CyberheistNews Vol 13 #47 [Heads Up] FBI Warning: How Callback Phishing Makes It Past All Your Filters


CyberheistNews Vol 13 #47  |   November 21st, 2023

[Heads Up] FBI Warning: How Callback Phishing Makes It Past All Your Filters

Stu Sjouwerman SACP

The FBI has recently issued an advisory about the increasing threat of callback phishing, a sophisticated cyberattack tactic. Unlike traditional phishing, callback phishing doesn't include a malicious link in the email. Instead, it features a prominent phone number, urging the recipient to call for an urgent matter.

The email typically contains a convincing phishing message, like a fraudulent charge, designed to alarm the user into calling the number provided.

These phishing emails are usually composed of a single, unclickable picture, displaying the phone number multiple times to encourage a callback. When victims call, they are often directed to an overseas call center where operators are handling multiple callback scams.

In cases linked to ransomware groups, the call center is specifically prepared for the scam, aiming to install ransomware or other malicious software on the victim's computer.

Callback Phishing Particularly Challenging to Intercept

The method is increasingly popular among cybercriminals because it's harder for anti-phishing content filters to detect and block. These filters, which typically analyze text and URLs for malicious content, struggle with callback phishing as the scam is embedded in a picture file.

Optical Character Recognition (OCR) capabilities are necessary for filters to read text in these images. But even then, anti-phishing filters can't determine the nature of the phone number provided, lacking the ability to call or reference a database of malicious numbers. This limitation makes callback phishing particularly challenging to intercept.

The best defense against callback phishing is security awareness training. Users should be wary of emails that arrive unexpectedly, ask them to perform unfamiliar actions, contain only a picture file, or repeatedly display a phone number without any clickable links.
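As an added illustration (not code from KnowBe4 or the FBI advisory), the following Python example checks a message for the structural indicators listed above: an image-only body, no clickable links, and a phone number shown more than once. The sample message, the OCR text, the function names and the thresholds are constructed assumptions; OCR output is passed in as a string because no OCR is performed here.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Constructed sample: an HTML body that only embeds one inline image.
SAMPLE = """\
From: billing@example.test
Subject: Invoice #0000 - payment processed
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:inv"></body></html>
--b1
Content-Type: image/png
Content-ID: <inv>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
# Constructed text, standing in for what an OCR step would read from the image.
SAMPLE_OCR = ("Your card was charged $499.99. Call +1 (555) 010-0199 "
              "to cancel. Support line: 555-010-0199")

def callback_indicators(raw_email, ocr_text=""):
    """Return the article's structural indicators for one raw message."""
    msg = message_from_string(raw_email, policy=policy.default)
    images, body_text = 0, ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            body_text += part.get_content()
    visible = re.sub(r"<[^>]+>", " ", body_text)  # crude HTML tag strip
    # Compare numbers by their last 10 digits so formatting differences collapse.
    phones = [re.sub(r"\D", "", m)[-10:]
              for m in PHONE_RE.findall(visible + " " + ocr_text)]
    top_repeat = max((phones.count(p) for p in set(phones)), default=0)
    return {
        "image_only": images >= 1 and len(visible.split()) < 5,
        "no_links": not URL_RE.search(body_text),
        "phone_repeated": top_repeat >= 2,
    }

def is_callback_suspect(raw_email, ocr_text=""):
    """Flag only when every indicator is present (assumed policy)."""
    return all(callback_indicators(raw_email, ocr_text).values())
```

Without OCR text the repeated-number check cannot fire on an image-only message, which is the filter limitation the article describes.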

Blog post with links:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, December 6, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 65,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, December 6, @ 2:00 PM (ET)


AI Disinformation Exposed: A Fake 'Tom Cruise' Attacks the Olympics

Using a page straight out of the KGB playbook, a new AI-driven disinformation attack has been unleashed. The latest victim of this disturbing trend is none other than the International Olympic Committee (IOC). Here's more about how AI was misused to create a fake news campaign targeting one of the most well-known sporting bodies in the world.

A "documentary" series, fabricated using advanced AI, featured the voice of Hollywood star Tom Cruise. However, it was all an illusion. The voice, the allegations, the purported documentary titled "Olympics Has Fallen" – none of it was real.

This series alleged corruption at the heart of the IOC, a claim that has since been debunked but not before causing significant ripples.

What makes this incident particularly alarming is the sophisticated use of AI to clone celebrity voices. This is not just about the IOC or the Olympics; it's a glaring example of the ethical and legal challenges posed by AI. The misuse of the voices of celebrities like Tom Cruise, Tom Hanks, and Scarlett Johansson shows a liability of the entertainment industry — the unauthorized and unethical use of AI for social engineering.

The date the attack surfaced coincided with the IOC's suspension of the National Olympic Committee of Russia over geopolitical tensions, particularly the recognition of regional sports organizations in disputed Ukrainian territories. The timing of this disinformation campaign reflects an orchestrated effort to leverage high-stakes global events to influence public opinion.

For all of us today it's another reminder to stay vigilant, develop a healthy sense of skepticism, and validate the source and truth of what we see online, especially when it sounds controversial and/or sensational. It's critical to develop a strong security culture.

Blog post with links:

[Free Phish Alert Button] Give Your Employees a Safe Way to Report Phishing Attacks with One Click!

Do your users know what to do when they receive a suspicious email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

KnowBe4's Phish Alert add-in button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click! And now, it supports Outlook Mobile!

Phish Alert Button Benefits:

  • Reinforces your organization's security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of "sensors"
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, and G Suite deployment for Gmail (Chrome)

Get the Phish Alert Button Now:

How to Help 'Frequent Clickers' Become More Mindful

Within our organizations, there are those employees who consistently exhibit mindfulness, avoiding every phishing attempt. Yet, there are also those users who, despite repeated education efforts, habitually fall prey to phishing emails and simulations, neglecting the tell-tale signs of social engineering. These individuals are known as "frequent clickers."

A question we often encounter is how to increase the mindfulness of these frequent clickers so they become less susceptible to phishing tactics. Transforming them into the always mindful "never clickers" is a challenge, but we do have some insights and approaches to offer.

In the context of cybersecurity and preventing risky behaviors such as clicking on phishing emails, "mindfulness" refers to a state of active, open attention to the present. More specifically, in this scenario, mindfulness can be broken down into:

  • Awareness: The individual is fully aware of their actions and the potential dangers that come with every email they encounter, demonstrating attentiveness to the unique elements of each communication.
  • Recognition: The ability to recognize tell-tale signs of phishing, such as suspicious links, unfamiliar sender addresses, and urgent or threatening language that requests personal information.
  • Focus: A mindful individual maintains focus and doesn't act on autopilot when navigating emails. They take the time to scrutinize each message rather than quickly clicking through without considering the consequences.
  • Intentionality: Actions are taken with purpose and intention. The individual deliberately chooses whether or not to engage with an email based on their assessment, rather than reacting impulsively.
  • Responsiveness: Instead of reactively clicking on links or attachments, a mindful person is responsive to training and best practices, using these tools as a guide for secure online behavior.

In essence, in the context of cybersecurity, mindfulness is the deliberate and attentive management of one's interactions with digital communications, with the intention of preventing security breaches and maintaining informational integrity.

[CONTINUED] Blog post with links:

Watch KnowBe4's Original Series, 'The Inside Man' Security Awareness Training Videos

Looking for some binge-worthy watching? We've got just what you're looking for.

"The Inside Man" is an award-winning KnowBe4 Original Series that educates and entertains with episodes that tie security awareness principles to key cybersecurity best practices.

From social engineering, CEO fraud and physical security, to social media threats, phishing and password theft, "The Inside Man" Season 5 teaches your users real-world applications that make learning about smarter security decisions engaging and fun.

When We Last Left Our Heroes…

Season 5 picks up straight after the emotional finale of Season 4. In Romania a ruthless corporate lawyer is securing a vast Gothic castle for an unknown client.

Meanwhile the Good Shepherd team monitors the infiltration of a "has-been" social media company, "The Village," and the transatlantic security services are forced out of the shadows to make an offer to Mark and his team at Good Shepherd Security that will pit the team against an old adversary and rewrite history.

Watch Now:

Quick News Update

Great news! KnowBe4 Is Now FedRAMP® (Federal Risk and Authorization Management Program) Moderate Authorized. The FedRAMP Program Management Office has completed the review of KnowBe4's KMSAT + PhishER authorization package and concluded FedRAMP authorization.

Here is the Press Release:

Send this article by KnowBe4's HR Chief to your own HR Team - "Employment Scams On The Rise: What Can HR Do To Mitigate Them. How Security Awareness Training Is Evolving":

You know you've made it when articles like this show up - "When Good Security Awareness Programs Go Wrong":

"I spent a weekend with Amazon's free AI courses, and highly recommend you do too.":

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Through a strategic partnership, Egress and KnowBe4 harness their collective expertise to deliver cutting-edge email security and training solutions:

Quotes of the Week

"Princes and governments are far more dangerous than other elements within society."
- Niccolo Machiavelli (1469 - 1527)

"Nearly all men can stand adversity, but if you want to test a man's character, give him power."
- Abraham Lincoln (1809 - 1865)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

A Fraudulent Donation Scam

Scammers are exploiting the Israel-Hamas war by soliciting fraudulent donations for Palestinian children, according to Abnormal Security. The crooks are sending phishing emails urging recipients to send cryptocurrency payments to help provide water, medical care and Internet access for children in the region.

"After asking for contributions ranging from $100 to $5,000, the attacker explains that donations can be made using cryptocurrency and provides wallet addresses for Bitcoin, Litecoin, and Ethereum—three of the most popular digital currencies," the researchers write.

"To further increase legitimacy and create one final opportunity to manipulate the recipients, three links to recent news articles discussing the impact of the conflict on children in the region are included at the bottom of the email."

Criminals frequently attempt to take advantage of world tragedies to launch social engineering attacks. "This attack is a perfect example of cybercriminals attempting to exploit the powerful emotional response triggered by humanitarian crises," the researchers write.

"During natural disasters, national tragedies, or global emergencies, people's need to act and desire to contribute to relief efforts are heightened—making them more susceptible to deception. Cyberattackers often take advantage of this vulnerability by weaving compelling narratives with requests for donations that appeal to recipients' sympathy.

"This manipulation is quintessential social engineering, as it preys on the target's goodwill and altruistic tendencies."

Abnormal Security notes that these phishing emails have a higher likelihood of bypassing security filters since they don't contain any malicious links or attachments.

"Social engineering attacks often involve manipulation and deception, exploiting human psychology rather than relying solely on technical vulnerabilities," the researchers write. "SEGs have limitations in analyzing and understanding the subtleties of language and human behavior, making it difficult to distinguish between genuine and nefarious intent. Additionally, the email contains no payloads and lacks obvious misspellings or grammatical errors.

"Because this attack is entirely text-based and has no clear indicators of compromise such as a phishing link or harmful attachment, it would almost certainly bypass a SEG."

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Abnormal Security has the story:

AI-Manipulated Media and Their Potential for Deception

Researchers at Pindrop have published a report looking at consumer interactions with AI-generated deepfakes and voice clones.

"Consumers are most likely to encounter deepfakes and voice clones on social media," the researchers write. "The top four responses for both categories were YouTube, TikTok, Instagram, and Facebook. You will note the bias toward video on these platforms as YouTube and TikTok encounters were materially higher.

"Granted all of these platforms have video, but two use the media exclusively. Movies, the news media, and television followed closely behind Facebook and Instagram."

Respondents were more likely to come into contact with a video deepfake on social media than a voice clone. "Deepfakes experience exceeds voice clones for all top media sources which suggests that consumers were more likely to experience deepfakes across multiple channels," the researchers write.

"It also may reveal that many people know of voice clones but have not personally encountered them. Consumers were more likely to encounter voice clones on audio channels such as Spotify and phone calls. They were also significantly more likely to have created their own voice clone."

The survey also found that only 54.6% of respondents in the U.S. knew what a deepfake was, and 63.6% were aware of voice clones. "Deepfake and voice clone awareness declines gradually as age cohorts rise up to 60 years, and then falls off precipitously," the researchers write.

"The decline is more extreme for deepfakes. While the difference between the 18-29 and 45-60 cohorts is just over four percentage points for voice clones, it is nearly 10 percentage points for deepfakes. Similarly, deepfake awareness drops by twenty-four percentage points between the 45-60 and the 61+ age cohorts, while it is only about ten percentage points for voice clones."

Pindrop has the story:

What KnowBe4 Customers Say

"Hi Stu, Thanks for contacting me. I can confirm I am indeed a happy camper. While it's early in the journey, I'm very happy with the platform so far. And I've received great (and proactive!) support from both Miesh B. and Breon W. so far. Do please thank them for their continued support."

- H.J., Security Awareness PMO

"Hi Stu, nice to e-meet you! I admittedly checked with my CSM, Crystal, to make sure this was legit. So, I would say the training is working!

Thanks for checking in. That's pretty classy on your part. We've experienced some great feedback from our crew (about 20 of us) AND much higher cyber awareness since we started with your company this summer. We recently made our phishing campaign more advanced, so we're getting some clicks which is good from our POV – this way folks can learn and identify!

Big shout out to my CSM Crystal, who has educated me (as the facilitator for my company) and set us up for success with the program."

- B.H., Office Manager/Executive Admin

The 10 Interesting News Items This Week
  1. OUCH. Denmark Hit By GRU With Largest Critical Energy Infrastructure Cyberattack on Record:

  2. 'Hi Mum, it's me': how online scammers learnt to prey on our (UK) emotions:

  3. The NSA Seems Pretty Stressed About the Threat of Chinese Hackers in U.S. Critical Infrastructure:

  4. The rise of [.]ai: cyber criminals (and Anguilla) look to profit:

  5. New York Plans Cyber Rules for Hospitals:

  6. Israel warns of BiBi wiper attacks targeting Linux and Windows:

  7. Crooks leverage Google quiz messages as part of bitcoin scam:

  8. CISA releases roadmap to guide its AI efforts:

  9. FBI and CISA warn of opportunistic Rhysida ransomware attacks:

  10. FBI and CISA Release Advisory on Ransomware Gang (Scattered Spider) Behind the Recent MGM Attack:
