CyberheistNews Vol 13 #40 Why BJ Fogg and Daniel Kahneman Are Big Security Pro Must-Knows

Cyberheist News

CyberheistNews Vol 13 #40  |   October 3rd, 2023

Why BJ Fogg and Daniel Kahneman Are Big Security Pro Must-Knows

Stu Sjouwerman, SACP

You're no stranger to the complexities of safeguarding your organization's digital assets. But have you considered the human element in your security equation? Behavioral economics, particularly the work of BJ Fogg and Daniel Kahneman, offers invaluable insights that can elevate your security awareness training against social engineering attacks.

BJ Fogg's Behavior Model holds that a behavior happens only when three elements converge at the same moment: motivation, ability, and a prompt (Fogg's earlier term was "trigger"). In your role, you can use this model to understand why an employee falls for a phishing scam: they are motivated to get through their inbox quickly, clicking a link takes no effort at all, and an email that looks urgent or legitimate supplies the prompt.

Awareness training that incorporates Fogg's principles can equip your staff to recognize these elements and think critically before taking potentially compromising actions.

Then there's Daniel Kahneman, who popularized the labels "System 1" and "System 2" for two modes of thought. System 1 is quick and automatic, while System 2 is slower and more analytical. Social engineering works by keeping the target in fast, System 1 mode. Your training programs can benefit from Kahneman's insights by teaching your team to engage their analytical System 2 thinking when faced with suspicious activity.

Now, let's talk about the "human firewall." This isn't just a buzzword; it's your last line of defense. By integrating behavioral economics into your security awareness training, you're not just throwing facts and protocols at your team; you're teaching them to understand the why behind their actions. This makes your human firewall more robust and harder for bad actors to penetrate.

The upshot is that the theories of Fogg and Kahneman aren't just academic; they're practical tools that can significantly bolster your security posture. Given the dynamic landscape of cyber threats, it's not just advisable but critical for you to invest in building a strong security culture within your organization. This isn't a side project; it's a high-priority initiative that directly impacts the safety and integrity of your network.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links and a book recommendation that will help you to pass your SACP Certification:

[NEW FEATURES DEMO] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, October 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 65,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, October 4, @ 2:00 PM (ET)

Save My Spot!

[Heads Up] China Invests Billions in Huge Global Disinformation Campaign

Dustin Volz from the WSJ dropped a huge scoop this week. This is rocket fuel infosec budget ammo I would send to my C-suite in a New York minute.

They said: "Fake authors, bot armies and lawsuits are among the tactics Beijing employs to reshape the information landscape." Here are a few paragraphs of the article and then there's a link to the whole thing below:

"Beijing has invested billions of dollars to construct an information ecosystem in which PRC propaganda and disinformation gain traction and become dominant," said the report released Thursday by the State Department's Global Engagement Center.

"The Chinese government is pouring billions of dollars annually into a global campaign of disinformation, using investments abroad and an array of tactics to promote Beijing's geopolitical aims and squelch criticism of its policies, according to a new State Department assessment.

"Beijing's broad-ranging efforts, the assessment said, feature online bot and troll armies, legal actions against those critical of Chinese companies and investments and content-sharing agreements with media in Latin America and Africa.

"Other tactics include laundering English-language articles written by fake authors in influential local media and placing diplomatic pressure on foreign universities and newspapers that publish content deemed offensive.

"China, which has a close partnership with Russia, has also used its information apparatus to reinforce the Kremlin's narratives on the Ukraine war. China has amplified Russia's false claims that Kyiv has been operating secret biological warfare laboratories, and has echoed Moscow's claims that the expansion of the North Atlantic Treaty Organization instigated the war."

Yet another reason to train your workforce to recognize disinformation.

Blog post with links:

Open-Source Intelligence (OSINT): Learn the Methods Bad Actors Use to Hack Your Organization

They are out there, watching and waiting for an opportunity to strike - the bad actors who have carefully researched your organization in order to set the perfect trap using easily found public resources.

Open-Source Intelligence (OSINT) can provide cybercriminals everything they need to know to perfectly target your users by gathering data on everything from password clues to tech stack details, banking/credit card accounts, social media details and more. Emerging technologies like AI can make gathering this intelligence even easier.

Join Rosa Smothers, former CIA Cyber Threat Analyst and Technical Intelligence Officer, now KnowBe4's SVP of Cyber Operations, as she reveals the OSINT techniques employed by cybercriminals that can help you protect your organization before disaster strikes.

In this special Cybersecurity Awareness Month webinar, you'll learn:

  • What apps and analytic techniques can enhance your research and data interpretation
  • Real-world demonstrations of how to conduct (legal!) OSINT gathering techniques the hackers are using on you
  • How to deploy penetration testing exercises to map an attack surface
  • How to conduct cyber investigations of your own
  • How understanding OSINT and training your users can help build your human firewall

Learn how to use the cybercriminals' best techniques before they do!

Date/Time: Wednesday, October 11, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

How Zero-Point Fonts in Phishing Emails Make Them Look Safe

Attackers are using zero-point fonts to make phishing emails appear as though they've been verified by security scanners, BleepingComputer reports.

Attackers have long used zero-point fonts to evade security filters (invisible filler text that breaks up the keyword patterns filters look for), but SANS Internet Storm Center handler Jan Kopriva found that the same trick can be turned on the recipient as well.

"Modern email clients commonly display received email messages in a layout containing two side-by-side windows – one showing the list of received (or sent, drafted, etc.) messages and the other showing the body of a selected message," Kopriva explains.

Kopriva found that the message list's preview snippet is built from the body text regardless of font size, so a zero-point line placed at the top of the body shows up in the listing pane even though it is invisible once the message is opened. In the campaign he analyzed, that line read "Scanned and secured by Isc®Advanced Threat protection (APT)." As BleepingComputer notes, "The goal is to instill a false sense of legitimacy and security in the recipient. By presenting a deceptive security scan message, the likelihood of the target opening the message and engaging with its content rises."

Kopriva adds that the trick lends a phishing email one more layer of apparent legitimacy. "While I wouldn't be surprised if this technique has been used before, this was the first time I came across it," Kopriva says. "Although it is a technique with only minor impact, it might still confuse some recipients into believing that a phishing message is trustworthy – especially if the text displayed in the 'listing window' was well chosen.

"It is, in any case, one more small addition to the threat actor toolbox which may be used to create more effective phishing campaigns, and it is therefore certainly good for us – as defenders – to be aware of it…Furthermore, since it is currently being used 'in the wild,' it might not be a bad idea to mention it in any phishing-oriented security awareness courses."
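To make the mechanism concrete, here is an added example (not code from the ISC diary or the BleepingComputer article) that models how a preview pane surfaces zero-point text and flags it. It assumes the preview snippet is built from the body's text in document order with CSS ignored, and that an inline font-size of 0 in any unit hides a run when the message is rendered; the HTML body and the banner wording are constructed for the demo, and the helper names are the example's own.

```python
"""Model the zero-point-font preview trick and flag it in an HTML email body."""
import re
from html.parser import HTMLParser

# Constructed sample in the style of the technique described above; the banner
# text and lure are invented, not the message from the ISC diary.
SAMPLE_EMAIL_HTML = """
<html><body>
<span style="font-size:0px;color:#ffffff">Scanned and secured by Example Advanced Threat Protection.</span>
<p>Your mailbox is almost full. <a href="https://example.invalid/login">Sign in</a> to keep receiving mail.</p>
</body></html>
"""

# font-size:0 in any unit (0, 0px, 0.0pt, 0em ...) but not 0.5px or 10px.
_ZERO_FONT = re.compile(
    r"font-size\s*:\s*0(?:\.0*)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
         "link", "meta", "param", "source", "track", "wbr"}
_NON_TEXT = {"script", "style", "title"}


class _Walker(HTMLParser):
    """Collect text runs in document order, each tagged hidden/visible."""

    def __init__(self):
        super().__init__()
        self._stack = []  # (tag, hidden) for each open element
        self.runs = []    # (text, hidden)

    def _hidden(self):
        return self._stack[-1][1] if self._stack else False

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:          # <br>, <img> ... never close, so never push
            return
        style = dict(attrs).get("style") or ""
        # hidden is inherited: a child of a zero-point span is invisible too
        self._stack.append((tag, self._hidden() or bool(_ZERO_FONT.search(style))))

    def handle_endtag(self, tag):
        for i in range(len(self._stack) - 1, -1, -1):  # tolerate sloppy nesting
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if self._stack and self._stack[-1][0] in _NON_TEXT:
            return
        text = " ".join(data.split())
        if text:
            self.runs.append((text, self._hidden()))


def _runs(html):
    walker = _Walker()
    walker.feed(html)
    walker.close()
    return walker.runs


def preview_snippet(html, limit=80):
    """What a message-list pane shows: leading body text, styling ignored."""
    return " ".join(text for text, _ in _runs(html))[:limit]


def rendered_text(html):
    """What the recipient sees once the message is opened."""
    return " ".join(text for text, hidden in _runs(html) if not hidden)


def hidden_runs(html):
    """Every zero-point run in the body."""
    return [text for text, hidden in _runs(html) if hidden]


def leading_hidden_text(html):
    """Zero-point text that precedes any visible text: it lands in the preview
    but never on screen, which is the spoofed 'scanned' banner in action."""
    leading = []
    for text, hidden in _runs(html):
        if not hidden:
            break
        leading.append(text)
    return " ".join(leading)


if __name__ == "__main__":
    print("preview :", preview_snippet(SAMPLE_EMAIL_HTML))
    print("rendered:", rendered_text(SAMPLE_EMAIL_HTML))
    print("spoofed :", leading_hidden_text(SAMPLE_EMAIL_HTML) or "(none)")
```

Run as a script it prints the snippet a message list would show next to what the opened message actually renders. As a gateway or triage check, a non-empty result from leading_hidden_text() is the signal; the same walker can be extended to stylesheet rules and the other hiding tricks (display:none, text colored to match the background) that serve the same purpose.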

Blog post with links:

Cybersecurity Awareness Month Is Here! Are You Prepared?

Cyber threats can be scary, and for good reason. Malware can be lurking in a suspicious email your users get convinced to click. All it takes is one crack in the door of your network to let all the wrong ones in; spear phishing witches, ravenous ransomwolves, you name it!

But never fear! While torches, pitchforks and silver bullets never put down a data breach, a resilient security culture in your organization is your best bet for keeping the beasts at bay. That's why we've put together these free resources you can use throughout the entire month of October to help your users keep up their cybersecurity defenses. Request your free resource kit now!

Here is what you'll get:

  • Access to free resources for you including our most popular on-demand webinar and whitepaper
  • Resources to help you plan your activities, including your Cybersecurity Awareness Month User Guide and Cybersecurity Awareness Weekly Planner
  • NEW! Featured video module for your users: "Security Culture and You;" plus seven additional video and interactive training modules, all available in multiple languages
  • NEW! Four security hints and tips newsletters; plus additional security docs and awareness tips, all available in multiple languages
  • NEW! Five cyber-monster character cards and posters; plus additional posters and digital signage assets available in multiple languages

Get Your Free Cybersecurity Awareness Month Resource Kit Now!

Top Five Roundup of Important News This Week

WSJ report states that cybersecurity budgets continue to grow, but at a slower pace:

Jen Easterly from CISA makes a strong case for the CEO owning and managing cyber risk in her introduction of Cybersecurity Awareness Month and CISA PSAs:

Ransomware Insurance Claims From Businesses Hit Historic High:

Exploring the EU's DORA: Key Takeaways from the New Europe Financial Sector Risk Regulation:

WSJ makes startling observation that not enough boards have directors with cyber experience. 88% of companies in the S&P 500 index have no cyber expert as a director:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [NEW FEATURES Video]: KMSAT Quarterly Product Update:

PPS: [CRITICAL NEW CAPABILITY] Video: PhishER Quarterly Product Update (September 2023):

Quotes of the Week  
"You're braver than you believe, and stronger than you seem, and smarter than you think."
- A.A. Milne - Writer (1882 – 1956)

"Once you replace negative thoughts with positive ones, you'll start having positive results."
- Willie Nelson - Musician (born 1933)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Executives Are More Likely to Click on Malicious Links

A report from SoSafe has found that senior executives are 60 percent more likely to click on malicious links than lower-level employees, BetaNews reports. The report also found, however, that executives are more likely to report suspicious emails than their employees.

Additionally, SoSafe observed slight improvements in the number of employees who click on malicious attachments. "For cybercriminals, a highly scalable approach to making their phishing attacks more successful is making technical changes to the emails' format, whether it is in the form of an attachment, link, reference to an input mask, or imitating a reply-/forward-chain," the report says.

"All these vectors continue to work very well, although the overall success rates of technically adjusted phishing emails are on the decrease compared to previous years. Notably, users seem to have become more careful with attachments, resulting in an 8 percent click rate decrease from 2022."

The researchers add, however, that "[a]s more traditional attack methods like attaching a malicious file are starting to lose their relevancy and click rates are dropping, attackers will begin to shift from technical mass manipulation to more sophisticated techniques."

SoSafe notes a shift in social engineering tactics as attackers lean toward evoking negative emotions. "Although provoking positive emotions through praise and helpfulness generally yields higher click rates, there has been a slight increase in the success of tactics that generate negative emotions like imposing authority, pressure, and making financial appeals," the researchers write.

"This suggests that users have become more susceptible to this kind of emotional manipulation and exploitation. One possible explanation for this trend: Society has seen a massive number of crises and conflicts over the past year, and citizens are anxious and unsettled – making it easier for criminals to evoke negative reactions."

BetaNews has the story:

Drone Manuals as Phishbait. (You Can Guess Who Is Sending Those).

Securonix is tracking a phishing campaign that's targeting the Ukrainian military with malware-laden attachments posing as drone instruction manuals. The threat actor is using Microsoft help files (.chm) to deliver the malware.

"The malicious .chm file was intentionally weaponized to execute a PowerShell one-liner on the victim machine," the researchers write. "Microsoft help files have been used maliciously in the past, though today they are less common as Microsoft stopped supporting the .chm file format in 2007.

"They can, however, be opened and executed in modern Windows versions.... Code execution through a .chm file is a well known technique and there are several online tools available for building one. It works by passing in special HTML parameters which can call a child process such as cmd[dot]exe or the powershell executable, along with command line arguments."

The researchers continue, "The payload is an obfuscated binary that gets XOR'd and decoded to produce a beacon payload for MerlinAgent malware. Once the payload establishes communication back to its C2 server, the attackers would have full control over the victim host. While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection."

Securonix notes that the social engineering aspect of the campaign allows the documents to bypass technical defenses. "It's apparent that this attack was highly targeted towards the Ukrainian military given the language of the document, and its targeted nature," the researchers write.

"Files and documents used in the attack chain are very capable of bypassing defenses, scoring 0 detections for the malicious .chm file. Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help themed document or file."

Securonix has the story:
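As an added example (not Securonix's code), here is how the process-creation telemetry that chain leaves behind can be triaged. It assumes Sysmon-style Event ID 1 field names (Image, ParentImage, CommandLine); the event records, paths and the encoded command are constructed for the demo, and the function names are the example's own. The key observation is that hh.exe, the Windows HTML Help viewer, has no business spawning a shell, and the decoder shows what a -EncodedCommand argument (base64 of the UTF-16LE script text) actually ran.

```python
"""Triage process-creation telemetry for the .chm -> PowerShell chain."""
import base64
import binascii
import re
from pathlib import PureWindowsPath

# A PowerShell -EncodedCommand argument is base64 of the UTF-16LE script text.
# Constructed for the demo; a real sample would carry the attacker's one-liner.
_STAGE_TWO = "Write-Host 'stage two'"
ENCODED_CMD = base64.b64encode(_STAGE_TWO.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style Event ID 1 records; paths and command lines invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\manual.chm'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + ENCODED_CMD},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r'cmd.exe /c start /min powershell.exe -nop -c "iex (gc x.txt)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell.exe -NoProfile -File build.ps1"},
]

_PS = {"powershell.exe", "pwsh.exe"}
_SHELLS = _PS | {"cmd.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
# Longest alternatives first so "-enc" is not cut short to "-e".
_ENC_NAMES = ["e" + "ncodedcommand"[:i] for i in range(len("ncodedcommand") + 1)] + ["ec"]
_ENC_FLAG = re.compile(r"(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)"
                       % "|".join(sorted(_ENC_NAMES, key=len, reverse=True)), re.I)
_HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b", re.I)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent/invalid."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(event):
    """Findings for one process-creation record (empty list = nothing odd)."""
    findings = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    # The HTML Help viewer never needs a shell; this is the CHM shortcut-object trick.
    if parent == "hh.exe" and image in _SHELLS:
        findings.append("hh.exe spawned %s: CHM code execution" % image)
    if image in _PS:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append("encoded PowerShell command: %s" % decoded)
        if _HIDDEN_WINDOW.search(cmdline):
            findings.append("hidden PowerShell window")
    return findings


def scan(events):
    """(index, findings) for every record that raised at least one finding."""
    hits = []
    for index, event in enumerate(events):
        findings = triage(event)
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print("event %d:" % index, "; ".join(findings))
```

The parent/child rule is the durable one: it fires on the .chm chain no matter how the PowerShell one-liner is obfuscated, while the encoded-command decoder is what tells an analyst whether the child was a beacon download or a false alarm. The same pair of checks transfers to other document viewers that should never parent a shell.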

What KnowBe4 Customers Say

"I hope this letter finds you well. I wanted to take a moment to express my sincere appreciation for the outstanding job Max has been doing for KnowBe4 and our University. Your dedication, hard work, and exceptional support are greatly valued.

With your support, our security awareness program has improved significantly. We have leveraged the KnowBe4 platform more efficiently and effectively thanks to your efforts.

We are proud to have you on our team, and your contributions have played a crucial role in our success. As a token of our appreciation, we would like to formally recognize your outstanding support.

Once again, thank you for your exceptional work. We look forward to continuing to work with you to elevate our security posture to new heights."


"Hi Stu, I am writing to let you know how pleased I am with the KMSAT security awareness training tools and support provided by KnowBe4 over these past years.

In the past months, I have had the pleasure of working with Customer Success Manager Caveeta P. With her support and follow-through, our Center has completed trainings and recently reached 100% for each month up to September 2023, with a big push this past summer in particular.

Also, she has provided support to me in my advocacy to management on the importance of these security awareness trainings, that all staff should be enrolled in periodic trainings, and for staff to complete them in a timely manner.

It has been nice to team up with Caveeta to stay on top of making sure that campaigns are current…and for our experience using KnowBe4's platform to be a successful one.

Again, I am pleased with the KMSAT training tools, support provided by KnowBe4, and my experience working with Caveeta. Thank you."

- L.I., Office Manager & Systems Admin

The 10 Interesting News Items This Week
  1. FBI Warns of New Dual Ransomware Trend Accelerating Attack Speed:

  2. CIA Builds Its Own Artificial Intelligence Tool in Rivalry With China:

  3. CISA: Chinese Hackers Target U.S. Businesses Through Routers, Officials Warn:

  4. NSA is creating a hub for AI security, Nakasone says:

  5. Initial Access Broker Targeting Organizations With Microsoft Teams Phishing Attacks:

  6. Bermuda's premier attributes system outages to 'Russia-based' attackers:

  7. Cybersecurity Mistakes That Have Nothing To Do With Technology—And How Companies Can Fix Them via @forbes:

  8. ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers:

  9. KnowBe4 Finds U.S. Healthcare a Top Target For Cyber Attacks:

  10. Lazarus hackers breach aerospace firm with new LightlessCan malware:
