CyberheistNews Vol 13 #49 Top Four Security Tips for Cyber Safety on National Computer Security Day

Cyberheist News

CyberheistNews Vol 13 #49  |   December 5th, 2023

Top Four Security Tips for Cyber Safety on National Computer Security DayStu Sjouwerman SACP

To celebrate National Computer Security Day, which is recognized on November 30 every year, KnowBe4 encourages all IT and security professionals to train their workforce how to stay safe from cybersecurity threats as the organization's last line of defense.

It is also crucial to focus on building a strong security culture by educating employees about today's cyber threat landscape and how they can play a role in protecting the organization.

National Computer Security Day is one day aimed to raise awareness and remind society about the importance of protecting both company and personal computer resources in order to prevent the misuse of financial and personal data, and even identity theft. There are many measures that people can take to be more secure and we can all play a part in these efforts year-round.

We have compiled our top four tips for maximum ROI:

  • Implement phishing-resistant multi-factor authentication - Cybercriminals have become very good at tricking people into giving up their credentials, especially through fake login pages designed to look like authentic ones. Having an additional factor, such as a code generated from an application on a smartphone, or better yet, a phishing-resistant factor such as a USB security key to prove your identity, can go a long way toward keeping bad actors out of your accounts.
  • Patch software in a timely manner - Patching software and firmware can help not only keep cybercriminals from getting into computer systems, but can also keep them from doing more damage in the event they do get in. Do not just patch internet-connected devices, but also the ones inside the network.
  • Conduct security awareness training and simulated phishing tests - Educating employees about how to spot email phishing attacks, one of the most successful ways attackers can get into a network, is a critical part of any security program. Conduct training in short sessions on a regular basis, then allow them to test their skills with simulated phishing exercises that provide practice. Do not forget to also educate employees about safe password behaviors and other important security topics.
  • Create long and unique passwords or passphrases for each online account - Not only does the length and complexity of passwords matter, but the reuse of passwords is a significant security threat as well. In many breaches, cybercriminals steal usernames and passwords, knowing that they can try these on common websites using free tools, and since people reuse passwords often, the chances of taking over other accounts are good. Making sure passwords are unique and are never reused, especially between personal and work accounts, can help keep accounts secure.

Remember to stay safe today on National Computer Security Day, and every day! KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, December 6, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 65,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, December 6, @ 2:00 PM (ET)

Save My Spot!

The Israel-Hamas Conflict Is the Latest Example of Phishing Attacks Taking Advantage of Current Events

Using something as simple as an attachment with an Israel/Hamas-related filename seems to be all it takes for new social engineering attacks disguised as donation confirmations.

If you were to guess how many new attacks have been launched under the guise of the recent war, it's probably more than you think. According to security researchers at Check Point Software, they've discovered over 15,000 examples of attacks using this theming.

While not the most sophisticated email, it's the HTML attachment that is the clincher for this attack. According to Check Point, more than 50% of malicious attachments are HTML files. Opening the attachment reveals the following fake "locked" Excel document that requires the victim enter in their Microsoft 365 credentials:

The tactics used in this example are relatively unsophisticated and unimpressive to those that have been paying attention to the evolution of phishing attacks. But it goes to show that all it takes is a user that hasn't yet undergone new-school security awareness training. Therefore, when your users aren't vigilant when interacting with such attacks, they could fall for what appears to be one of the lamest modern phishing efforts I've seen.

Blog post with links and screen shots:

Combatting Rogue URL Tricks: Quickly Identify and Investigate the Latest Phishing Attacks

Everyone knows you shouldn't click phishy links. But are your end users prepared to quickly identify the trickiest tactics bad actors use before it's too late? Probably not.

Cybercriminals have moved beyond simple bait and switch domains. They're now employing a variety of advanced social engineering techniques, like sneaky rogue URLs, to entice your users into clicking and putting your network at risk.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this webinar as he shows you how to become an expert phish finder. He'll dive deep into the latest techniques and defenses to share:

  • Real-life examples of advanced attacks using rogue digital certificates, homograph attacks and more
  • Safe forensic methods for examining URLs and other tactics for investigating phishy emails
  • Strategies for dissecting URLs on mobile without clicking
  • Simple ways you can train your users to scrutinize URLs and keep your network safe

Find out what you need to know to keep your network protected and safe from the latest phishing attacks!

