CyberheistNews Vol 13 #32 [HEADS UP] Google's Huge Inactive Account Deletion - What You Need to Know


CyberheistNews Vol 13 #32  |   August 8th, 2023

[HEADS UP] Google's Huge Inactive Account Deletion - What You Need to Know

Stu Sjouwerman SACP

Google announced an update to their inactive account policies in May. Accounts that have been inactive for a period of two years or more will start being deleted in December 2023, at the earliest.

This policy change is meant to enhance security, as abandoned accounts are more likely to be compromised and 10x less likely to have multi-factor authentication enabled. The policy applies to content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Photos.

A few ways to keep an account status active include reading or sending an email, using Google Drive, watching a YouTube video, downloading an app on the Google Play Store, using Google Search and more. Google's announcement post gives more details around affected accounts, backup instructions and more.

While account deletion isn't set to begin for several months, notification emails have started going out to account owners. We haven't seen them yet, but this is prime fodder for phishing attacks that impersonate Google. It's only a matter of time before cybercriminals use this news to scam people into going to malicious websites, where their Google account credentials can be harvested.

You should warn your users now to keep them aware of potential attacks. Any urgent account alert emails should be scrutinized closely. Instead of clicking a link in an email, it's best to go directly to any Google accounts that could be affected by this policy change.

New-school security awareness training enables your users to make smarter security decisions so they can avoid falling for social engineering attacks.


The Dark Side of AI: Unmasking its Threats and Navigating the Shadows of Cybersecurity in the Digital Age

Artificial Intelligence (AI) has come roaring to the forefront of today's technology landscape. It has revolutionized industries and will modernize careers, bringing numerous benefits and advancements to our daily lives.

However, it is crucial to recognize that AI also introduces unseen impacts that must be understood and addressed for your employees and your organization as a whole.

Join James McQuiggan, Security Awareness Advocate at KnowBe4, for this thought-provoking webinar where he'll discuss the unforeseen threats of AI and how to protect your network.

During this webinar, you'll:

  • Gain insights into the risks associated with AI and their implications for critical domains
  • Understand the dangers of prompt injection attacks and their impact on data integrity
  • Discover ways to combat the spread of conspiracy theories and misinformation generated by AI
  • Learn how training your users to recognize malicious technology is the best, last line of defense

Do you want to get on the bright side of AI? Watch this webinar to learn how and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, August 9, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.


Amazon Sends Email to Customers on Common Scam Tactics

We've reported on several Amazon scams, but for once, there is positive news. Amazon sent an email Thursday morning highlighting the top scams your users should watch out for:

Prime Membership Scams
Per Amazon, "These are unexpected calls/texts/emails that refer to a costly membership fee or an issue with your membership and ask you to confirm or cancel the charge. These scammers try to convince you to provide payment or bank account information in order to reinstate a membership."

Account Suspension/Deletion Scams
Per Amazon, "Scammers send texts, emails and phone calls stating that your account will be suspended or deleted and prompt you to click on a fraudulent link or verbally provide information to "verify your account." Customers who land on these pages or receive these phone calls are then lured to provide account information such as payment information or account login credentials."

Amazon noted that they will never ask you to disclose any confidential information over the phone or on any website other than

They also included some helpful tips to identify these types of scams and how to keep your account safe online:

  • Trust Amazon-owned channels - Always go through the Amazon mobile app or website when seeking customer service, tech support, or when looking to make changes to your account.
  • Be wary of false urgency - Scammers may try to create a sense of urgency to persuade you to do what they're asking. Be wary any time someone tries to convince you that you must act now.
  • Never pay over the phone - Amazon will never ask you to provide payment information, including gift cards (or "verification cards," as some scammers call them) for products or services over the phone.
  • Verify links first - Legitimate Amazon websites contain "amazon[.com]" or "amazon[.com]/support." Go directly to our website when seeking help with Amazon devices/services, orders or to make changes to your account.

If you receive communication — a call, text, or email — that you think may not be from Amazon, you can report it at amazon[.com]/reportascam. Remember, your employees are your last line of defense. Teach your users how to spot and report these popular scams.


[New Product] Boost Your Email Security Defense - PhishER Plus to the Rescue!

Phishing remains the most widely used cyberattack vector, and cybercriminals keep getting craftier. But recent data shows phishing attacks successfully slipped past security email gateways a whopping 56% of the time.

That's why we've introduced PhishER Plus, the ultimate anti-phishing platform designed to level up your defense!

Identify and Respond to Email Threats Faster
PhishER Plus is a simple and lightweight SOAR platform that helps you manage the high volume of suspicious email messages reported by your users. Powered by a unique, human-curated and AI-validated global threat feed, PhishER Plus gives you a leg up to manage all those messages, spot legit emails from potential dangers, and prioritize like a pro.

Proactively Defend Against Phishing Attacks
Thanks to the Global Blocklist for Microsoft 365, fueled by 10 million+ highly trained KnowBe4 users, PhishER Plus blocks known threats reported by others from reaching your mail server. There's more - Global PhishRIP automatically quarantines malicious emails other PhishER customers have "ripped" from user inboxes, stopping them before you can even blink.

Ready to Experience the Power?
Join us Wednesday, August 16, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With the PhishER Plus platform you can:

  • NEW! Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • NEW! Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox

Date/Time: Wednesday, August 16, @ 2:00 PM (ET)


Advanced Phishing Campaign Exploits 3rd Parties

Researchers at BlueVoyant warn that attackers are increasingly adding an extra step to their phishing campaigns, impersonating third parties to lend credibility to the scams.

"Third-party phishing sites…will include some characteristics of the original flow, with an added step – the initial impersonation that establishes credibility to the end user is a service that is not connected to the targeted organization," the researchers write.

"Furthermore, the third-party phishing page itself won't ask the victim to submit their personal credentials. The fraud occurs in the final phishing page to which the client has been redirected, impersonating the chosen financial institution."

BlueVoyant has seen a significant spike in this technique over the past year. "Third-party phishing websites are spread on a massive scale across the internet," the researchers write. "Over the past year, BlueVoyant has witnessed a major increase in the number of phishing sites originating in third-party phishing campaigns.

"One major European client saw an increase from just 2% of all detected phishing attacks in 2022 to 21% in 2023... It now permeates across a number of sectors: e-commerce, logistics and shipping, mobile carriers, government institutions, payment transaction platforms, and more."

The use of intermediate sites helps the attackers avoid detection by security tools. "Third-party phishing adds a new wrinkle to the oldest trick in the book," the researchers write. "Intermediary sites directing victims to various different phishing sites provides two benefits to attackers: it allows them to cast a wider net and catch more fish (so to speak), and it provides another degree between them and threat hunters who may be on their trail.

"We've previously published research highlighting how attackers use redirects as an evasion mechanism – third-party phishing builds on that concept, while also giving the threat actor a greater chance of ensnaring their targets."


Experience Black Hat with KnowBe4

You won't want to miss KnowBe4 at Black Hat this year! We are bringing an amazing lineup and exclusive swag to booth #1820 that you won't find anywhere else.

Here's a sneak peek of what to expect:

  • Exclusive Free Kevin Swag: We honor and remember Kevin Mitnick and his legacy, both at KnowBe4 and in the cybersecurity community.
  • In-Booth Cybersecurity Thought Leadership Talks: These short sessions will give you actionable takeaways to level up your security awareness training program.
  • Custom Hat Press: A fan-favorite from last year is back! Be sure to swing by, choose your favorite hat and patch, and we'll put it together for you.
  • Speaking Session: The Top 10 Security Awareness Program Fails -- and How to Fix Them: In this session, Perry Carpenter, KnowBe4's Chief Research and Strategy Officer and author of "The Security Culture Playbook," will break down the top 10 security awareness fails, provide practical guidance on how to avoid falling into traps and pitfalls, and share interesting data from an internal study of over 30 million trainees.

Plus, so much more! See the full agenda and mark your calendar for your favorites.


Can't make it? Make sure to follow our LinkedIn page so you don't miss out on a live stream each day of the conference!

New ATLAS for AI and ML is Modeled After the MITRE ATT&CK Framework

This is interesting. While MITRE ATT&CK has been widely adopted and used by security practitioners, researchers, and vendors for threat intelligence, detection, and response, ATLAS is a newer initiative that aims to raise awareness and provide guidance for securing ML systems against adversarial threats.


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] Inside The Organizational Structure Of A Modern Ransomware Syndicate:

PPS: Cybercriminals now train AI chatbots for phishing, malware attacks:

Quotes of the Week  
"Treat those who are good with goodness, and also treat those who are not good with goodness. Thus goodness is attained. Be honest to those who are honest, and be also honest to those who are not honest. Thus honesty is attained."
- Lao Tzu - Philosopher (604 - 531 BC)

"Simple, genuine goodness is the best capital to found the business of this life upon. It lasts when fame and money fail, and is the only riches we can take out of this world with us."
- Louisa May Alcott (1832 - 1888)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

CISA Discovers Spear Phishing and Valid Account Compromise Are the Most Common Attack Vectors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has found that compromise of valid accounts and spear phishing attacks were the two most common vectors of initial access in 2022, Decipher reports. Valid accounts were compromised in 54% of successful attacks.

"Valid accounts can be former employee accounts that have not been removed from the active directory or default administrator accounts," CISA said. "When organizations do not change default passwords, threat actors can compromise a valid administrator account.

"In many cases, this attack technique is possible because the valid account allowed unauthorized users to install or execute insecure software (such as unpatched or out-of-date software) on a system or network."

The report found that spear phishing links were successful in 33% of attacks.

"Successful spear phishing requires an attacker's malicious email to pass through network border protections and deliver malware to execute on the local host," CISA says. "Host-level protection stops spear phishing attempts as they pass through network perimeter protection. At the network border level, CISA observed 13% of spear phishing attempts blocked.

"At the host or endpoint level, CISA observed 78% of links or attachments blocked, preventing the execution of a malicious activity. A cyber threat actor's success rate with this type of attack depends on factors, such as the perceived authenticity of the email's content and presentation, host protections (e.g., antivirus and malware detection software), and the network's boundary protection mechanisms."

CISA offers the following recommendations for organizations to defend themselves against these attacks:

  • "Implement a secure password policy requiring phishing-resistant multi-factor authentication (MFA) for remote access, strong passwords, unique credentials, and the separation of user and privileged accounts, effectively revoking unnecessary or inactive accounts.
  • "Configure email servers to filter out and block emails with malicious indicators and implement authentication protocols, such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to prevent spoofed or modified emails.
  • "Implement a phishing awareness training program that includes guidance on identifying phishing attacks and how personnel should report suspected phishing attempts and verified incidents."

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks.


Bad Actor Uses Fake Android Chat to Install Malware

Researchers at CYFIRMA warn that the Bahamut threat actor is using a malicious Android app to deliver malware.

"The suspected Android malware, known initially as 'CoverIm' was delivered to victims via WhatsApp, and was found to be disguised as a dummy chatting application named 'SafeChat,'" the researchers write. "The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information, before the victim realizes that the app is a dummy, the malware cleverly exploits unsuspecting Android Libraries to extract and transmit data to a command-and-control server."

After the app is installed, it will continually ask the user to grant it accessibility permissions. "Once the user clicks on 'Allow'...the app takes the user to the accessibility page and asks the victim to enable accessibility for the Safe Chat app," the researchers write. "Once the accessibility is on, then the malware will capture activity on screen including keystrokes. Until it is enabled, the app will throw a pop-up message again and again."

While Bahamut was previously believed to be a mercenary group, CYFIRMA believes the threat actor is based in India and works for a single nation-state government.

"In this specific attack, the threat actor conducted targeted spear messaging attacks on WhatsApp Messenger, focusing on individuals in the South Asia region," the researchers write. "The malicious payload was delivered directly through WhatsApp chat. The attack on the individual served the interest of one nation state government.

"The nature of this attack, along with previous incidents involving APT Bahamut, possibly indicate that it was carried out to serve the interests of one nation state government. Notably, APT Bahamut has previously targeted Khalistan supporters, advocating for a separate nation, posing an external threat to India."


What KnowBe4 Customers Say

"Hi Stu, good afternoon, hope you are well. We have been actively using KnowBe4 for our training and phishing simulation services, and the results have been fantastic.

The staff has responded very well to the training, and we're delighted with the outcome. One of the aspects we particularly appreciate is the automated reporting feature, which makes it much easier for us to identify areas of concern and address them promptly.

Additionally, the ability to brand the product according to our organization's needs has been a significant advantage. Overall, there is a positive impact of KnowBe4, and we are excited about continuing to educate all our employees with the platform's help.

Thank you for providing such a valuable service! Thank you."

- G.V., IT Security Administrator

The 10 Interesting News Items This Week
  1. [CERF'S UP] Large Language Models. By Vinton G. Cerf:

  2. U.S. Hunts Chinese Malware That Could Disrupt American Military Operations:

  3. Microsoft downplays damaging report on Chinese hacking its own engineers vetted:

  4. White House releases strategy to expand the U.S. cyber workforce:

  5. New SEC 4-day Data Breach Rule Materiality Definition Seen as Tough Task:

  6. No evidence ransomware victims with cyber insurance pay up more often, UK report says:

  7. FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022:

  8. TSA updates gas pipeline cybersecurity guidelines:

  9. Midnight Blizzard conducts targeted social engineering over Microsoft Teams:

  10. Why the California Delete Act Matters:
