KnowBe4 Security Awareness Training Blog

CyberheistNews Vol 13 #33 [INFOGRAPHIC] Uncovered: Top-Clicked Q2 Phishing Tests Are from Your HR

Written by Stu Sjouwerman | Aug 15, 2023 1:00:00 PM
CyberheistNews Vol 13 #33  |   August 15th, 2023

[INFOGRAPHIC] Uncovered: Top-Clicked Q2 Phishing Tests Are from Your HR

KnowBe4's latest reports on top-clicked phishing email subjects have been released for Q2 2023. We analyze "in the wild" attacks reported via our Phish Alert Button, top subjects globally clicked on in phishing tests, top attack vector types, and holiday email phishing subjects.

This last quarter's results reflect the popularity of HR-related email subjects such as vacation policy notifications, dress code changes and past due training alerts that can affect end users' daily work.

The threat of phishing emails remains as high as ever as cybercriminals continuously tweak their messages to be more sophisticated and seemingly credible, now with the help of GenAI and returning to the office.

The trend of phishing emails revealed in the Q2 phishing report is especially concerning, as 50% of these emails appear to come from HR – a trusted and crucial department of so many, if not all organizations.

These disguised emails take advantage of employee trust and typically incite action that can result in disastrous outcomes for the entire organization. New-school security awareness training for employees is crucial to help combat phishing and malicious emails by educating users on the most common cyber attacks and threats. An educated workforce is your organization's best defense and is essential to fostering and maintaining a strong security culture.

Download your infographic at the blog post and share it with your users!
https://blog.knowbe4.com/q2-2023-top-clicked-phishing

[New Product] Boost Your Email Security Defense - PhishER Plus to the Rescue!

Recent data shows phishing attacks successfully slipped past security email gateways a whopping 56% of the time. That's why we've introduced PhishER Plus, the ultimate anti-phishing platform designed to level up your defense!

PhishER Plus is a lightweight SOAR platform that helps you manage the high volume of suspicious messages reported by your users while proactively blocking and quarantining known threats reported by highly trained KnowBe4 users.

Ready to Experience the Power? Join us TOMORROW, Wednesday, August 16 @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With the complete PhishER Plus platform you can:

  • NEW! Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • NEW! Automatically isolate and rip malicious emails from your users' inboxes that have bypassed mail filters
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox

Date/Time: TOMORROW, Wednesday, August 16, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/phisher-demo-august-2023?partnerref=CHN2

Recent data shows phishing attacks successfully slipped past security email gateways a whopping 56% of the time. That's why we've introduced PhishER Plus, the ultimate anti-phishing platform designed to level up your defense!

PhishER Plus is a lightweight SOAR platform that helps you manage the high volume of suspicious messages reported by your users while proactively blocking and quarantining known threats reported by highly trained KnowBe4 users.

Ready to Experience the Power? Join us TOMORROW, Wednesday, August 16 @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With the complete PhishER Plus platform you can:

  • NEW! Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • NEW! Automatically isolate and rip malicious emails from your users' inboxes that have bypassed mail filters
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox

Date/Time: TOMORROW, Wednesday, August 16, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/phisher-demo-august-2023?partnerref=CHN2

Most Organizations Using Weak Multifactor Authentication

Most organizations are still using weak forms of multi-factor authentication (MFA), a survey by Nok Nok has found. These forms of MFA can be bypassed if an employee falls for a social engineering attack.

"72% of organizations still use phishable MFA factors for their customer-facing applications," the researchers write. "The cost and risk of lost or stolen data, business, and funds from compromised accounts is motivating organizations to make MFA mandatory for their customers. Unfortunately, they haven't gone far enough and still rely on the weakest forms of phishable MFA: SMS and one-time email codes."

The survey also found that more than three-quarters of organizations fell victim to account compromises over the past year.

"76% of organizations experienced multiple account or credential compromises over the past 12 months," the researchers write. "Organizations face a multitude of disparate attack vectors targeting weak authentication methods. Unfortunately, organizations are still not prepared to respond to account or credential compromise, and thus multiple incidents have become the norm."

Attackers can use brute force attacks to guess passwords, so they're now focused on defeating multifactor authentication. "With the availability of low cost cloud CPUs to crack passwords and the prevalence of known accounts/passwords, organizations recognize that passwords are not secure," the researchers write.