Date/Time: Wednesday, December 13 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

[FUN DEPT] We Asked GPT: "Explain Social Engineering in Gen-Z Slang"

It answered: "Aight, so social engineering is like when someone's tryna finesse you by playing mind games. They're not hacking your devices with code and stuff; they're hacking your brain, ya feel?

Imagine someone sliding into your DMs acting all friendly and stuff, but they're lowkey tryna scoop up your personal deets or get you to spill the tea on your passwords. They might hit you with a sob story, or act like they're from some legit company you vibe with, but it's all cap.

These folks might also flex some wild stories to get you to click on sketchy links, or even catfish you to get that trust level up. It's all about manipulation, getting you to drop your guard so they can snag what they want, like your login creds, cash, or control over your accounts.

Always double-check who you're dealing with and don't hand over your digits or private info just 'cause someone seems chill. That's how they getcha. Keep your personal biz on lockdown, and don't let these social engineers play you for a fool."

The Outstanding ROI of KnowBe4's Security Awareness Training Platform

One of your important responsibilities is to minimize expensive downtime and prevent data breaches.

Skyrocketing ransomware infections can shut down your network and exfiltrate data. Phishing is responsible for two‑thirds of ransomware infections.

That's why security awareness training has become a critical component of reducing risk and safeguarding digital assets. Learn how the KnowBe4 security awareness training platform can help you maximize your infosec budget and mitigate risk.

Download this ultimate budget ammo PDF that covers:

  • The ongoing problem of social engineering for organizations of all sizes
  • The risk and cost of doing nothing to secure the human element of your organization
  • The cost savings and risk reduction realized through using KnowBe4 security awareness training platform

Download Now:

Your KnowBe4 Fresh Content Updates from November 2023

Here is your quick update on new features/content that were added to the platform:

Google Chat Integration for Real-Time Coaching and Training Notification Delivery via SecurityCoach:

Callback Phishing: Email and Phone-Based Cyberattacks Training Module 10 minutes:
In a callback phishing attack, cybercriminals send emails that appear harmless at first glance and do not stand out due to suspicious links or attachments. However, this initial innocuous appearance is part of a planned multi-stage attack. In this training, learners will be shown an example of a callback phishing attack and learn what they can do to protect themselves and their organization. Learners will take a short quiz at the end.

Blog post with the monthly roundup: Your KnowBe4 Fresh Content Updates from November 2023:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [SCARY and SCARIER] Two things you want to see: 'Interesting' AI GitHub project, and will AI write ransomware? Yes:

PPS: [BUDGET AMMO] "AI: The new puppet master behind cyberattacks.":

Quotes of the Week  
"I think that's the single best piece of advice: Constantly think about how you could be doing things better and questioning yourself."
- Elon Musk - Entrepreneur (*1971)

"Once we believe in ourselves, we can risk curiosity, wonder, spontaneous delight, or any experience that reveals the human spirit."
- e. e. Cummings - Poet (1894 - 1962)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Users Fall for Smishing Attacks 6-10 Times More Than Email-Based Attacks

With organizations heavily focusing on protecting the corporate endpoint, cybercriminals are switching focus onto mobile devices where users are more prone to fall for their social engineering tactics.

We consume so much content from people you don't personally know that it's not part of your everyday process to stop and be critical of what's being presented to you. And that's exactly what cybercriminals are taking advantage of.

According to security vendor Zimperium's 2023 Global Mobile Threat Report, text-based phishing attacks are not only on the rise, but there are examples of how the cybercrime ecosystem is responding to the "need" and making it easier for such attacks to take place.

  • Between 2021 and 2022 (the time frame covered in the report), the total number of mobile malware samples detected increased by 51%
  • During 2022, an average of 77,000 unique malware samples were discovered each month
  • Zimperium detected an average of 2,000 pieces of "zero day" malware weekly
  • 80% of phishing sites now either target mobile devices specifically or are designed to function on both mobile and desktops

The reason why this growth is occurring is purely because mobile device users are far more likely to engage with attack content than if they were on a traditional endpoint. Think about the magnitude of the headline of this article; if a user was just 8% likely to click on a malicious link on an endpoint, they are as much as 80% likely to click on the same link when presented on a mobile device. That's a huge difference!

And with 73% of organizations that experienced a mobile-related compromise described it as a "major" breach, it means that these kinds of attacks are as serious as their endpoint-focused counterparts. And with the heightened risk of user engagement, it's absolutely necessary that users be enrolled in new-school security awareness training to educate them on the kinds of attacks and social engineering being used, how to spot it, and how to ensure they don't participate by engaging with the malicious content.

Blog post with links:

Hybrid War Between Hamas and Israel Spreads in Cyberspace

Of the activity that's been attributed so far in this war, a great deal of it has been traced to Iran.

GPS disruptions affecting commercial flights in the Middle East, particularly over Baghdad, Cairo, and Tel Aviv, have been attributed to jamming centered near Tehran. In a separate incident, the Iranian hacktivist group, Cyber Av3ngers, took control of a water booster station in Aliquippa, Pennsylvania, using a control system from the Israeli company Unitronics. This attack is part of a broader trend of targeting Unitronics PLCs used in various sectors, indicating a significant threat to the industrial control system supply chain.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged water utilities using Unitronics PLCs to implement risk mitigation measures. Cyber Av3ngers previously claimed attacks on Israeli utilities and falsely claimed to compromise the Dorad power station in Israel. The Pennsylvania attack suggests an expansion of the group's activities beyond Israel.

Another incident involved hacking a Unitronics PLC at a Pittsburgh brewery, displaying the same message as the Aliquippa water system hack. This suggests further attacks on US water systems, though these remain limited.

Researchers have also identified a new strain of SysJoker malware, primarily targeting Israeli entities and aligning with Hamas interests. Initially developed in C++, it has been rewritten in Rust and linked to previous attacks against Israeli infrastructure. This malware is associated with a new APT group called "WildCard," which engages in social engineering and abuses legitimate cloud services, targeting Israeli sectors like education, IT infrastructure, and possibly electric power generation.

What KnowBe4 Customers Say

"Stu – Good day! My name is Jessi. I am the Director of IT here. We are an internet provider, nice to meet you over email.

I wanted to take a minute and share with you what a fabulous job our Customer Success Manager, Elise B., is doing for us. Every month she meets with us and assists with our Awareness Training, Phishing Campaigns, and overall security posture – all in a 30 min meeting. Her positivity and knowledge of the platform is so appreciated.

I value the role she provides because without her, I am not sure we would get the maximum benefit of the partnership. Anyhow, I just wanted to pass that along and let you know how much we value the KnowBe4 partnership. Happy Holidays!"

- J.B., Director of IT

"Stu, I wanted to email you about one of your employees Ryan T. He has been an absolute pleasure to work with and goes above and beyond the call of duty. He has been on our account a short while and is very responsive, friendly, and helpful.

I just wanted to reach out to you personally and let him know he is a great asset to your team at KnowBe4!"

- D.R., Technical Accounting Manager

The 10 Interesting News Items This Week
  1. Ukrainian ransomware gang behind high-profile attacks dismantled:

  2. CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack:

  3. Woman Gets Stood Up On A Date, Finds Out The Restaurant Tricked Her Into Eating Dinner Alone:

  4. Researchers say Russia-linked ransomware group has raked in more than $100 million:

  5. [Opinion] The U.S. Needs to Follow Germany's Attack-Detection Mandate:

  6. OpenAI's Custom Chatbots Are Leaking Their Secrets:

  7. Ex-worker phished former employer to illegally hack network and steal data:

  8. Russian developer of Trickbot malware pleads guilty, faces 35-year sentence:

  9. Latest Draft of UN Cybercrime Treaty Is A Big Step Backward:

  10. Coinbase CEO: "Future AI 'Agents' Will Transact in Crypto." What could possibly go wrong?:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews