CyberheistNews Vol 13 #31 [Beware of the Barbie Scams] What You Need to Know After the Recent Movie Release


CyberheistNews Vol 13 #31  |   August 1st, 2023

[Beware of the Barbie Scams] What You Need to Know After the Recent Movie Release

Stu Sjouwerman SACP

Scammers are taking advantage of the popularity of the Barbie movie, according to researchers at McAfee.

"In the last 3 weeks, we've seen 100 new instances of malware that have Barbie-related filenames," the researchers write. "Once again, this shows how attackers have latched onto the movie's hype, hoping the people will click the malicious files because the Barbie name is trending.

"The types of files varied but included typical types such as .html and .exe. By and large, attackers focused on the U.S., yet other countries have found themselves targeted as well."

Steve Grobman, McAfee's Chief Technology Officer, notes that criminals often exploit popular topics to distribute scams: "As Barbie makes her debut on the big screen, scammers are aiming to cash in on the summer blockbuster. A rash of scams have cropped up online, including bogus downloads of the film that install malware, Barbie-related viruses, and fake videos that point people to free tickets—but lead to links that steal personal info with spyware instead.

"Cybercriminals are always on the lookout for opportunities to make phishing and other scams more attractive and believable. They often leverage popular and well-publicized events such as movie premieres, concerts, or sporting events to trick users into clicking on malicious links."

McAfee offers several recommendations to help users avoid falling for these scams:

[CONTINUED] Blog post with links and a Barbie phishing test template. Warn your friends and family:

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, August 2, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at FOUR NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! June 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • NEW! Executive Reports - Create, tailor and deliver advanced executive-level reports
  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Use PasswordIQ to find which users are sharing passwords and which ones have weak passwords
  • See the fully automated user provisioning and onboarding

Find out how 60,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, August 2, @ 2:00 PM (ET)

Save My Spot!

FBI Warns of Increased Tech Support Scams Using Snail Mail

The U.S. Federal Bureau of Investigation (FBI) has warned of an increase in tech support scams that attempt to trick users into sending cash via snail mail.

"Tech support scammers usually initiate contact with older adult victims through a phone call, text, email, or pop-up window purporting to be support from a legitimate company," the FBI says. "The scammer informs the victim of fraudulent activity or potential refund for a subscription service.

"Subsequent emails, pop-ups, and texts contain a phone number for the victim to call for assistance. Once the victim calls the number, a scammer tells the victim they have a refund for the victim; however, the only way the money can be sent is by connecting to the victim's computer and depositing it into the victim's bank account."

The scammer then tricks the victim into downloading a remote access tool onto their computer. "The scammer tells the victim they can assist with the refund and convinces the victim to download a software program allowing the scammer remote access to the victim's computer," the Bureau says.

"Once a connection is established, the victim is convinced to log on to their bank account. The scammer then supposedly transfers an amount to the victim's bank account but 'accidentally' deposits a much larger amount than intended. The scammer points this 'error' out and tells the victim to return the extra money or the scammer will lose their job."

After playing on the victim's emotions, the scammer convinces the victim to send the extra money back in cash.

"The scammer instructs the victim to send the money in cash, wrapped in a magazine(s), or similar method of concealment, via a shipping company to a name and address provided by the scammer," the Bureau says. "Most recently, scammers have instructed victims to ship packages containing money to pharmacies and retail businesses that are equipped to receive shipping company packages."

The FBI gives the following recommendations to help users avoid falling for these scams:

  • "Never download software at the request of an unknown individual who contacted you.
  • "Never allow an unknown individual who contacted you to have control of your computer.
  • "Do not click on unsolicited pop-ups, links sent via text messages, or email links or attachments. Do not contact the telephone number provided in a pop-up, text, or email.
  • "Never send cash via mail or shipping companies."

New-school security awareness training enables your employees to recognize social engineering attacks.

Blog post with links:

The Dark Side of AI: Unmasking its Threats and Navigating the Shadows of Cybersecurity in the Digital Age

Artificial Intelligence (AI) has come roaring to the forefront of today's technology landscape. It has revolutionized industries and will modernize careers, bringing numerous benefits and advancements to our daily lives. However, it is crucial to recognize that AI also introduces unseen impacts that must be understood and addressed for your employees and your organization as a whole.

Join James McQuiggan, Security Awareness Advocate at KnowBe4, for this thought-provoking webinar where he'll discuss the unforeseen threats of AI and how to protect your network.

During this webinar, you'll:

  • Gain insights into the risks associated with AI and their implications for critical domains
  • Understand the dangers of prompt injection attacks and their impact on data integrity
  • Discover ways to combat the spread of conspiracy theories and misinformation generated by AI
  • Learn how training your users to recognize malicious technology is the best, last line of defense

Do you want to get on the bright side of AI? Watch this webinar to learn how and earn CPE credit for attending!

Date/Time: Wednesday, August 9, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

SEC Implements New Rule Requiring Firms to Disclose Cybersecurity Breaches in 4 Days

What happened? The SEC (Securities and Exchange Commission) has introduced new rules that require public companies to be more transparent about their cybersecurity risks and any breaches they experience.

This means companies will need to regularly share information about how they are managing cybersecurity risks and any significant cybersecurity incidents they've had. If a company experiences a significant cybersecurity incident, they'll need to report it within four business days.

SEC Chair Gary Gensler said: "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."

Why is this important? This new rule is likely to make cybersecurity a higher priority for companies. It could lead to increased investment in cybersecurity measures, as companies will want to avoid the potential negative publicity and financial implications of a breach.

This is particularly relevant for C-level execs, and not only at public companies. The new rules are also likely to benefit companies in the cybersecurity and compliance fields, which can expect increased focus and budget allocation as a result.

What do people think? There are quite a few opinions about this new rule, and they vary markedly depending on who you ask. InfoSec professionals are looking at this through a different lens and are not particularly impressed. I recommend forwarding this blog post with a link to the relevant WSJ article to your C-level execs as budget ammo.

Blog post with links:

Do Users Put Your Organization at Risk With Browser-saved Passwords?

Cybercriminals are always looking for easy ways to hack into your network and steal your users' credentials.

Verizon's Data Breach Investigations Report shows that attackers are increasingly successful using a combo of phishing and malware to steal user credentials. In fact, password dumpers, which allow cybercriminals to find and "dump" passwords your users save in web browsers, took the top spot for malware in the Verizon report.

Find out now if browser-saved passwords are putting your organization at risk.

KnowBe4's Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization's risk associated with weak, reused and old passwords your users save in Chrome, Firefox and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:

  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization's key business systems
  • Better manage and strengthen your organization's password hygiene policies and security awareness training efforts

Get your results in a few minutes! They might make you feel like the first drop on a roller coaster!

Find Out Now:

Researchers Uncover Surprising Method to Hack the Guardrails of LLMs

Researchers from Carnegie Mellon University and the Center for A.I. Safety have discovered a new prompt injection method to override the guardrails of large language models (LLMs). These guardrails are safety measures designed to prevent AI from generating harmful content.

This discovery poses a significant risk to the deployment of LLMs in public-facing applications, as it could potentially allow these models to be used for malicious purposes.

The researchers' attack method was effective on all chatbots tested, including OpenAI's ChatGPT, Google's Bard, Microsoft's Bing Chat, and Anthropic's Claude 2. There are implications for applications based on open-source LLMs, like Meta's LLaMA models.

The attack works by exploiting the AI model's weights, which determine the influence of each node in a neural network. The researchers developed a program that searches for suffixes that, when added to a prompt, can override the system's guardrails. These suffixes, appearing as random characters and nonsense words to humans, can trick the LLM into providing the response the attacker desires.

[CONTINUED] at the KnowBe4 Blog:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] How a layered security approach can prevent AI-based phishing:

PPS: Your KnowBe4 Fresh Content Updates from July 2023. Check out the 28 new pieces added and highlights, events and new features:

Quotes of the Week
"Many of life's failures are people who did not realize how close they were to success when they gave up."
- Thomas Edison (1847 - 1931)

"When you are finished changing, you are finished."
- Benjamin Franklin (1706 - 1790)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Vendor Email Compromise: One Message, 5 Vendors

Researchers at Abnormal Security have observed a vendor email compromise (VEC) attack in which a threat actor compromised email accounts belonging to five critical infrastructure companies.

"We recently detected a series of attacks in which a single threat actor compromised five different vendor email accounts, and through those accounts, delivered email attacks to 15 individuals across five customer organizations," the researchers write.

"Even more concerning was that all of the target customer organizations were in the critical infrastructure space—including two healthcare companies, two logistics companies, and one manufacturing company. And unfortunately, these are only the numbers across Abnormal customer organizations, meaning that dozens more accounts could've been compromised by this single threat actor."

The threat actor used the accounts to send phony invoices to the vendors' clients. "Specifically, the attacker compromised vendor email accounts belonging to individuals in accounting and operations roles and sent emails attempting to redirect outstanding and future invoices to a new bank account," the researchers write.

"Each email included a PDF attachment that outlined the (fake) new payment policy and provided the updated bank account details. Nearly all of the emails sent by the compromised accounts used the same language and formatting, and although they featured grammatical errors, they also featured a number of characteristics that made them appear legitimate—enabling the emails to bypass traditional security defenses."

The researchers note that vendor impersonation attacks are often extremely convincing, since the victims are expecting to receive invoices. "VEC attacks are among the most successful social engineering attacks because they capitalize [on] the trusted relationships between customers and their vendors," the researchers write.

"You're much less likely to question an email from a supplier contact you regularly interact with, than one from an unknown identity. And because discussions with vendors often involve issues around invoices and payments, attacks that mimic these conversations can easily slip by unnoticed."

New-school security awareness training can enable your employees to thwart targeted social engineering attacks.

Abnormal Security has the story:

Facebook Scams Impersonate AI Tools

Fraudsters are spreading scams on Facebook that pose as ads for legitimate AI tools, according to researchers at Check Point. The Facebook pages impersonate ChatGPT, Google Bard, Midjourney, Jasper and more.

"Most of the campaigns using fake pages and malicious ads in Facebook eventually deliver some kind of information stealing malware," Check Point says. "In the past month, CPR and other security companies observed multiple campaigns that distribute malicious browser extensions aimed at stealing information.

"Their main target appears to be data associated with Facebook accounts and the theft of Facebook pages. It seems the cyber criminals are trying to abuse existing large audience pages, including advertising budgets, so even many pages with a large reach could be exploited in this way to spread the scam further."

The Facebook pages are often very convincing and have many followers, which adds to their credibility. "The threat actors behind certain malicious Facebook pages go to great lengths to ensure they appear authentic, bolstering the apparent social credibility," the researchers write.

"When an unsuspecting user searches for 'Midjourney AI' on Facebook and encounters a page with 1.2 million followers, they are likely to believe it is an authentic page. The same principle applies to other indicators of page legitimacy: when posts on the fake page have numerous likes and comments, it indicates that other users have already interacted positively with the content, reducing the likelihood of suspicion."

Check Point gives the following advice to help users avoid falling for phishing attacks:

  • "Ignore Display Names: Phishing sites or emails can be configured to show anything in the display name. Instead of looking at the display name, check the sender's email or web address to verify that it comes from a trusted and authentic source.
  • "Verify the Domain: Phishers will commonly use domains with minor misspellings or that seem plausible. For example, company[.com] may be replaced with cormpany[.com] or an email may be from company-service[.com]. Look for these misspellings; they are good indicators.
  • "Always download software from trusted sources: Facebook groups are not the source from which to download software to your computer. Go directly to a trusted source and use its official webpage. Do not click on downloads coming from groups, unofficial forums, etc.
  • "Check the Links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank[.com], which will tell you if they are known phishing links. If possible, don't click on a link at all; visit the company's site directly and navigate to the indicated page."
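The "ignore display names" and "verify the domain" advice above can be turned into a mail-gateway triage check. The following is an added example written for this newsletter, not Check Point's or KnowBe4's code; the trusted vendor list, the sample From: headers and the two-label registrable-domain assumption are all constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a trusted vendor domain.

Added example (not from the original article). TRUSTED_VENDORS and
SAMPLE_SENDERS are constructed; the company[.com] / cormpany[.com] /
company-service[.com] cases mirror the ones quoted in the text.
"""
import re

# Constructed allow-list of vendor domains you actually do business with.
TRUSTED_VENDORS = {"company.com"}

# Constructed From: headers. Display names are ignored on purpose.
SAMPLE_SENDERS = [
    "Accounts Payable <billing@company.com>",           # genuine vendor
    "Accounts Payable <billing@cormpany.com>",          # one-letter misspelling
    "Company Support <noreply@company-service.com>",    # plausible affix
    "Company Notices <alerts@company.com.example>",     # vendor name as a subdomain
    "IT Helpdesk <it@mail.company.com>",                # genuine subdomain
    "Newsletter <news@unrelated.example>",              # unrelated sender
]

# Matches the local part and domain of the real address, whatever the display name says.
EMAIL_RE = re.compile(r"([^<>\s@\"]+)@([A-Za-z0-9.-]+)>?\s*$")


def sender_domain(header: str) -> str:
    """Return the lowercase domain of the actual address in a From: header."""
    m = EMAIL_RE.search(header.strip())
    if not m:
        raise ValueError(f"no address found in {header!r}")
    return m.group(2).lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typosquats such as cormpany.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(header: str, trusted=TRUSTED_VENDORS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header."""
    dom = sender_domain(header)
    labels = dom.split(".")
    registrable = ".".join(labels[-2:])  # assumption: two-label TLDs only (no co.uk etc.)
    for t in trusted:
        if dom == t or dom.endswith("." + t):
            return "trusted"  # the vendor's own domain or a real subdomain of it
        if levenshtein(registrable, t) <= max_edits:
            return "lookalike"  # minor misspelling of the registrable domain
        vendor_name = t.split(".")[0]
        if any(vendor_name in label for label in labels):
            return "lookalike"  # vendor name affixed (company-service) or embedded as a subdomain
    return "unknown"


def triage(headers=SAMPLE_SENDERS) -> dict:
    """Map each sender domain to its verdict; 'lookalike' entries deserve a phone call to the vendor."""
    return {sender_domain(h): classify(h) for h in headers}
```

Unknown senders are not necessarily malicious; the point is that a vendor lookalike asking to change bank details should be verified out of band, never by replying.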

New-school security awareness training can enable your employees to recognize these types of social engineering attacks.

Check Point has the story:

What KnowBe4 Customers Say

"Hi Stu, I hope this email finds you well. I wanted to express my utmost satisfaction with KnowBe4's training and phishing service. As a customer, I have experienced exceptional results, and I wanted to share my positive feedback.

Right from the start, KnowBe4 demonstrated a high level of professionalism and a genuine commitment to our team's cybersecurity needs. The training sessions provided were comprehensive, engaging, and tailored to our specific requirements.

The trainers were incredibly knowledgeable and skilled at delivering the content in an easily digestible manner. KnowBe4's phishing service has been a game changer for our organization's security efforts. The simulated phishing emails were realistic and eye-opening, revealing potential vulnerabilities within our team.

The detailed reports and analytics provided afterward were invaluable in identifying areas that required improvement and allowed us to take immediate action. I would also like to commend KnowBe4's exceptional customer support. They have been incredibly responsive, promptly addressing any inquiries or concerns we've had along the way.

Their dedication to ensuring our satisfaction has been outstanding. Overall, I am thoroughly impressed with KnowBe4's training and phishing service. It has become an invaluable tool in enhancing our organization's security awareness and mitigating potential risks. I wholeheartedly recommend KnowBe4 to any company seeking to strengthen their cybersecurity defenses and educate their employees about phishing threats. Thank you to the entire KnowBe4 team."

- N.V., Financial Data Specialist

The 10 Interesting News Items This Week
  1. 'Nitrogen' Ransomware Effort Specifically Targets IT Pros via Google, Bing Ads:
  2. Leading Technology Companies Agree to White House's AI Safeguards:
  3. North Korean Cyber Group Suspected in JumpCloud Breach:
  4. Former NSA insider Coker is White House pick for national cyber director:
  5. Google Chrome to offer 'Link Previews' when hovering over links:
  6. ALPHV ransomware adds data leak API in new extortion strategy:
  7. Beware Your ChatGPT Plugins:
  8. Russia Sends Cybersecurity CEO to Jail for 14 Years:
  9. Senator calls on DOJ to investigate alleged China hack of Microsoft cloud tools:
  10. The Chinese groups accused of hacking the U.S. and others:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