"The survey revealed that traditional authentication methods, such as passwords, are not effective in the face of evolving cyber threats [this seems like a conclusion that has already been proven over the past decade. Moreover, legacy multifactor authentication (MFA) such as SMS, one time password (OTP) or email codes, has proven to be susceptible to social engineering and phishing attacks, while introducing user friction and degrading the user experience."

While any form of multifactor authentication is better than nothing, organizations need to be aware that their employees remain vulnerable to phishing attacks.

Blog post with links:
https://blog.knowbe4.com/phishable-methods-multifactor-authentication

October is Cybersecurity Awareness Month. Are You Prepared?

Cyber threats can be scary, and for good reason. Malware can be lurking in a suspicious email your users get convinced to click. All it takes is one crack in the door of your network to let all the wrong ones in; spear phishing witches, ravenous ransomwolves, you name it!

But never fear! While torches, pitchforks and silver bullets never put down a data breach, a resilient security culture in your organization is your best bet for keeping the beasts at bay. That's why we've put together these free resources you can use throughout the entire month of October to help your users keep up their cybersecurity defenses. Request your free resource kit now!

Here is what you'll get:

  • Access to free resources for you including our most popular on-demand webinar and whitepaper
  • Resources to help you plan your activities, including your Cybersecurity Awareness Month User Guide and Cybersecurity Awareness Weekly Planner
  • NEW! Featured video module for your users: "Security Culture and You;" plus eight additional video and interactive training modules, all available in multiple languages
  • NEW! Four security hints and tips newsletters; plus additional security docs and awareness tips, all available in multiple languages
  • NEW! Five cyber-monster character cards and posters; plus additional posters and digital signage assets available in multiple languages

Get Your Free Cybersecurity Awareness Month Resource Kit Now!
https://www.knowbe4.com/cybersecurity-awareness-month-resource-kit-chn

Black Hat 'Interesting AI Stuff' Roundup

There has been a tremendous amount of interesting data being released at Black Hat, and I picked a few AI-related summaries I thought were worth it to start with. More to come later:

Many questions, few answers as cybersecurity world confronts AI threats:
https://siliconangle.com/2023/08/11/report-black-hat-many-questions-answers-cybersecurity-world-confronts-ai-threats/

Black Hat 2023 Keynote: Navigating Generative AI in Today's Cybersecurity Landscape:
https://www.techrepublic.com/article/black-hat-2023-keynote/

AI's Role in Cybersecurity: Black Hat USA 2023 Reveals How LLMs Are Shaping the Future of Phishing Attacks and Defense:
https://blog.knowbe4.com/ais-role-in-cybersecurity-black-hat-usa-2023-reveals-how-large-language-models-are-shaping-the-future-of-phishing-attacks-and-defense

5 Intriguing Ways AI Is Changing the Landscape of Cyber Attacks:
https://blog.knowbe4.com/ai-changing-cyber-attack-landscape

PS: Did You Know? Compare your Phish-prone Percentage with KnowBe4's New Interactive Phishing Analysis Center by Industry and Region:
https://www.knowbe4.com/phishing-benchmarking-analysis-center?

Can You Be Spoofed?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly "security awareness" trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. It's quick, easy and often a shocking discovery.

Find out now if your email server is configured correctly, many are not!

  • This is a simple, non-intrusive "pass/fail" test
  • We will send a spoofed email "from you to you."
  • If it makes it through into your inbox, you know you have a problem
  • You'll know within 48 hours!

Try to Spoof Me!
https://info.knowbe4.com/domain-spoof-test-1-chn

[GUIDE] Scary SEO and Waterhole Attacks: What You Need to Know Now

By Roger Grimes.

Most social engineering scams search out their potential victims, often sending emails to known email addresses, sending chat messages to them or calling known phone numbers. The attackers take an active role in seeking out and making contact with their victims.

For that reason, we often say that everyone needs to be initially suspicious of any unrequested contact, no matter how it arrives, that is requesting an action that if performed by the receiver, could harm their or their organization's interests.

CONTINUED at this blog post with links:
https://blog.knowbe4.com/be-aware-of-seo-and-waterhole-attacks


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [VIDEO] The $24 Million SIM-Swapping Hack. Four minutes you cannot miss:
https://www.youtube.com/watch?v=dM5BJxoa_q0

PPS: [LAW BUDGET AMMO] How the SEC is Transforming Corporate Cybersecurity Oversight:
https://news.bloomberglaw.com/us-law-week/how-the-sec-is-transforming-corporate-cybersecurity-oversight

Quotes of the Week  
"Those who forget history are doomed to repeat it."
- George Santayana - Philosopher (1863 – 1952)
"If you don't know history, then you don't know anything. You are a leaf that doesn't know it is part of a tree."
- Michael Crichton, Author (1942 – 2008)
Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-33-infographic-uncovered-top-clicked-q2-phishing-tests-are-from-your-hr

Security News

WIRED: 'This Disinformation is Just for You'

WIRED just came out with an article that spells out the coming tsunami of highly targeted disinformation. here is a short summary and the article is highly recommended:

The New Age of Disinformation
Generative AI is not just about creating art or writing code; it's now being used to craft custom disinformation. Hany Farid, a professor at UC Berkeley, warns that this type of personalized disinformation will soon be "everywhere." It's not just about targeting groups; individuals can be targeted too.

The Danger of AI-Generated Content
Imagine a world where AI can analyze your tweets and create content specifically designed to engage you. Sounds cool, right? But what if it's used to spread lies and propaganda? That's the concern here. Even if 99% of disinformation campaigns fail, the 1% that succeeds can wreak havoc.

The Role of Social Media Platforms
Remember how Facebook's algorithms helped spread disinformation during the 2016 election? Well, as we approach the 2024 U.S. election, AI-generated posts might be recommended to you. We're entering an era of higher-quality disinformation, tailored for specific audiences.

What Can Be Done?
The situation might seem dire, but there are steps that can be taken. People need to be aware of these threats and be cautious about the content they engage with. AI companies must also be pressured to implement safeguards. The Biden administration has even struck a deal with major AI companies like OpenAI, Google, Amazon, Microsoft, and Meta to create specific guardrails for AI tools. However, Malicious AI bots are already hitting the Dark Web.

Wrap-up
The world of AI is accelerating, and with it comes the risk of disinformation. It's like a double-edged sword, offering incredible advancements but also potential dangers. As Farid puts it, we're repeating past mistakes, but now it's supercharged with mobile devices, social media, and existing chaos.

So next time you come across online "info" that pushes your emotional buttons, take a moment to think: Is this real, or is it a product of AI's new disinformation era? Stay vigilant, stay informed, and always be ready to spot social engineering attempts.

Blog post with link to the full article:
https://blog.knowbe4.com/wired-this-disinformation-is-just-for-you

Ransomware Gangs Share Tools

Researchers at Sophos have found that the Hive, Royal, and Black Basta ransomware gangs are sharing playbooks and affiliates with each other.

"Over the course of three months beginning in January 2023, Sophos X-Ops investigated four different ransomware attacks, one involving Hive, two by Royal, and one by Black Basta, and noticed distinct similarities between the attacks," the researchers write.

"Despite Royal being a notoriously closed-off group that doesn't openly solicit affiliates from underground forums, granular similarities in the forensics of the attacks suggest all three groups are sharing either affiliates or highly specific technical details of their activities."

The researchers observed the following similarities between the attacks:

  • "The attackers created their own administrator-level accounts on hijacked Domain Controller servers using the same usernames and complex passwords too specific to have been random chance
  • "Installed persistence mechanisms for their tooling with the same names, and in the same ways
  • "employed identical pre-deployment batch scripts to lay the groundwork for the ransomware deployment
  • "Deployed the final ransomware payload using the same paradigm: Dropping a .7z archive, named after the organization that was being targeted, that contained an executable also named after the targeted organization. The .7z archive was password-protected with the same password, and deployed with the same shell command."

Sophos notes that the Royal gang has used social engineering to gain initial access to its victims' networks.

"Looking at these attacks we can see some similarities, but also some significant deviations," the researchers write. "For instance, initial access vectors vary across attacks, which may be the result of Royal purchasing access from different Initial Access Brokers (IABs) with different methods.

"In two cases, Royal leveraged a third party's access to a targeted orgs; in another case (possibly two), it used compromised VPN credentials. However, in a very different approach – possibly the result of malvertising or 'callback phishing,' both of which Royal has been known to use – a fake TeamViewer download provided an initial foothold."

New-school security awareness training can help your organization prevent ransomware attacks by enabling your employees to thwart social engineering tactics.

Sophos has the story:
https://news.sophos.com/en-us/2023/08/08/a-series-of-ransomware-attacks-made-by-different-groups-share-curiously-similar-characteristics/

Understanding 'Grokking.' Do Machine Learning Models Memorize or Generalize?

The PAIR group at Google has released a lovely explainer that goes deep into the topic of Grokking. Grokking is the dynamic process a model goes through during training that may point to a shift from memorizing to understanding. It isn't well understood in general, but this is a great introduction that covers much of the groundwork for this strange phenomenon.

PS: Grokking is a verb that was introduced by Science Fiction Writer Robert Heinlein in his 1961 book Stranger in a Strange Land. In the book, to grok is to empathize so deeply with others that you merge or blend with them.
https://pair.withgoogle.com/explorables/grokking/?

What KnowBe4 Customers Say

"Hi Stu, While it may seem like I may be a bit slow to implement, that is only because this is on top of a long list of other projects. That being said, KnowBe4 has impressed me at every step of the way. The very clever phishing sims and the absolute mountain of content to build training campaigns are absolutely great selling points, as well as SecurityCoach, the PAB, PasswordIQ, and so on, but what has been the icing on the cake has been the very smart and responsive UX/UI design, the straightforward and well-done documentation, and now the tremendous initial user feedback.

I currently have a new phishing sim running every week, and when asked I do not hide what these are for, nor that they are partly to keep everyone alert. I also started two 'training' campaigns for the Security Culture Survey and Security Assessment Proficiency Survey this last Monday, and the response has been great.

Beyond that, I am using ASAP as a loose outline more than anything, mostly adapting to fit my workload. Also, from what little I have been able to look through the training modules, these seem to be much better than the typical boilerplate training I have seen at other companies before.

Julio and Colin deserve kudos for demonstrating the product and the initial sales process, as well as Adrian to help lead my implementation focus. Please let me know if you have any questions. Thanks!"

- M.D., Technical Systems Engineer

"Hello Stu, First and foremost, please allow me to thank you for providing us with such an outstanding product and platform. I could not be happier with my choice and people like Courtney R. on your team are by far the biggest reason why I feel that way.

She has been outstanding at making sure that we are comfortable with using the platform and has done a terrific job in making sure that everything is configured and set up for success. Our training department has been provided with very detailed instructions during the train the trainer sessions and both our HR and Compliance departments are in the process of evaluating other areas of the platform for additional use cases.

Second, I would like to thank you for the personalized follow-up which again is very rare in this day and age of reduced customer service. Please know that your direct interest is very much appreciated."

- Y.L., CIO

The 10 Interesting News Items This Week
  1. Meet the Brains Behind the Malware-Friendly AI Chat Service 'WormGPT':
    https://krebsonsecurity.com/2023/08/meet-the-brains-behind-the-malware-friendly-ai-chat-service-wormgpt/

  2. The sound your keystrokes make is enough for AI to steal them — how to stay safe:
    https://www.tomsguide.com/news/the-sound-your-keystrokes-make-is-enough-for-ai-to-steal-them-how-to-stay-safe?

  3. Microsoft's AI Red Team Has Already Made the Case for Itself:
    https://www.wired.com/story/microsoft-ai-red-team/

  4. [VIDEO] Build your own private personal AI using Llama 2:
    https://www.geeky-gadgets.com/build-your-own-ai/

  5. Interpol takes down 16shop phishing-as-a-service platform:
    https://www.bleepingcomputer.com/news/security/interpol-takes-down-16shop-phishing-as-a-service-platform/

  6. Exclusive: North Korean hackers breached top Russian missile maker:
    https://www.reuters.com/technology/north-korean-hackers-breached-top-russian-missile-maker-2023-08-07/

  7. U.S. should crack down on SIM swapping following Lapsus$ attacks: DHS review:
    https://therecord.media/sim-swapping-lapsus-cyber-safety-review-board-report

  8. China hacked Japan's sensitive defense networks, officials say:
    https://www.washingtonpost.com/national-security/2023/08/07/china-japan-hack-pentagon/

  9. WSJ: ChatGPT and other generative-AI systems lower the entry barriers for hackers, experts say:
    https://www.wsj.com/articles/with-ai-hackers-can-simply-talk-computers-into-misbehaving-ad488686

  10. White House launches AI cyber challenge with $20 million in prizes to identify and fix open-source software vulnerabilities:
    https://fedscoop.com/white-house-ai-cyber-challenge-def-con/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff