as well.
Security Intelligence explains, "Many job seekers look to sites such as Indeed, LinkedIn, ZipRecruiter, Flexjobs and Craigslist to find employment. Freelancers also look for work on sites like Upwork, Fiverr and Freelancer.com.
However, these platforms have no easy way to identify infiltrators posting fake job listings. Some job seekers might even receive a phishing email with a fake job offer that looks legitimate."
The article notes that companies which participate in the gig economy are particularly vulnerable from that quarter as well.
One of the threat actors making heavy use of job recruitment scams is UNC2970, a North Korean organization. Like other North Korean threat groups, it's state directed and mixes espionage with hacking-for-profit. The profit is also sought on behalf of the state, helping to redress the pariah state's chronic financial shortfalls. In the job recruitment scams, the phish hook is a backdoor that's subsequently used for a range of malicious post-exploitation activities.
Security Intelligence closes with some advice. "Looking for a new job is stressful, and threat groups have made it even more challenging. Now more than ever, it's critical to be aware of these threats. From the individual looking for gainful employment to enterprises assessing their risks, it's time to raise awareness about job recruitment scams."
Blog post with links:
https://blog.knowbe4.com/job-recruitment-scams-rising
Tailgating Through Physical Security Using Social Engineering Tactics
Researchers at Check Point outline various forms of tailgating attacks. These attacks can allow threat actors to bypass physical security measures via social engineering.
"Tailgating is a common form of social engineering attack," the researchers write. "Social engineering attacks use trickery, deception, or coercion to induce someone to take actions that are not in the best interests of themselves or the organization. A tailgating attack can use various methods to provide the attacker with access to the secure area.
"The attacker might trick an employee into thinking that they have legitimate access, follow them through an open door without their knowledge, or use bribery or other coercion to get them to open the door."
Threat actors can use the following methods to carry out tailgating attacks:
- "Lost/Forgotten ID: A tailgater may pretend to be an employee that has lost or forgotten their employee ID at home. They would then ask an employee entering the building to let them in as well, 'just this once.'
- "Delivery Driver: The issue with masquerading as an employee is that the legitimate employee might not let in anyone that they don't recognize. Another common pretext is to pretend to be a delivery driver carrying a load of packages.
- "Hands Full: Whether or not they're pretending to be a delivery driver, a tailgater may deliberately have their hands full when approaching the door to the secure area. People are more likely to hold the door for someone who looks like they are struggling.
- "Open Doors: An employee might prop a door open for some reason. A tailgating attacker can take advantage of this to gain access to the secure area.
- "Copied ID: If an attacker can steal a user's ID or device, they may be able to copy the credentials used to unlock the door to the secure area. This would allow the attacker to masquerade as a legitimate employee and gain access."
New-school security awareness training teaches your users to follow security best practices and avoid falling for social engineering attacks.
Blog post with links:
https://blog.knowbe4.com/tailgating-physical-security-social-engineering
What KnowBe4 Customers Say
"Hello Mr. Sjouwerman, I hope you are doing well. I'm writing this brief email to provide very positive feedback for Audria J. A while back I'd had a training session with her, and the whole experience was stellar. She was incredibly patient as I asked question after question, and her explanations reflected a truly comprehensive and very clear understanding of the platform, common objectives, and great ideas for how we could use the service to make our organization smarter and safer when it comes to training our users and prepping for threats.
She was cheerful and patient and polite and just tremendously helpful overall, truly a credit to your organization. I like to acknowledge when people go above and beyond, and that was certainly the case with Audria. Thanks for your time and good day!"
- S.R. CCNA, Director of Information Technology
"Good morning Stu, I am loving my KnowBe4 experience. Thus far, I could only wish my co-workers took phishing as seriously as they should. Holland F. and Destin C., our support people at KnowBe4, are a joy to work with and have made the total experience as easy and informative as possible.
Thank you for your concern, I look forward to working with your company for years to come. I hope you have a great day!"
