CyberheistNews Vol 13 #43 | October 24th, 2023
Phishing Attacks Surge by 173% In Q3, 2023; Malware Threats Soar by 110%
A new report from Vade Secure has found that phishing attacks rose by 173% in the third quarter of 2023, while malware threats have increased by 110%.
"While hackers were busy throughout Q3, they were most active in August, sending more than 207.3 million phishing emails, nearly double the amount from July," the researchers write. "September was the second most active month for phishing (172.6 million emails), followed by July (113.4 million emails)."
Vade notes that Facebook and Microsoft remained the most commonly impersonated brands in Q3 2023. "Trends come and go, but Facebook and Microsoft have proven to be perennial favorites among hackers. Both brands have been the #1 or #2 most impersonated since 2020," the researchers write.
"While Q3 2023 didn't deviate much from the trend, it was exceptional for different reasons. Facebook was not only the most impersonated brand of the quarter (16,657 URLs), but it also experienced a 104% and 169% increase in phishing URLs compared to Q1 and Q2 2023, respectively (8,141 and 6,192).
"In this one quarter, Facebook saw more than 50% of its 2022 total (25,551). Facebook also accounted for more phishing URLs than the next seven most spoofed brands combined (16,657 vs. 16,432)."
The financial services industry saw the highest number of phishing URLs last quarter. "All industries saw a significant increase in phishing attacks," Vade says. "Cloud, social media, and financial services all saw dramatic increases of 127%, 125%, and 121%, respectively. Government experienced the greatest increase of 292%, while e-commerce and logistics also grew by 62%. Only internet/telco experienced a decline (-29%)."
"Overall, financial services accounted for the highest total of phishing URLs, followed by cloud, social media, e-commerce/logistics, internet/telco, and government."
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
[Live Demo] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, November 1, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
- NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
- NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- Executive Reports helps you create, tailor and deliver advanced executive-level reports
- See the fully automated user provisioning and onboarding
Find out how 65,000+ organizations have mobilized their end users as their human firewall.
Date/Time: Wednesday, November 1, @ 2:00 PM (ET)
Save My Spot!
Phishing-as-a-Service: As Simple as Uploading a Logo
Researchers at Fortra are tracking "Strox," one of the most popular phishing operations of the past two years. Users of Strox phishing kits can easily create phishing campaigns by simply submitting a logo for the brand they want to impersonate.
"Currently, twelve phishing kits are sold on Strox for $90 USD each. A purchase of one of these kits includes a unique API key that promises the buyer continued development and updates of the page content and antibot information," Fortra says.
"Customers are able to view demo phishing pages before buying them for use and may customize which pages are active when an attack is live. In all available kits, phishing content auto translates its language to match the selected language of the victim's browser. The service claims that over 230 languages are available."
Strox kits are easy to use and highly automated, allowing users to run multiple phishing campaigns simultaneously.
"All scam kits available from Strox include a real-time admin panel which allows the phisher to control and monitor their active attacks," the researchers write. "Logging information on the pages provides a live look at the number of people currently looking at phishing content and the actions that are being taken."
"This functionality is also leveraged in man-in-the-middle style attacks to obtain two-factor authentication codes and bypass additional security checks. When the threat actor is not available to monitor phishing attacks, they may opt to set phishing attacks to a dormant state. This measure may prevent pages from being detected during times when they are unproductive."
Notably, Strox also offers to set up bulletproof hosting infrastructure for customers' phishing campaigns for just three dollars per day. Scary.
Can You Be Spoofed?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?
Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users have had thorough security awareness training.
KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. It's quick, easy and often a shocking discovery.
Find out now if your email server is configured correctly; many are not!
- This is a simple, non-intrusive "pass/fail" test.
- We will send a spoofed email "from you to you".
- If it makes it through into your inbox, you know you have a problem.
- You'll know within 48 hours!
Try to Spoof Me!
Cyber Insurers Note Ransomware Claims Rose Significantly in the First Half of 2023
Cyber insurers are claiming that cybercriminals made ransomware attacks popular again in 2023 after a slight break in 2022. According to cyber insurer Coalition's 2023 Cyber Claims Report, claims frequency increased by 27% in the first half of this year compared to the second half of 2022.
Additionally, cyber insurer Resilience Cyber Insurance Solutions' mid-year report showed a similar trend, with 16.2% of its total claims related to ransomware attacks. The insurer also saw a 1,100% increase in ransomware incidents in Q2 of 2023 compared to the same period in 2022.
But not every cyber insurer is humming the same tune — Liberty Mutual is stating that the frequency and severity of ransomware attacks have decreased after a peak from 2019 to 2021. Their explanation: they have seen increased investment in cybersecurity defenses aimed at stopping ransomware in its tracks.
Although additional cybersecurity measures have been put in place, Resilience believes this has pushed bad actors to shift their behavior. High-profile companies and third-party service providers are the new targets, as it only takes one employee to fall victim to a cyber attack.
With the increase in impact and severity, this is only going to give cyber insurers an excuse to increase their rates. The only way to truly protect your organization is new-school security awareness training. Educate your users on how to spot and report the suspicious emails that lead to ransomware attacks before it's too late.
[NEW WHITEPAPER] The Future of Phishing Defense: AI Meets Crowdsourcing
Rising phishing attacks and targeted spear phishing campaigns expose infosec professionals like you to an expanding attack surface, demanding more vigilant security measures.
You need a "tip-of-the-spear," proactive approach to mitigate real-world phishing attacks and targeted spear phishing campaigns. This is possible with the power of AI combined with crowdsourced knowledge from one of your most valuable assets: your users.
This whitepaper will explore the limitations of strictly technical controls and make the case for efficient, smart use of AI teamed with hard-won human intelligence to mitigate phishing threats.
Read this whitepaper to learn:
- The limitations of relying solely on antiquated, technology-based platforms
- Why a proactive approach, rather than strictly defensive, is vital for phishing mitigation
- The importance of crowdsourcing and making users part of the team
- Actionable advice to help you make the most out of your user- and technology-based resources
U.S. Government: "Implement User Training on Social Engineering and Phishing Attacks"
On October 18, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide, "Phishing Guidance: Stopping the Attack Cycle at Phase One".
High on the list of mitigations, they recommend user training: "Implement user training on social engineering and phishing attacks. Regularly educate users on identifying suspicious emails and links, not interacting with those suspicious items, and the importance of reporting instances of opening suspicious emails, links, attachments, or other potential lures."
We could not agree more. Excellent budget ammo. Here is the blog post:
Let's stay safe out there.
Stu Sjouwerman, SACP
Founder and CEO
P.S.: Some good news finally. The Ragnar Locker ransomware developer was arrested in France:
P.P.S.: KnowBe4 has a batch of free Resource Kits that are super popular. Check them out here:
- Heraclitus (540 BC - 480 BC)
- Mahatma Gandhi — Leader (1869 - 1948)
You can read CyberheistNews online at our Blog
The NSA Offers Advice for Defending Against Phishing
As mentioned above, a new report from the U.S. National Security Agency (NSA) and its partners outlines recommendations for organizations to thwart phishing and other social engineering attacks. Here are more details. The report says organizations, particularly small and medium-sized businesses, should implement the following policies:
- "Implement strong password policies to authenticate users. These passwords must adhere to a password strength policy, which requires minimum character length, numbers, special characters, and case sensitivity, along with prohibiting users from recycling previously used passwords."
- "Implement DNS filtering or firewall denylists to block known malicious sites."
- "Implement anti-virus solutions to mitigate malware and to stop malware from executing if a malicious hyperlink or attachment from an email is opened."
- "Implement file restriction policies that prevent malicious high risk file extensions e.g., [.]exe or [.]scr from being downloaded and executed. These types of files are unnecessary for daily operations and should be heavily restricted on standard business accounts."
- "Ensure that software applications are set to automatically update so that network software is always upgraded to the latest version. This helps to prevent malicious actors from exploiting vulnerabilities within an organization's network software."
- "Enable safe web browsing policies so that employees can only access websites that are needed for daily business operations. These policies also prevent users from visiting malicious websites that often contain malware that can either harvest user credentials or deploy additional malware to damage organizational systems."
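The "file restriction policies" item above names .exe and .scr. A useful restriction looks at more than the last dotted suffix, because phishing attachments routinely hide the true type behind double extensions, trailing spaces, or a right-to-left override character, and a renamed executable still starts with the PE header. The following is an added example, not code from the NSA/CISA guide or from KnowBe4; the denylist beyond .exe and .scr, the magic-byte table, and the sample attachments (constructed byte strings, not real files) are all assumptions made for illustration.

```python
"""Attachment restriction check in the spirit of the NSA/CISA recommendation
(added example, not from the guide or from KnowBe4).

Decision order: executable content is blocked whatever the name says; any
high-risk extension anywhere in the name is blocked; archives and name/content
mismatches are sent for review; everything else is allowed.
"""
import unicodedata

# .exe and .scr come from the guide; the rest is an assumed typical denylist.
HIGH_RISK_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                        "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk", "cpl"}

# Office Open XML documents are zip containers with a well-known extension.
OOXML_EXTENSIONS = {"docx", "xlsx", "pptx"}

# Magic bytes for content-based identification, independent of the file name.
MAGIC = [
    (b"MZ", "pe-executable"),          # Windows PE: .exe, .scr and .dll share it
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),  # zip, but also docx/xlsx/pptx/jar
    (b"%PDF", "pdf"),
]

# Constructed sample attachments (name, first bytes of content).
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("photo.jpg", b"MZ\x90\x00\x03"),          # executable renamed to look like an image
    ("setup.SCR ", b"\x00\x00"),                 # trailing space and upper case
    ("photo\u202egnp.exe", b"\x00\x00"),         # RLO makes it display as 'photoexe.png'
    ("update.zip", b"PK\x03\x04"),
    ("quarter.xlsx", b"PK\x03\x04"),
    ("brochure.docx", b"%PDF-1.4\n"),            # claims docx, is actually a PDF
    ("notes.txt", b"just text"),
]


def normalize_name(filename):
    """Undo common name tricks: compatibility look-alikes, the right-to-left
    override character, trailing dots/spaces, and case."""
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\u202e", "")
    return name.rstrip(" .").lower()


def extensions(filename):
    """Every dotted suffix, so 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = normalize_name(filename).split(".")
    return parts[1:] if len(parts) > 1 else []


def sniff(data):
    """Identify content by magic bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate_attachment(filename, data):
    """Return (decision, reason); decision is 'block', 'review' or 'allow'."""
    name = normalize_name(filename)
    exts = extensions(filename)
    kind = sniff(data)
    if kind in ("pe-executable", "elf-executable"):
        return "block", f"executable content ({kind}) in '{name}' regardless of name"
    risky = [e for e in exts if e in HIGH_RISK_EXTENSIONS]
    if risky:
        return "block", f"high-risk extension(s) {risky} in '{name}'"
    if kind == "zip-container" and (not exts or exts[-1] not in OOXML_EXTENSIONS):
        return "review", f"archive '{name}': inspect contents before delivery"
    if kind == "pdf" and (not exts or exts[-1] != "pdf"):
        return "review", f"'{name}' is a PDF but is not named as one"
    return "allow", f"'{name}' passes the restriction policy"


def scan(attachments=SAMPLE_ATTACHMENTS):
    """Decision per sample attachment name."""
    return {name: evaluate_attachment(name, data)[0] for name, data in attachments}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        decision, reason = evaluate_attachment(name, data)
        print(f"{decision:6s} {reason}")
```

Content identification deliberately comes first: the guide's point is to stop executables from running, and an attacker who renames `payload.exe` to `photo.jpg` has not changed what the file is. Archives are routed to review rather than blocked outright because the same container format carries both legitimate Office documents and hidden executables.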
The NSA says organizations should also train their users to recognize these types of attacks. "Implement user training on social engineering and phishing attacks," the report says.
Here is a direct link to the NSA press release:
QR Code Phishing on the Rise: The Alarming Findings From the Hoxhunt Challenge
As the digital landscape continues to evolve, so do the tactics of cybercriminals. The Hoxhunt Challenge, a comprehensive study conducted across 38 organizations spanning nine industries and 125 countries, has uncovered a disconcerting trend in the world of QR code phishing attacks.
The report reveals a startling 22% increase in the use of QR codes as a means to deliver malicious payloads in phishing attacks during the early weeks of October 2023. In this blog post, we will delve into the Hoxhunt Challenge's key findings and explore the implications of this rise in QR code phishing.
The Three Categories: Success, Miss and Click/Scan
One of the most revealing aspects of the Hoxhunt Challenge was the categorization of employee responses into three distinct groups: success, miss and click/scan. The statistics paint a concerning picture — only 36% of recipients successfully identified and reported the simulated phishing attack. This leaves a significant majority of organizations exposed to the ever-persistent threat of phishing.
Industries in the Spotlight
The study highlights significant disparities between different industries when it comes to susceptibility to QR code phishing. Notably, the retail industry had the highest miss rate, with only 2 in 10 employees successfully identifying and reporting suspicious QR codes. On the other hand, the legal and business services sector outperformed other industries in their ability to detect and report these threats.
The Role of Job Function and Engagement
Another key takeaway from the Hoxhunt Challenge was the influence of job function on employee susceptibility. Employees in communications roles were found to be 1.6 times more likely to engage with a QR code attack. In contrast, employees with legal responsibilities were the most vigilant in identifying and reporting suspicious QR codes.
This highlights the need for customized security awareness training programs designed to suit various job roles within organizations.
The report also underlines the pivotal role of employee engagement in mitigating the risk of falling victim to phishing attacks. Engaged employees, defined as those who are passionate about their jobs and actively invested in their responsibilities and the organization, had a miss rate of 40%. This stands in stark contrast to less-engaged employees, who exhibited a high miss rate of 90%.
It is clear that fostering a workplace culture that encourages engagement not only enhances overall productivity but also improves the organization's defense against cybersecurity threats.
The Value of Training Your Employees
The Hoxhunt Challenge's findings underscore the significance of onboarding processes and training your users. Employees who completed their training displayed better vigilance in identifying phishing emails.
The rise of QR code phishing attacks, as highlighted by the Hoxhunt Challenge, is a reminder of the ever-present threat that organizations face in the digital age. With cybercriminals using QR codes to deliver their attacks, organizations must take this alarming trend seriously.
To reduce their susceptibility to such attacks, you should consider implementing new-school security awareness training within your organization. KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Here is a more in-depth article about this at SlashNext:
Exploring The Malicious Usage of QR Codes:
What KnowBe4 Customers Say
"Stu, I'm inherently cautious about emails from people I don't know, but Monika L. just vouched for you so I am replying. I'm also copying our Security Officer, and my partner in crime, Alex Z. for his thoughts as well with respect to both the product itself & the support thereof.
I will say that we both operate very small teams for a pretty big org (1500 people or so, total of 4 techs on our 2 teams) and so the rollout of KnowBe4 took a lot longer than it should have. That is on us.
I will also say we love the product but have only dabbled in the training aspect, concentrating instead on boosting our anti-phishing efforts and that has gone extremely well.
And finally, I simply cannot say enough about Monika (and no money exchanged hands for this part). She is a first-rate representative of your company and has gone above and beyond to get us to where we are. This was especially true once we had signed up over a year ago because, as I said, we were quite bogged down in other initiatives and her persistence and diligence to get us moving forward really made a huge difference for us.
Put simply, I wish all of our vendors were as effective as you folks are. Thanks for reaching out, we appreciate it!"
- L.C., IS Director Information Systems
"Thank you for reaching out. Everything is going really well with PhishER. I have really enjoyed the ease of the process, and my network admins who were doing our investigations before are ecstatic about how easy everything is.
It is interesting to see the percentage of emails marked as threats. Previously we did not have a reporting option and we would just anecdotally say that a majority was spam. Now I can see that almost half of our reported messages are actually threats!
I did some rough numbers to determine how much this platform is saving us in labor hours. With our old process, it equated to about 525 hrs a month. Using PhishER's data I was able to estimate that we would now only be at 79 hrs a month. A savings of 446 labor hours!"
- L.T., Cyber Security manager
- Russian Sandworm hackers breached 11 Ukrainian telcos since May:
- U.S. Treasury inks cybersecurity agreement with United Arab Emirates:
- Actively exploited Cisco 0-day with maximum 10 severity gives full network control:
- Make it real to users how their personal data may be compromised. This Hidden Google Feature Will Scan The Dark Web For Your Email Address:
- AI Chatbots Can Guess Your Personal Information From What You Type:
- North Korea's Kimsuky Threat Actor Doubles Down on Remote Desktop Control:
- India targets Microsoft, Amazon tech support scammers in nationwide crackdown:
- Walmart Jumps to Top Spot as the Most Impersonated Brand for Phishing Scams in Q3 2023:
- Iranian hackers lurked in Middle Eastern govt network for 8 months:
- Hackers target U.S. Facebook biz accounts with potent malware cocktail:
- Virtual Vaca #1 to Izmir, Türkiye in 8k HDR Drone Video:
- Virtual Vaca #2 to Futuristic Hangzhou, Zhejiang, China in 4k 60fps:
- The LockPicking Lawyer wrote: "My Viewer Broke The Law… Please Don't.":
- The world's first public two-car electric crash test by Mercedes-Benz:
- Tesla Model S Plaid violent high-speed spin-off at Nürburgring:
- How Counterfeit Money Actually Works. An insider tells his story:
- Tackling the Toughest Jobs in the Warehouse by Boston Dynamics:
- This Man Drives a Burger To Work:
- Cyclists chased by an ostrich. The funniest thing you'll see today. That bird can RUN!:
- 104-Year-Old Sets A World Skydiving Record at Skydive Chicago:
- See Where the Presidents of France Get Their Furniture:
- For Da Kids #1 — Stubborn Iguana Follows Owners To The Bathroom And Refuses To Leave:
- For Da Kids #2 — Dog Jumps On Counters Just Like his Cat Siblings:
- For Da Kids #3 — This is probably the world's smartest dog:
- For Da Kids #4 — Stray Dog Chases Woman's Car For Five Blocks Until She Finally Stops:
- For Da Kids #5 — Watch these incredible instances of animals coming to the rescue, showing compassion, and helping one another in times of need: