CyberheistNews Vol 13 #35 New KnowBe4 Callback Phishing Feature Boosts Your Users' Security Awareness

Cyberheist News

CyberheistNews Vol 13 #35  |   August 29th, 2023

New KnowBe4 Callback Phishing Feature Boosts Your Users' Security AwarenessStu Sjouwerman SACP

What's the Deal with Callback Phishing?
Callback phishing isn't your typical email scam. Instead of the usual suspects with bad grammar and obvious malicious links, these attacks play mind games. They set up a multi-layered trap using some smooth-talking tactics to get you to dial a fake number and spill your sensitive info.

How Do These Sneaky Attacks Actually Work?
Picture this: you get an email that seems harmless, maybe about a subscription or an invoice. But hidden inside is a phone number. You think it's legit, so you call. Surprise, surprise! You're talking to a sneaky cyber villain who knows how to sweet-talk you. They might trick you into revealing your personal info or even let them into your network. Yikes!

Simulated Callback Phishing Campaigns: What's the Drill?
Now, imagine if you could put your users' street smarts to the test. As an admin, you can use the new Callback Phishing feature in your KnowBe4 console and run a simulated callback phishing campaign to see if your employees would fall for this social engineering trick. An email lands in their inbox with a phone number and a code. If they dial that number, they'll be asked for the code. But here's the catch; enter the code, that's the first failure point, but give up additional personal or sensitive info, that's a double whammy.

What's included with KnowBe4's Callback Phishing feature?

Here's what you get:

  • Callback Phishing Templates: We've got you covered with pre-made email and audio templates curated by our team of product experts.
  • DIY Creativity: Wanna add your flair? Whip up your templates by uploading audio files or using text-to-speech magic.
  • Global Reach: Choose phone numbers from countries including the United States, Canada, Mexico, and United Kingdom.
  • Two Callback Failure Points: Your users will face two challenge points. First, they fail if they dial the number and enter the code from the email. Second, they fail if they give away any personal info—like Social Security number, Google Authenticator code, or credit card numbers.

Ready to give it a try? Boost your organization's security awareness with Callback Phishing! Callback Phishing is NOW available to KnowBe4 customers with a Diamond-level subscription.

Check out the KB article and a 1-minute video at the blog post here:

[BUDGET AMMO] By yours truly in FastCompany: "Deepfakes: Get ready for phishing 2.0"

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Thursday, September 7, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 60,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Thursday, September 7, @ 2:00 PM (ET)

Save My Spot!

[Heads Up] Duolingo Users Now Targeted by Insidious Phishing Scams

Millions of users of the language learning app Duolingo should be wary of targeted phishing attacks following a recent data leak, according to Anthony Spadafora at Tom's Guide. Criminals scraped the names and email addresses of 2.6 million Duolingo users due to an exposed API bug earlier this year, and are now selling the entire dataset on underground forums.

"With a real name and valid email address in hand, hackers have all the data they need to launch targeted phishing attacks against Duolingo's users," Spadafora writes. "Unlike regular phishing emails, these messages would be much more personalized since the hackers sending them out have more information to work with.

"At the same time, they could also try to impersonate Duolingo in their messages in the hope that potential victims would be more likely to click. Besides trying to steal your money, hackers could use these targeted phishing emails to get Duolingo users to install malware on their computers or to provide their credentials or even their payment information since the service does have a paid tier called Super Duolingo."

Spadafora notes that users should watch out for the signs of social engineering attacks to protect themselves against potential scams

"In order to avoid falling victim to phishing, you need to carefully examine all of the emails that arrive in your inbox," Spadafora writes. "This means looking at the sender's address and checking to see if it's a legitimate email address used by Duolingo.

"Likewise, you'll want to be on the lookout for language that tries to instill a sense of urgency, as cybercriminals often use your emotions against you. If you're worried about losing access to your Duolingo account, you're more likely to reply or do what a scammer suggests in their phishing email."

New-school security awareness training enables your employees to make smarter security decisions and not fall for targeted social engineering attacks.

[WARN YOUR USERS] Blog post with links:

[RELATED TOPIC]: Social Engineering Is the Number One Cybersecurity Problem by Far:

Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication Methods

Inadequate authentication measures leave your digital identity vulnerable to cybercriminals. Tools like multi-factor authentication, biometrics, passwords, PINs, and tokens are all more vulnerable to attacks and social engineering than you realize. And one wrong move leaves you and your organization powerless in the face of cyber threats.

In this webinar, Roger Grimes, Data-Driven Defense Evangelist for KnowBe4, takes you through the ins and outs of authentication hacking.

He'll share:

  • A deep dive into the authentication process and why strong authentication is vital to your organization's security
  • Detailed explanations of authentication vulnerabilities for biometrics, MFA, passwords, and more
  • Real-world examples of man-in-the-middle attacks, MFA bypasses, rogue recoveries and others
  • How to empower your end users to become your best, last line of defense

Your digital identity is the gateway to your organization's most valuable assets. Watch this webinar now to learn now to keep your fortress secure, and earn CPE for attending!

Date/Time: Wednesday, September 13, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

Phishing Tops the List as the Most Costly Initial Attack Vector in Data Breaches

After you come to grips with the massive average cost of a data breach to an enterprise organization measured in the millions, it's time to look at the factors that increase – and lower – that cost.

According to IBM's recently-released 18th edition of their Cost of a Data Breach Report, we find that this year's average cost is $4.45 million. That's a staggering number, but what about the contributing factors? What can orgs learn beyond "don't become a victim – it's expensive"?

Let's take a look at the initial attack vectors to see how they affect the average cost. According to the report, data breaches that began with phishing – on the average – are more expensive, coming in at $4.76 million. Phishing represented the initial attack vector in 16% of the studied cases for this report, putting it in first place for the most common initial attack vector.

[BLOG POST CONTINUED] with IBM graph showing cost and frequency of data breach by initial attack vector:

[New Whitepaper] Overcoming the Phishing Tsunami: A Game-Changing Strategy for Stopping Phishing

Phishing attacks often feel like an unrelenting tsunami, flooding your organization with a never-ending deluge of threats.

Traditional methods for analyzing and mitigating phishing attacks are manual, repetitive and error-prone. These workflows slow the speed at which you can mitigate a spear phishing attack and increase the risk that phishing presents to your organization.

There is a better way. One that shifts the burden off your IT team to a unique, AI-powered system built from the ground up to automate the identification and prioritization of phishing threats and uses crowdsourced threat intelligence to improve accuracy and speed time to mitigation.

Read this whitepaper to learn:

  • The five major challenges you'll face when manually reporting, analyzing and mitigating phishing attacks
  • How the right SOAR product can provide finely-tuned, automated identification and mitigation of phishing emails
  • Why the right SOAR product is crucial to your organization's incident response plan and supercharging your existing email security filters

Download Now:

Speed of Ransomware Attacks Increased Significantly in 2023

Sophos's 2023 Active Adversary report for Tech Leaders has found that the speed of ransomware attacks has increased significantly since the beginning of 2023: "One key finding in the report is that the time available to respond to a ransomware attack has dwindled to nearly half of what it was at the start of the year.

"The median dwell time in ransomware attacks dropped from nine days in 2022 to just five days in the first half of 2023. With adversaries accelerating the execution of their attacks, defenders have less time to detect and stop them before files are encrypted."

The report also found that in all types of attacks, the average time to gain control of Active Directory is just sixteen hours. OUCH.

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from August 2023:

PPS: Great article: Large language models, explained with a minimum of math and jargon:

BONUS AI Article: "The Economic Case for Generative AI and Foundation Models":

Quotes of the Week  
"A generation which ignores history has no past and no future."
- Robert A. Heinlein - Sci-Fi Writer (1907 - 1988)

"Formal education will make you a living; self-education will make you a fortune."
- Jim Rohn - Entrepreneur (1930 - 2009)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

[Eye-Opening] Increase of Phishing Attacks in Australia Should Alarm Organizations

Phishing attacks are on the rise in Australia, the Australian Broadcasting Corporation (ABC) reports.

"The latest figures reveal phishing is a practice that is only becoming more and more widespread," the ABC says. "Phishing was the most reported scam to Scamwatch in 2022, with the government website recording 74,573 complaints — a 4.6 per cent increase on the previous year.

"In 2022, the total financial losses from phishing reported to Scamwatch and the Australian Financial Crimes Exchange totaled $157.6 million."

Craig McDonald, founder of MailGuard, told the ABC that commodity phishing kits allow inexperienced criminals to launch sophisticated scams. "The availability of phishing and ransomware kits is one of the drivers behind the explosion in scams," McDonald says. "These are very sophisticated businesses.

"They recruit qualified coders and developers and support staff from across the globe, and offer 24/7 support for customers, because they're selling a service at the end of the day, albeit an illegal one."

McDonald also noted that the availability of AI tools like ChatGPT make it even easier for criminals to create convincing phishing emails. "One of the easiest ways to spot a scam is by looking for typos and grammatical errors," McDonald said.

"Now with ChatGPT or any one of hundreds of AI copywriting services, you can draft an email with perfect English. Plus, you can use the AI to check your code, and for loads of other skilled tasks that were previously a barrier to someone wanting to perpetrate a cybercrime attack."

Ofir Turel, professor of information systems management at the University of Melbourne, told the ABC that scammers try to get their victims to react without stopping to think rationally. "Someone gets a message," Turel said. "The message generates a sense of urgency and there are many ways to generate this … it could be fear, it could be distracting you from thinking clearly."

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart social engineering attacks.

Read more:

WoofLocker's Tech Support Scams Still Going Strong

The WoofLocker tech support scam campaign is still going strong six years after its start in 2017, according to researchers at Malwarebytes. The researchers say the campaign uses "the most complex traffic redirection scheme we had ever seen."

"While we still do not know a lot about who is behind this scheme, we believe it may be the work of different threat actors that specialize in their area of expertise," Malwarebytes says. "WoofLocker may very well be a professional toolkit built specifically for advanced web traffic filtering and used exclusively by one customer.

"Victims that fall for the scam and call the phone number are then redirected to call centers presumably in South Asian countries." The scam is primarily distributed through compromised adult websites, which the researchers note "plays into the scam's social engineering tactics."

"Contrary to other tech support scam campaigns that often rely on malvertising as a delivery vector, we only observed WoofLocker being distributed via a limited number of compromised websites," the researchers write. "The threat actor appears to have gained access to two categories: non adult traffic and adult traffic.

"That distinction can be seen in the unique redirection URL created for each victim with a parameter called 'nad' and 'ad' respectively. Malicious JavaScript embedded in the compromised websites is used to retrieve the WoofLocker framework directly into the DOM from one of a handful of domain names.

"The code used by WoofLocker is highly obfuscated and makes use of steganography, a technique that embeds data inside of images." If the websites determine that a visitor is worth targeting, the user will be redirected to another page with a phony warning about a computer virus.

Malwarebytes has the story:

What KnowBe4 Customers Say

"I just wanted to take a moment and tell you how Awesome Catherine R. is. Since having her as our account manager, she has helped us become much more proactive with our security awareness training and phishing campaigns than we ever were as long as we have been with KnowBe4. Our percentage ratings have been terrific since Catherine has stepped in. She is an absolute pleasure to work with and extremely attentive. Please keep her around."

- N.D., Director Of Information Technology

"Hey Stu! I appreciate your patience in waiting on my response. I want to thank Crystal for her exceptional onboarding and training. KnowBe4, compared to my previous encounters with new software implementation, has been an extraordinary and comprehensive experience. We have been quite busy over the last year as we have completed six new software implementations. KnowBe4 has been the best by far. Thank you again for your time and support!"

- K.D., IT Systems Administrator

The 10 Interesting News Items This Week
  1. [FUN] Social Engineering Meets Hacking With Prompt Hacking:

  2. Urgent FBI Warning: Rip Out Barracuda Email Gateways Vulnerable Despite Recent Patches:

  3. FBI, Air Force warn of cyberattacks on space industry by 'foreign intelligence operations':

  4. Ransomware attacks broke records in July, mainly driven by this one group:

  5. Bloomberg: 'Deepfake Imposter Scams Are Driving a New Wave of Fraud':

  6. A New Supply Chain Attack Hit Close to 100 Victims—and Clues Point to China:

  7. Ukrainian hackers claim to leak emails of Russian parliament deputy chief:

  8. OpenAI opens GPT-3.5 Turbo up for custom tuning:

  9. Attackers Dangle AI-Based Facebook Ad Lures to Hijack Business Accounts:

  10. 'This AI-generated crypto invoice scam almost got me, and I'm a security pro':

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews