CyberheistNews Vol 13 #30 | July 25th, 2023
[IN MEMORIAM] Kevin David Mitnick (Aug 6, 1963 - July 16, 2023)
The only constant is change. That is true for physics, for organizations, and for us humans. People join and leave teams, and of course also join and leave life. But it's always a shock when someone falls away too early.
As some of you knew, Kevin had been battling stage 4 pancreatic cancer for over a year now. So, this doesn't come as a complete surprise, but we kept this mostly confidential at his request.
Kevin was never one to shy away from major problems, and he treated his cancer diagnosis the same. He fought like hell, approached it like "Hacking Cancer" and survived much longer than initially expected. It was that same fighting spirit and extreme persistence that really defined the man that Kevin was from the beginning.
He became a dear friend of mine (and to many here) and was instrumental to the growth of KnowBe4.
He was referred to as "the world's most famous hacker," but he was REALLY the most famous "social engineer" of our time. Kevin inspired KnowBe4's training curriculum from the moment he agreed to be our "Chief Hacking Officer" and was critical in elevating KnowBe4's brand awareness in the industry.
His extensive experience with social engineering is forever woven into KnowBe4's DNA.
Rest in peace, Kev, we will always love and miss you.
Stu
Blog post with a link to his obituary:
https://blog.knowbe4.com/kevin-david-mitnick-aug-6-1963-july-16-2023
Here we are doing an interview and demo at the NYSE, fast forward to about 4:30 (ends at about 8:56) and Kevin tells a favorite story:
https://www.youtube.com/watch?v=iFGve5MUUnE
[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist
Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!
The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.
Join us TOMORROW, Wednesday, July 26, @ 2:00 PM (ET) for a 30-minute live demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:
- NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
- Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
- Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
- Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
- Easily integrate with KnowBe4's email add-in, the Phish Alert Button, or forward to a mailbox
Find out how adding PhishER can be a huge time-saver for your Incident Response team!
Date/Time: TOMORROW, Wednesday, July 26, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/phisher-demo-july-2023?partnerref=CHN2
[HEADS UP] See WormGPT, the New 'Ethics-Free' Cyber Crime Attack Tool
A new generative AI model called "WormGPT" is being offered on cybercrime forums, according to researchers at SlashNext. While other AI tools, such as ChatGPT, have safeguards in place that attempt to curb malicious use, WormGPT is specifically designed to generate malicious output to support malware development and social engineering attacks.
"We conducted tests focusing on BEC attacks to comprehensively assess the potential dangers associated with WormGPT," the researchers write. "In one experiment, we instructed WormGPT to generate an email intended to pressure an unsuspecting account manager into paying a fraudulent invoice.
"The results were unsettling. WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks. In summary, it's similar to ChatGPT but has no ethical boundaries or limitations. This experiment underscores the significant threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals."
WormGPT offers the following benefits for criminals conducting phishing attacks:
- Exceptional Grammar: Generative AI can create emails with impeccable grammar, making them seem legitimate and reducing the likelihood of being flagged as suspicious.
- Lowered Entry Threshold: The use of generative AI enables the execution of sophisticated BEC attacks. Even attackers with limited skills can use this technology, making it an accessible tool for a broader spectrum of cybercriminals.
Organizations should use a combination of technical defenses and employee training to defend themselves against these attacks. "Companies should develop extensive, regularly updated training programs aimed at countering BEC attacks, especially those enhanced by AI," SlashNext says.
"Such programs should educate employees on the nature of BEC threats, how AI is used to augment them, and the tactics employed by attackers. This training should also be incorporated as a continuous aspect of employee professional development."
New-school security awareness training enables your employees to make smarter security decisions.
Blog post with links and an example:
blog.knowbe4.com/wormgpt-an-ethics-free-cyber-crime-text-generator
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, August 2, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at FOUR NEW FEATURES and see how easy it is to train and phish your users.
- NEW! June 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- NEW! Executive Reports - Create, tailor and deliver advanced executive-level reports
- NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
- NEW! Use PasswordIQ to find which users are sharing passwords and which ones have weak passwords
- See the fully automated user provisioning and onboarding
Find out how 60,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: Wednesday, August 2, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/kmsat-demo-august-2023?partnerref=CHN
Threat Actors Add '.Zip' Domains to Phishbait
Cybercriminals are exploiting the introduction of ".ZIP" as a new generic Top-Level Domain (gTLD) to launch phishing attacks, according to researchers at Fortinet.
"Cybercriminals are always on the lookout for new opportunities and techniques to exploit, and the recent availability of '.ZIP' domains for public purchase has unfortunately created such an opportunity," the researchers write. "While the pool of new gTLDs has made phishing detection more difficult, adding .ZIP is especially noteworthy given its more common use as a file extension for compressed files."
This new domain extension will likely create confusion, especially among non-technical users, giving phishers a new and potentially effective tool to add to their attack arsenals. In phishing campaigns, a common tactic is to make malicious websites appear as legitimate as possible.
"Using a .ZIP domain can add an air of authenticity to a fraudulent site. A user may mistake the .ZIP in the URL for a file extension, believing they are downloading a file rather than visiting a malicious website." The researchers outline the following tactics to help defend against these attacks:
[CONTINUED] at the KnowBe4 blog with links:
https://blog.knowbe4.com/dot-zip-domains-phishbait
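The confusion the article describes is mechanical: a browser connects to whatever sits in the host position of a URL, so a bare "report.zip" in an email can be auto-linked to https://report.zip, while a genuine download such as https://example.com/files/report.zip keeps example.com as its host. The Python below, added here as an example and not code from Fortinet or KnowBe4, pulls URL-like tokens out of message text and flags the ones whose effective hostname ends in .zip (or .mov). It goes one step beyond the article: the third sample link uses lookalike slashes in the authority part so that the real host is whatever follows the "@" sign, which is an assumption about how such links can be built, not something the article describes. Every hostname in the sample is constructed.

```python
"""Flag links whose top-level domain is also a file extension (.zip, .mov).

Added example, not Fortinet's or KnowBe4's code. The message text and every
hostname in it are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Delegated gTLDs that double as common file extensions. .zip is the one the
# article covers; .mov is included as another of the same kind.
EXTENSION_TLDS = {"zip", "mov"}

TOKEN_RE = re.compile(
    r"(?i)"
    r"https?://[^\s<>\"']+"                              # an explicit URL
    r"|(?<![\w/.@-])[a-z0-9][a-z0-9.-]*\.(?:zip|mov)\b"  # a bare "name.zip" token
)


def browser_host(token: str) -> str:
    """Hostname a browser would actually connect to for this token.

    A bare "report.zip" is treated as https://report.zip, which is what a mail
    client's auto-linking does. urlsplit discards userinfo, so anything before
    an '@' in the authority part is ignored, exactly as a browser does.
    """
    if "://" not in token:
        token = "https://" + token
    return (urlsplit(token).hostname or "").lower()


def is_extension_tld(host: str) -> bool:
    return "." in host and host.rsplit(".", 1)[1] in EXTENSION_TLDS


def find_suspect_links(text: str) -> list:
    """Return [{'token', 'host', 'kind'}] for each link whose host ends in an
    extension-like TLD. A real download such as https://example.com/a.zip is
    not flagged: its host is example.com."""
    findings = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0).rstrip(".,;:)")
        host = browser_host(token)
        if is_extension_tld(host):
            kind = "explicit-url" if "://" in token else "bare-token"
            findings.append({"token": token, "host": host, "kind": kind})
    return findings


# Constructed sample message. The third link uses U+2215 (division slash)
# lookalikes, so the whole apparent path sits in the authority part and the
# real host is what follows the '@'. That construction is an assumption of
# this example; the article does not describe it.
SAMPLE = (
    "The quarterly archive is at https://files.example.com/reports/q2.zip\n"
    "Grab the patch from https://update.zip/latest and the build from\n"
    "https://example.com\u2215downloads\u2215archive\u2215@v1.0.0.zip\n"
    "I also attached report.zip for your review."
)

if __name__ == "__main__":
    for f in find_suspect_links(SAMPLE):
        print(f"{f['kind']:12} host={f['host']:<12} token={f['token']}")
```

Two design points worth noting: the bare-token branch refuses to match when the token is preceded by "/" or "@", so path components and mailbox names inside a longer URL are not double-counted, and the host check runs on what urlsplit returns rather than on the raw text, because that is the only thing the browser cares about.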
Save $200 on Your Security Awareness and Culture Professional (SACP) Certification
H Layer Credentialing is launching an updated exam form with new content, and they need YOUR help! They are looking for professionals interested in earning their SACP Certification to complete the exam between August 14th and September 30th. This will allow them to perform statistical analyses and finalize scoring on the updated exam form.
To assist with this pilot study, they are offering a significant registration discount for those who complete the exam within the specified time frame. Register now using the following coupon code to save $200. You must complete the exam between August 14th and September 30th.
If you take the exam during this time, you will not receive instant scores at the testing center. Final scores will be withheld for approximately eight weeks while scoring levels are evaluated.
$200 Discount
Use the following code during checkout to save $200 on the SACP Certification Exam: SACPformAug23
Apply today to earn your SACP Certification...and save BIG!
https://portal.thehlayer.com/product/certification-exam/
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [BUDGET AMMO] Five scary deepfake scenarios that can endanger your business:
https://www.fastcompany.com/90923468/five-scary-deepfake-scenarios-that-can-endanger-your-business
PPS: [TARGET: YOU] Github Security alert: social engineering campaign targets technology industry employees:
https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/
- Heraclitus (540 - 480 BC)
- Miyamoto Musashi - Samurai and Philosopher (1584 - 1645)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-30-in-memoriam-kevin-david-mitnick-aug-6-1963-july-16-2023
Microsoft Was the Most Impersonated Brand in Q2, 2023
Microsoft was the most impersonated brand in phishing attacks during Q2, 2023, according to Check Point's latest Brand Phishing Report.
"Last quarter global technology company Microsoft climbed up the rankings, moving from third place in Q1 2023 to top spot in Q2," the researchers write. "The tech giant accounted for 29% of all brand phishing attempts. This may be partially explained by a phishing campaign that saw hackers targeting account holders with fraudulent messaging regarding unusual activity on their account.
"Our report ranked Google in second place, accounting for 19% of all attempts and Apple in third, featuring in 5% of all phishing events during the last quarter. In terms of industry, the technology sector was the most impersonated, followed by banking and social media networks."
Check Point describes a recent phishing campaign that attempted to steal users' Microsoft login credentials. "In the second quarter of 2023, a phishing campaign targeted Microsoft account holders by sending fraudulent messages regarding unusual sign-in activity," the researchers write.
"The campaign involved deceptive emails which were sent allegedly from inside the company with sender names such as "Microsoft on [company domain]". The subject line of these phishing emails was "RE: Microsoft account unusual sign-in activity" and they claimed to have detected unusual sign-in activity on the recipient's Microsoft account.
"The emails provided details of the alleged sign-in, such as the country/region, IP address, date, platform, and browser. To address this supposed security concern, the phishing emails urged recipients to review their recent activity by clicking on a provided link which leads to malicious websites unrelated to Microsoft."
Another phishing campaign impersonated Wells Fargo in order to steal bank account information. The phishing emails "had the subject line 'Verification Required' and aimed to trick recipients into providing their account information by claiming that certain details were missing or incorrect."
New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for phishing and other social engineering attacks.
Blog post with links:
https://blog.knowbe4.com/microsoft-most-impersonated-brand-q2-2023
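The campaign Check Point describes has three checkable properties: the display name claims Microsoft, the sender domain is not Microsoft's, and the "review your activity" link points somewhere unrelated to Microsoft. The Python below, added here as an example and not Check Point's or KnowBe4's code, parses a message with the standard library and reports those mismatches, with a benign notice alongside for contrast. Both messages, every domain in them, and the allowlist of Microsoft domains are constructed assumptions of the example; the extra check on a "RE:" subject without threading headers is also an assumption, not something the report states.

```python
"""Triage a notice that claims to be from Microsoft but links elsewhere.

Added example, not Check Point's or KnowBe4's code. Both messages below are
constructed; the sender and link domains in them are invented.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "microsoft"
# Where a genuine Microsoft account notice originates or links. This set is
# an assumption of the example and would need maintaining in practice.
BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com",
                 "office.com", "outlook.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for .com-style names; a public
    suffix list is needed to get co.uk and similar right."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def on_brand(host: str) -> bool:
    return registrable(host) in BRAND_DOMAINS


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    link_hosts = [(urlsplit(u.rstrip(".,;:)")).hostname or "").lower()
                  for u in URL_RE.findall(text)]
    off_brand = [h for h in link_hosts if not on_brand(h)]

    claims_brand = BRAND in display.lower() or BRAND in subject.lower()
    reasons = []
    if claims_brand and not on_brand(sender_domain):
        reasons.append(f"claims {BRAND} but sender domain is {sender_domain}")
    if claims_brand and off_brand:
        reasons.append("links go to non-brand hosts: " + ", ".join(off_brand))
    # A "RE:" subject on a message with no threading headers is treated as a
    # pressure signal; that heuristic is this example's assumption.
    if subject.lower().startswith("re:") and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        reasons.append("subject says RE: but message is not a reply")
    return {"sender_domain": sender_domain, "link_hosts": link_hosts,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed lure modelled on the campaign described above.
PHISH_EML = """\
From: "Microsoft on contoso.com" <no-reply@contoso-secure-alerts.example>
To: jane.doe@contoso.com
Subject: RE: Microsoft account unusual sign-in activity
Content-Type: text/plain; charset="utf-8"

We detected unusual sign-in activity on your Microsoft account.
Country/region: (withheld)  IP address: 203.0.113.45
Date: 2023-07-20 03:14 UTC  Platform: Windows  Browser: Firefox
Review your recent activity: https://review.contoso-secure-alerts.example/login
"""

# Constructed benign notice for contrast.
LEGIT_EML = """\
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: jane.doe@contoso.com
Subject: Microsoft account unusual sign-in activity
Content-Type: text/plain; charset="utf-8"

Review recent activity at https://account.live.com/Activity
"""

if __name__ == "__main__":
    for label, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, triage(eml))
```

The sender-domain check is deliberately separate from the link check: a lookalike sender with on-brand links, or an on-brand sender (for instance a compromised account) with off-brand links, each trips one reason on its own.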
Training Helps Critical Infrastructure Workers Spot Phishing Attacks
A new report from Hoxhunt has found that workers in critical infrastructure sectors are better at identifying phishing attacks than employees in other industries.
"Phishing simulation success rates, the act of reporting a simulation and not skipping or failing it, in critical infrastructure is 61 percent higher than the global average after 12 months," the researchers found. "In addition, resilience ratios, success rate versus failure rate, is 51 percent higher in critical infrastructure - 10.9 for critical infrastructure compared to the 7.2 global industry average."
Two-thirds of critical infrastructure workers thwarted a real phishing attack within a year of beginning security training.
"The report revealed that 66 percent of active participants in security behavior training programs at critical infrastructure organizations detect and report at least one real malicious email attack within a year of commencing training," Hoxhunt says.
"Resilience velocity, the speed at which an organization reaches its highest level of actual threat detection behavior, is also 20 percent higher in the critical infrastructure sector, with organizational threat detection rates reaching high points at 10 months, compared to the 12-month average in most other industries."
However, the researchers also determined that workers in this sector are more likely to be tricked by phony internal messages.
"The report also reveals that critical infrastructure employees are most likely to fall victim to spoofed internal organizational communications," the researchers write. "While this is the most effective type of phishing attack across most sectors, Hoxhunt's study found that these types of attacks induce an 11.4 percent higher failure rate in the critical infrastructure sector compared to global averages."
Mika Aalto, CEO and co-founder of Hoxhunt, stated, "Over the past several years, attacks on critical infrastructure have become all too common, leaving fuel pumps and store shelves empty. In response, critical infrastructure organizations and their employees are exponentially more aware and cautious of malicious activity."
New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart social engineering attacks.
Hoxhunt has the story:
https://www.hoxhunt.com/blog/human-cyber-risk-critical-infrastructure
What KnowBe4 Customers Say
"Yes, we can say we are a happy camper here. The entire KnowBe4 process, from Demo to Sale & Purchase and Implementation and Configuration of the program was great and as easy as it can be for us. You have a great team over there and we worked great with every single one of them at all levels.
As a Founder and CEO of KnowBe4, you probably are aware that these days, for most IT professionals, it's not all about the product and how much it costs, it's about the after sales support and service that you are receiving.
Also, I would like to give a shout-out to Lexie N., our Customer Success Manager - extremely knowledgeable and flexible every single time we needed. Without Lexie's guidance and help, we would probably not benefit from everything the KnowBe4 platform has to offer.
Stu, thank you for touching base with me and thank you once again Lexie for your outstanding support!"
- P.C., IT Support Technician
- U.S. Ambassador to China Hacked in China-Linked Spying Operation:
https://www.wsj.com/articles/u-s-ambassador-to-china-hacked-in-china-linked-spying-operation-f03de3e4
- Microsoft to Offer Some Cybersecurity Tools Free After Suspected China Hack:
https://www.wsj.com/articles/microsoft-to-offer-some-cybersecurity-tools-free-after-suspected-china-hack-6db94221
- Russian State-sponsored Gamaredon hackers start stealing data 30 minutes after a breach:
https://www.bleepingcomputer.com/news/security/gamaredon-hackers-start-stealing-data-30-minutes-after-a-breach/
- CISA orders govt agencies to mitigate Windows and Office zero-days used by RomCom in NATO Phishing:
https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-mitigate-windows-and-office-zero-days/
- How Hackers Can Hijack a Satellite:
https://www.darkreading.com/edge/how-researchers-hijacked-a-satellite
- Head of MI6 warns that China is setting 'data traps' for partners:
https://therecord.media/china-data-traps-espionage-mi6-richard-moore?
- Microsoft Strengthens Cloud Logging Against Nation-State Threats:
https://www.infosecurity-magazine.com/news/microsoft-enhances-cloud-logging/
- Renewable technologies add risk to the U.S. electric grid, experts warn:
https://cyberscoop.com/electric-grid-inverter-cyber/
- CISA shares free tools to help secure data in the cloud:
https://www.bleepingcomputer.com/news/security/cisa-shares-free-tools-to-help-secure-data-in-the-cloud/
- [FUN DEPT] Practice Your Security Prompting Skills with Gandalf, an interactive LLM game:
https://www.schneier.com/blog/archives/2023/07/practice-your-security-prompting-skills.html
- Virtual Drone Vaca #1 to Greenland called "Ice Waltz." Totally gorgeous HD shots:
https://www.youtube.com/watch?v=mwG8G4F1wPU
- Virtual Vaca #2 to Amazing Places in Egypt:
https://youtu.be/BwNyfylA7do
- SUPER FAVE! The Insane Engineering Behind MSG Sphere Las Vegas:
https://www.youtube.com/watch?v=lzxTI8GYLYE
- [FUN DEPT] Hacking the Las Vegas MSG Sphere: Is It Possible?
https://www.makeuseof.com/hacking-las-vegas-msg-sphere-possible/
- Top 10 fastest cars at Festival of Speed 2023:
https://www.youtube.com/watch?v=yoUfL1E5RHs
- Canada's $30BN Gamble to Become An Energy Superpower:
https://www.youtube.com/watch?v=c4zUnACRrQU
- LockPicking Lawyer Picks a Lexus RX300 Door Lock:
https://www.youtube.com/watch?v=vLy65ASXuEQ
- I would still like to see this SpaceX Intercontinental Transport System in reality!
https://www.flixxy.com/spacex-intercontinental-transport-system.htm?utm_source=4
- F1 Inspired Hot Hatch Concept - Alpine A290_β:
https://www.youtube.com/watch?v=2NAJ6iddb_0
- Prepare to be awe-inspired by the legendary Ricky Jay as he showcases his unparalleled mastery over a deck of cards:
https://www.flixxy.com/ricky-jays-masterful-card-control-a-captivating-display-of-magic.htm?utm_source=4
- Wingsuit Flight. Marmolada South Face, The Queen Of The Dolomites:
https://youtu.be/WSGHVI7lc9o
- Oppenheimer's secret city, explained in 9 minutes:
https://www.youtube.com/watch?v=K7uvrd94mrg
- Caspian Sea Monster - Not A Plane, Not A Ship:
https://www.flixxy.com/caspian-sea-monster-not-a-plane-not-a-ship.htm?utm_source=4
- For Da Kids #1 - Raven raised by human acts like dog:
https://youtu.be/iUIbg0skPdw
- For Da Kids #2 - Kittens Are Attached Like Velcro to Their Dad:
https://www.youtube.com/watch?v=zBuEna1ls9s
- For Da Kids #3 - Orphaned Hyena Loves To Wrestle With a Rescue Puppy:
https://www.youtube.com/watch?v=PrSZO_1wdjI
- For Da Kids #4 - Black Panther Raised by a Lady Made Friendship With a Rottweiler:
https://www.youtube.com/watch?v=IDFePbrq3i0
- For Da Kids #5 - Dog Waits for Months for Mom To Come Home From the Hospital:
https://youtu.be/4yOwIvPDmJo