- B.N., IT Support Specialist
- Russian state hackers lure Western diplomats with BMW car ads:
https://www.bleepingcomputer.com/news/security/russian-state-hackers-lure-western-diplomats-with-bmw-car-ads/
- OODA loop: "Deep Fakes and National Security":
https://www.oodaloop.com/archive/2023/07/11/deep-fakes-and-national-security/
- "RomCom" hackers target NATO Summit attendees in phishing attacks:
https://www.bleepingcomputer.com/news/security/romcom-hackers-target-nato-summit-attendees-in-phishing-attacks/
- Banking Firms Under Attack by Sophisticated 'Toitoin' Phishing Campaign:
https://www.darkreading.com/remote-workforce/banking-firms-attack-toitoin-cyber-campaign
- U.S. Govt offers $10 Million Bounty on Info About Cl0p Ransomware Gang:
https://cybersecuritynews.com/clop-ransomware-gang-bounty/
- Microsoft blocks attack on State Department email accounts by Chinese APT group:
https://www.scmagazine.com/news/cloud-security/microsoft-blocks-attack-on-cloud-email-accounts-by-chinese-apt-group
- British prosecutors say teen Lapsus$ member was behind hacks on Uber, Rockstar:
https://therecord.media/british-prosecutors-accuse-teen-lapsus-member-of-uber-revolut-rockstar-hacks
- USB drive malware attacks spiking again in first half of 2023:
https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/
- New White House cyber implementation plan looks to ramp up resilience:
https://www.nextgov.com/cybersecurity/2023/07/new-white-house-cyber-implementation-plan-looks-ramp-resilience/388450/
- A Whopping total of $30 billion(!) lost in blockchain hacks; security concerns rise:
https://ambcrypto.com/30-billion-lost-in-blockchain-hacks-security-concerns-rise/
- Your Virtual Vaca to Breathtaking landscapes in 12K(!) HDR 60FPS Dolby Vision. WHOA!:
https://www.youtube.com/watch?v=IKC_62RYzVo
- Prepare for an adrenaline-pumping ride with People Are Awesome's curated collection of the top 50 videos from the first half of 2023:
https://www.flixxy.com/people-are-awesome-top-50-of-the-year-so-far.htm?utm_source=4
- Kelsey Cook hustles drunk dudes on the Vegas Strip. Classic Social engineering!:
https://www.instagram.com/reel/CsjRHjsA-fr/?igshid=YTUzYTFiZDMwYg==
- Oppenheimer Movie - Pushing The Button Featurette. Worth seven minutes of your time:
https://www.youtube.com/watch?v=Y9EiLF7l8ug
- Super nice Sydney 2023 Drone Show "Written in the Stars". Lovely new art form:
https://www.youtube.com/watch?v=tjt4vBog9QU
- New Lancia Concept has Interior of the Future:
https://youtu.be/jau4iv51WUY
- I thought this rotating house was impossible, especially the plumbing. Super engineering!:
https://www.youtube.com/watch?v=gisdyTBMNyQ
- The Ultimate Zombie Apocalypse Cybertruck! I want one:
https://www.youtube.com/watch?v=S7PUJKE1t_Y
- Boarding the Biggest Cruise Ship in the World (Icon of the Seas):
https://www.youtube.com/watch?v=3vfxbnV3KFM
- LockpickingLawyer destroys a "Paracentric Keyway" Padlock That Doesn't Matter:
https://youtu.be/Kx0U2rNKnUo
- Early Release: 82nd Airborne Chorus performs "My Girl" by The Temptations:
https://www.youtube.com/watch?v=FRqXKRvEszI
- Hilarious Meticulous Cats. Prepare to be entertained as we unveil the hidden world of meticulous cats:
https://www.flixxy.com/hilarious-meticulous-cats.htm?utm_source=4
- A Wingsuit Flight from Monte Castelnovo in Italy:
https://www.youtube.com/watch?v=8dBiBhSOX34
- For Da Kids #1 - Little Girl And Her Golden Retriever Big Brother Have The Sweetest Relationship:
https://www.youtube.com/watch?v=585jdTwdZrw
- For Da Kids #2 - Shy Rescue Donkey Turns Into A MONSTER!:
https://www.youtube.com/watch?v=Penl7BpYg4w
- For Da Kids #3 - Goofy dog is unintentionally hilarious:
https://www.youtube.com/watch?v=C2FjqwOzwuQ
- For Da Kids #4 - Swan Family Has Been Visiting This Man For 6 Years To Show Their Babies:
https://youtu.be/8Fqw0APy-Kg
- For Da Kids #5 - Woman Saves Dumped Pet Bunny From The Train Tracks:
https://youtu.be/3ZejVtwl_eI