CyberheistNews Vol 14 #05 Myth of Massive Data Breach Busted: Big Headlines Mask a Minor Threat

CyberheistNews Vol 14 #05  |   January 30th, 2024

Myth of Massive Data Breach Busted: Big Headlines Mask a Minor Threat
Stu Sjouwerman SACP

Ok, I'll admit it, I was swept up in the moment last week and wrote a short blog post that more or less summarized the tsunami of news about that huge data breach initially reported by Cybernews. They called it the Mother of all Breaches (MOAB), and a seismic event. Hold your horses, not so fast!

This discovery sure is large, but there's way more to it than that, and it is certainly not unique. I decided to do some research and check Troy Hunt's X feed. We have worked for years with Troy, and he's the world's most prominent large data breach expert. His perspective puts this event back in its proper context. Here are a few points that he made:

  • Interesting find. Collecting and storing this data is now trivial so not a big surprise to see someone screw up their permissions and (re)leak it all.
  • The term "records" is often used to describe the total number of rows in the DB and frequently doesn't correlate to "unique email addresses." You can have a *massive* incident with a relatively small number of unique email addresses.
  • Take both record numbers and terabytes of data with a grain of salt. They make for great headlines, but they're a superset of the volume of genuinely impactful data.
  • There are *many* stashes of breaches floating around ranging from personal collections to Telegram channels to data people publish to public forums where they're easily downloadable. That one of these stashes was perhaps inadvertently left open doesn't really have any impact.
  • This reporting is just getting stupid: "Big brands caught in 'mother of all breaches'". These are breaches that date back as far as more than a decade (Adobe), and they're now in a news headline despite them already being so broadly distributed.

So, the upshot is that yes, there is a large risk of password compromise, and a large attack surface that needs to be mitigated. But nothing really new here folks, you need phishing-resistant MFA and trained users.
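To make the rows-versus-addresses point concrete, here is an added example (written for this page, not code from the newsletter or from Troy Hunt) that tallies a small constructed combo list in the email:password and email;password shapes such dumps usually come in. It counts raw lines (what headlines call "records"), parseable rows, unique addresses and unique address/password pairs, then pulls out the accounts in a hypothetical organisation's own domain, which is the slice an IT team actually has to act on. The sample dump and the domain example.com are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample dump (not real data): duplicate rows, inconsistent
# casing, two separator styles and one junk line, as seen in the wild.
SAMPLE_DUMP = """\
Alice@Example.com:Winter2023!
alice@example.com:Winter2023!
alice@example.com;Summer2019
bob@example.com:hunter2
carol@other.org:qwerty
carol@other.org:qwerty
not-an-email-line
dave@example.com:P@ssw0rd
"""

# an address, a ':' or ';' separator, then whatever follows as the secret
COMBO_RE = re.compile(r"^([^@\s:;]+@[^@\s:;]+\.[^@\s:;]+)[:;](.*)$")


def parse_combo_lines(text):
    """Yield (email, secret) for every parseable row; addresses are lower-cased
    so 'Alice@Example.com' and 'alice@example.com' count as one identity."""
    for line in text.splitlines():
        m = COMBO_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def summarise(text, org_domain):
    """Tally a dump the way a defender should: headline lines vs. parseable
    rows vs. unique identities, then the subset in our own domain."""
    lines = len(text.splitlines())          # what headlines call "records"
    rows = 0
    secrets_by_email = defaultdict(set)
    for email, secret in parse_combo_lines(text):
        rows += 1
        secrets_by_email[email].add(secret)
    suffix = "@" + org_domain.lower()
    ours = {e: s for e, s in secrets_by_email.items() if e.endswith(suffix)}
    return {
        "lines": lines,
        "rows": rows,
        "unique_emails": len(secrets_by_email),
        "unique_pairs": sum(len(s) for s in secrets_by_email.values()),
        "org_accounts": sorted(ours),
        # distinct secrets per account: >1 means several breaches or reuse
        "org_distinct_secrets": {e: len(s) for e, s in sorted(ours.items())},
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_DUMP, "example.com").items():
        print(f"{key}: {value}")
```

On the constructed dump, eight "records" collapse to seven rows, four people and five distinct credential pairs, and only three of those people are in the organisation's domain; that last list, with the count of distinct secrets per account, is what decides who gets a forced reset.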

Blog post with links, Update and the original copy:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, February 7, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Executive Reports helps you create, tailor and deliver advanced executive-level reports
  • See the fully automated user provisioning and onboarding

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, February 7, @ 2:00 PM (ET)

Save My Spot!

Facebook Phishing Scams Target Concerned Friends and Family

BleepingComputer describes a phishing scam that's been running rampant on Facebook for the past several months, in which threat actors use hacked accounts to post links to phony articles implying that someone has been killed in an accident.

The Facebook posts have captions like "I can't believe he is gone," accompanied by thumbnails of news articles involving car accidents or crime scenes. Users are more likely to click on the links since they've been posted by a friend's account. The links lead to phishing sites that ask users to enter their Facebook credentials in order to view the videos.

"To entice a visitor to enter their password, they show what appears to be a blurred-out video in the background, which is simply an image downloaded from Discord," BleepingComputer says.

"If you enter your Facebook credentials, the threat actors will steal them, and the site will redirect you to Google. While it is not known what the stolen credentials are used for, the threat actors likely use them further to promote the same phishing posts through the hacked accounts... This phishing scam is widely spread, with BleepingComputer seeing numerous posts created each day by friends and family who unwittingly had their accounts hacked through the same scam."

BleepingComputer notes that enabling multi-factor authentication will give your Facebook account an extra layer of protection against phishing attacks.

"As this phishing attack does not attempt to steal two-factor authentication (2FA) tokens, it is strongly advised that Facebook users enable 2FA to prevent their accounts from being accessed if they fall for a phishing scam," BleepingComputer says.

"Once enabled, Facebook will prompt you to enter a unique one-time passcode each time your credentials are used to log in to the site from an unknown location. As only you will have access to these codes, even if your credentials are stolen, they cannot log in."

It's worth keeping in mind, however, that some phishing attacks will attempt to trick you into entering a 2FA code as well: adversary-in-the-middle phishing kits proxy the real login page and relay the one-time code to the site in real time, so a code-based second factor only helps against simpler kits like this one. Phishing-resistant MFA (FIDO2 security keys or passkeys) closes that gap.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:

Identify Weak User Passwords in Your Organization With the Newly Enhanced Weak Password Test

Cybercriminals never stop looking for ways to hack into your network, but if your users' passwords can be guessed, they've made the bad actors' jobs that much easier.

Verizon's Data Breach Investigations Report showed that 81% of hacking-related breaches use either stolen or weak passwords. The Weak Password Test (WPT) is a free tool to help IT administrators know which users have passwords that are easily guessed or susceptible to brute force attacks, allowing them to take action toward protecting their organization.

Weak Password Test checks the Active Directory for several types of weak password-related threats and generates a report of users with weak passwords.

Here's how Weak Password Test works:

  • Connects to Active Directory to retrieve password table
  • Tests against 10 types of weak password related threats
  • Displays which users failed and why
  • Does not display or store the actual passwords
  • Just download, install and run. Results in a few minutes!
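As an added illustration of the kind of checks a tool like this performs, here is example code written for this page; it is not KnowBe4's Weak Password Test, and the particular checks it runs (blank password, membership in a weak list, password equal to username, the same password shared across accounts, a legacy LM hash still stored) are an assumption about what such tools look for, not the product's documented list. The account table is constructed. What is not an assumption: the NT hash Active Directory stores is MD4 over the UTF-16LE encoding of the password, so an auditor can hash candidate weak strings and compare hashes without ever recovering or displaying a user's password.

```python
import struct
from collections import Counter


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is missing on many OpenSSL 3
    builds, and NT hashes are MD4, so the example carries its own."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in rounds:
            for j, idx in enumerate(order):
                i = (-j) % 4  # the updated register cycles a, d, c, b, a, ...
                v[i] = rotl((v[i] + fn(v[(i + 1) % 4], v[(i + 2) % 4], v[(i + 3) % 4])
                             + x[idx] + k) & mask, shifts[j % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in AD: MD4 over the UTF-16LE password, hex-encoded."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
# Assumed weak list; a real audit would use a large leaked-password corpus.
WEAK_LIST = ["password", "Password1", "Welcome1", "Summer2023", "123456", "P@ssw0rd"]


def audit(accounts, weak_list=WEAK_LIST):
    """accounts: iterable of (sAMAccountName, lm_hash_hex, nt_hash_hex).
    Returns {user: [reasons]} for failing users. Only hashes are compared;
    no password is recovered, displayed or stored."""
    accounts = list(accounts)
    weak_hashes = {nt_hash(p) for p in weak_list}
    blank = nt_hash("")
    usage = Counter(nt.lower() for _, _, nt in accounts)
    findings = {}
    for user, lm, nt in accounts:
        nt, lm = nt.lower(), (lm or "").lower()
        reasons = []
        if nt == blank:
            reasons.append("blank password")
        elif nt in weak_hashes:
            reasons.append("matches common weak password list")
        if nt in {nt_hash(c) for c in (user, user.lower(), user.capitalize())}:
            reasons.append("password equals username")
        if usage[nt] > 1:
            reasons.append(f"same password as {usage[nt] - 1} other account(s)")
        if lm and lm != EMPTY_LM:  # any other value means an LM hash is kept
            reasons.append("LM hash stored (weak legacy hash)")
        if reasons:
            findings[user] = reasons
    return findings


# Constructed table standing in for what a tool pulls from AD (hashes only);
# plaintexts appear here solely to build the sample.
SAMPLE_TABLE = [
    ("alice",      EMPTY_LM, nt_hash("correct horse battery staple 42")),
    ("bob",        EMPTY_LM, nt_hash("Password1")),
    ("carol",      EMPTY_LM, nt_hash("Password1")),
    ("svc_backup", EMPTY_LM, nt_hash("svc_backup")),
    ("dave",       EMPTY_LM, nt_hash("")),
    ("legacy",     "e52cac67419a9a224a3b108f3fa6cb6d", nt_hash("Str0ng-Unique-Pass!")),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_TABLE).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The report names the user and the reason, never the password, which is the property the bullet list above describes. Pulling the real hash table requires replication rights on a domain controller, so a tool doing this must be run by a privileged account and its output treated as sensitive: a list of accounts with guessable passwords is exactly what an attacker wants.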

Don't let weak passwords be the downfall of your network security. Take advantage of KnowBe4's Weak Password Test and gain invaluable insights into the strength of your password protocols.

Download Now:

New Deepfake Video Scam Has "Taylor Swift" Offering Free French Cookware

A new wave of ads using video of well-known celebrities who appear to promote video games, fake giveaways and more is starting to pop up, and fans are falling for the trap.

McAfee posted a tweet on X earlier this month about how their latest technology exposes deepfake audio and video scams for their true nature. They offer a copy of the video that shows what looks like Taylor Swift talking about giving away Le Creuset cookware sets.

What makes the scam so convincing to the untrained and unprepared eye is that it starts with Taylor talking (although the video doesn't match the words she's "saying") and quickly shifts to video of a surplus of cookware.

The use of deepfake audio is the key here. The combination of a convincing audio track and mixing in some video of "Taylor" speaking is apparently all that's needed to trick would-be victims.

The crux of a good scam is the "illusion of credibility" — often attained through person, domain, or brand impersonation. In the Taylor Swift scam, it's the deepfake voice and a bit of video.

Regardless of the techniques or technologies used, individuals seeing such content from any celebrity or well-known figure should quickly realize that Taylor Swift doesn't want to give everyone a Dutch oven.

The old adage "if it looks too good to be true, it usually is" holds true here. Scammers will continue to hone their craft with deepfaked audio and convincing video to trick their victims; we are already seeing this trend this year.

So, organizations looking to protect themselves from cyber attacks or scams aimed at businesses need to ensure their employees are fully prepared by enrolling them in new-school security awareness training.

We have a phishing test template ready for you in the console ready to send to your users: "Taylor Swift Partners With Le Creuset For Cookware Giveaway! (Link)"

Blog post with links:

What Your Password Policy Should Be

Reports of the death of passwords have been greatly exaggerated.

You know passwords are still a necessary evil, despite recurring predictions that some new credentialing architecture will take over in just a few years' time. Until then, your goal is to craft password policies that mitigate as much risk as possible for both your employees and your organizations.

In this e-book, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, details the pros and cons of password use. Roger explains how the implementation of supporting frameworks, such as MFA and password managers, can help you keep your organization locked down.

From common password attacks to what to put in place to stop them, he covers it all! Download this e-book to learn:

  • What tactics bad actors use to hack passwords (and how to avoid them)
  • The pros and cons of password managers and multi-factor authentication and how they impact your risk
  • How to craft a secure password policy that addresses the most common methods of password attack
  • How to empower your end users to become your best last line of defense

Download Now:

Houston, We Have a 2024 China Problem

Russia is not the only global problem that democracy has to deal with. The Chinese regime ran large influence campaigns, attempting mass social engineering in the U.S. 2022 midterm elections, according to a declassified intelligence report and multiple private-sector investigations. We can expect the same in 2024.

The intelligence report has shed light on the Chinese regime's involvement in the U.S. 2022 midterm elections, where they reportedly used various tactics to influence the outcome.

According to the findings, these tactics ranged from retaliation against specific U.S. lawmakers to promoting divisive content online, and even impersonating American voters. This multifaceted strategy aimed to sway public opinion and election results in favor of candidates who might support China's policies, regardless of their political party.

Sam Kessler, a geopolitical adviser, interprets these efforts as a continuation of China's broad strategy to undermine democratic efforts abroad and to divide U.S. society over contentious social issues. He suggested that these actions are part of a bigger picture, indicating the Chinese Communist Party's willingness to employ such tactics to influence U.S. elections and policies that promote democracy internationally.

Furthermore, major tech companies have also reported on China's influence operations. Meta revealed the removal of thousands of accounts linked to China, which were involved in the world's largest online influence operation aimed at the U.S. elections.

This large-scale operation targeted not only the U.S. but also key allies with disinformation campaigns across more than 50 digital platforms.

Moreover, Microsoft's findings corroborate these influence operations, noting that China-based hackers took a page out of the KGB playbook and used artificial intelligence to create and disseminate divisive content, masquerading as American voters during the midterm elections.

These reports suggest a calculated approach by the CCP, leveraging digital platforms to shape public opinion and election outcomes, a strategy described by Casey Fleming, CEO of BlackOps Partners, as part of China's wider hybrid warfare tactics aimed at weakening its primary adversary, the U.S.

As the U.S. moves closer to the 2024 presidential elections, experts like Kessler anticipate an escalation in foreign influence operations, highlighting the need for awareness and security training against such subversive activities.

The problem is not limited to America. Europe has also recently recognized that it has a China problem. This week, the European Union released a raft of proposals to boost "economic security." A Wall Street Journal opinion piece stated: "A variety of business and economic controversies in recent years exposed how far behind Europe has fallen in grappling with the security implications of trade and investment flows with a large, ideologically antagonistic partner."

They make the point that Beijing is launching a subtle but highly effective assault on European political culture.

"Educate and inform the whole mass of the people... They are the only sure reliance for the preservation of our liberty." - Thomas Jefferson

Blog post with links:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] From Yours Truly in Forbes: "Deepfake Phishing: The Dangerous New Face Of Cybercrime":

PPS: Your KnowBe4 Compliance Plus Fresh Content Updates from January 2024:

Quotes of the Week  
"How often have I said to you that when you have eliminated the impossible, whatever remains, however improbable, must be the truth?"
- Sherlock Holmes

"It's the constant and determined effort that breaks down all resistance, sweeps away all obstacles."
- Claude M. Bristol - Writer (1891 - 1951)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Cisco: 'Ransomware Spiked in Q4 2023'

Cisco Talos observed a "significant increase" in ransomware activity in the fourth quarter of 2023: "Ransomware, including pre-ransomware activity, was the top-observed threat in the fourth quarter of 2023, accounting for 28 percent of all Cisco Talos Incident Response engagements.

"That is a 17 percent increase from Q3. Talos IR observed multiple ransomware operators in the wild last quarter, involving Play, Cactus, BlackSuit, and NoEscape. In one case, Talos IR responded to a Play ransomware attack for the first time ever."

Read the Cisco blog here:

New Evasive Phishing Technique 'Legacy URL Reputation Evasion' (LURE)

Researchers at Menlo Security observed a 198% increase in browser-based phishing attacks over the past six months.

"Attackers have developed tools to craft high quality large scale attacks that target the browser," the researchers write. "Cybercrime tools, such as phish kits (PhaaS) and ransomware-as-a-service kits (RaaS), have simplified the process of launching sophisticated attacks.

"These kits provide attackers with pre-made templates, scripts, and resources lowering the bar to craft and deploy their malicious campaigns. Tools like this also make it easier for rudimentary attackers to create convincing and fraudulent websites or emails for the purpose of stealing sensitive information from its intended victims."

The report highlights a type of phishing attack that uses trusted URLs to bypass security filters.

"Legacy URL Reputation Evasion (LURE) is a growing evasive phishing technique that specifically targets browsers to bypass web categorization of commonly deployed security tools like secure web gateways and URL reputation filters," the researchers write.

"Threat actors capitalize on this technique by hijacking trusted sites, or by creating a new site and leaving it dormant until its URL/domain is trusted. They then use these URLs and destination sites to launch phishing attacks. This has been a consistent trend during 2023.

"During such an attack, the user opens the web URL believing it to be authentic. Because the URL is in a safe category, it is neither blocked by the SWG, nor URL filters. The user is subsequently compromised, either with malware or because they are induced to enter their credentials."

New-school security awareness training can give your organization an essential layer of defense against phishing and other social engineering attacks.

Blog post with links:

What KnowBe4 Customers Say

"Good Afternoon, the purpose of my email is to share real-time feedback as a new client, regarding KnowBe4's platform and our experience working with our CSM Christian M. I will start by saying our experience navigating the KB4 console has been incredible to say the least. It was an easy and seamless process with onboarding and transitioning from our old platform this past December.

Our training managers and users have expressed positive feedback regarding layout, video quality, content quality and reporting. Second, I would like to express gratitude regarding the quality of service I have received from our Customer Success Manager, Christian M. Our greatest challenge with our last platform was customer service and led us to our decision to transition to KnowBe4.

I had no inclination during onboarding that we would receive such high quality service. Christian is consistent and dedicated with every interaction. He is vigilant in ensuring we have all of our needs being met at all times. Christian has redesigned my perspective of service quality through his democratic approach and I would like to acknowledge how important he has been during this experience.

I look forward to continuing the relationship with Christian and KnowBe4."

- S.S., MBA, IT Security

The 10 Interesting News Items This Week
  1. CISA's Easterly the target of 'harrowing' swatting incident:

  2. SEC confirms that their X account was hacked with a SIM swapping attack:

  3. SolarWinds Seeks Dismissal of 'Unfounded' SEC Cybersecurity Suit:

  4. [GOOD LUCK WITH THAT] Biden Aims to Stop Countries From Exploiting Americans' Data for Blackmail, Espionage:

  5. [Real World Deep Fake] Voter Suppression 'Biden' Robocall Complaint to Election Law Unit:

  6. The Biden Deepfake Robocall Is Only the Beginning:

  7. GCHQ's NCSC warns of 'realistic possibility' AI will help state-backed ransomware evade detection:

  8. The life and times of Cozy Bear, the Russian hackers who just hit Microsoft and HPE:

  9. Microsoft says Russian hackers also targeted other organizations:

  10. Symantec's Threat Hunter Team: '2024 look at the ransomware threat landscape':

