CyberheistNews Vol 14 #08 Browser-Based Phishing Attacks Increase 198%, With Evasive Attacks Increasing 206%


CyberheistNews Vol 14 #08  |   February 20th, 2024

Browser-Based Phishing Attacks Increase 198%, With Evasive Attacks Increasing 206%
By Stu Sjouwerman, SACP

A new report shows massive increases in browser attacks in the second half of 2023, with over 31,000 threats specifically designed to bypass security solution detection.

I spend a lot of time on this blog talking about phishing, social engineering, smishing, deepfakes and more — all topics centered around attack techniques designed to interact and fool a user.

When cybercriminals target browser users, though, the trust relationship is entirely different. With email, users have expectations about how a message should look, where it comes from and what it should contain.

In a browser, all it takes is a convincing webpage or the misuse of an exploit to set an attack in motion. And according to security vendor Menlo Security's State of Browser Security report, these browser-based phishing attacks are very much on the rise; we're talking about 200% increases.

That's huge.

Menlo Security detected over 550,000 browser-based attacks in 2023, something organizations typically have little visibility into. The use of evasive techniques is also growing. Menlo gives the example of Legacy URL Reputation Evasion (LURE), in which the URLs are either hijacked trusted sites or domains that are left dormant until their URL reputation builds over time.

These types of evasive techniques are so powerful that Menlo detected over 11,000 zero-hour browser-based phishing attacks that "exhibited no signature or digital breadcrumb, meaning no existing SWG or endpoint tool was able to detect and block these attacks."

In addition to considering security solutions specifically designed to protect against browser-based attacks, account for the phishing aspect as well: this is where users are led to engage with the attack by providing credentials, clicking links and launching executables.

By educating your users with security awareness training about these kinds of attacks, the effectiveness of the attack diminishes as users stop interacting, thus neutralizing the power of browser-based attacks.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


RIP Malicious Emails With KnowBe4's PhishER Plus

RIP malicious emails out of your users' mailboxes with KnowBe4's PhishER Plus!

It's time to supercharge your phishing defenses using these two powerful features: 1) automatically blocking malicious emails that your filters miss, and 2) being able to RIP malicious emails before your users click on them.

With PhishER Plus you can:

  • Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
  • Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Leverage the expertise of the KnowBe4 Threat Research Lab to analyze tens of thousands of malicious emails reported by users around the globe per day
  • Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: TOMORROW, Wednesday, February 21, @ 2:00 PM (ET)


Phishing Campaign Exploits Remote Desktop Software

A phishing campaign is attempting to trick users into downloading remote monitoring and management (RMM) software like AnyDesk, Atera and Splashtop, according to researchers at Malwarebytes.

While these tools are legitimate, they can be exploited by threat actors to carry out many of the same functions as malware. These tools may also be less likely to be flagged as malicious by antivirus software.

"The modus operandi of these threat actors involves deceiving employees through sophisticated scams and deceptive online advertisements," the researchers write. "Unsuspecting employees, misled by these tactics, may inadvertently invite these criminals into their systems.

"By convincing employees to download and run these seemingly benign RMM applications under the guise of fixing non-existent issues, these fraudsters gain unfettered access to the company's network."

The scammers trick users into visiting a phishing site that impersonates the user's bank. "We believe victims are first targeted and then contacted via phishing emails or text messages (smishing) based on their position in the company," the researchers write.

"Attackers could trick them by sending them to a typical phishing page or making them download malware, all of which are good options. However, they are instead playing the long game where they can interact with their victims.

"Users are directed to newly registered websites that mimic their financial institution. In order to get support, they need to download remote desktop software disguised as a 'live chat application.'"

The phony live chat application is actually a version of the AnyDesk remote desktop software. "In this instance they are using a legitimate (although outdated) AnyDesk executable which would not be detected as malicious by security products," Malwarebytes says. "Running the program will show a code that you can give to the person trying to assist you. This can allow an attacker to gain control of the machine and perform actions that look like they came directly from the user."


Making the Return on Investment (ROI) Case for Security Awareness Training

As an InfoSec professional, one of your many important responsibilities is to minimize expensive downtime and prevent data breaches. Skyrocketing ransomware infections can shut down your network and exfiltrate data.

Phishing is responsible for two-thirds of ransomware infections. But how do you convey the value and return on investment (ROI) of security awareness training to your CFO and leaders?

Join us for this webinar where Joanna Huisman, SVP of Strategic Insights and Research at KnowBe4, helps you understand the value and articulate the return on investment that security awareness training (SAT) programs can deliver.

You'll learn:

  • Why the ongoing problem of social engineering is problematic for organizations of all sizes
  • The risk and cost of doing nothing to secure the human element
  • The cost savings and risk reduction realized through using KnowBe4's security awareness training platform
  • Why training your users ultimately saves you time and money while protecting your organization

Having a robust and effective SAT program doesn't have to be a strategic or financial challenge. Learn more about the value of preparedness, and even earn continuing professional education (CPE) credit for attending!

Date/Time: Wednesday, February 28 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.


Security Teams Spend 71 Hours Responding to Every One Hour in a Cyber Attack

New data sheds light on what kinds of cyber attacks are targeting your cybersecurity team, what it's costing them, why it's taking so much time to fix, and where you should focus resources.

Barracuda's Cybernomics 101 report provides a lot of insight into the current economics of cyber attacks. According to the report:

  • 62% of respondents stated cyber attacks are becoming more sophisticated
  • 55% said those attacks are taking more time to investigate and attempt to mitigate
  • 53% of respondents agreed that cyber attacks are becoming more targeted

The average of the largest ransom paid by each organization is $1.38 million, with an average cost of $5.34 million to respond to compromises!

What's staggering is the average proficient hacker takes just six hours to exploit a vulnerability while IT and security teams take an average of 427 hours "investigating, cleaning, fixing, and documenting" successful attacks. That's 71 good guy hours for every 1 bad actor hour.

So, cleanup isn't a profitable business strategy. Then what about stopping attacks? According to the report, the top three initial attacks are:

  • DDoS (experienced by 52% of organizations)
  • Phishing / Social Engineering (48%)
  • Credential Theft (41%)

Of the top three, two rely heavily on users falling for cleverly crafted scams and gambits. Organizations that continually keep their users educated through security awareness training, so that they remain vigilant when interacting with email and the web, are the ones who can mitigate (if not outright stop) two of the top three attack types.

So it's either 427 hours of your security team's time, or new-school security awareness training in place, with a monthly simulated phishing test that keeps users on their toes and security top of mind. The choice is yours.


The 9 Cognitive Biases Hackers Exploit the Most

Hackers have become increasingly savvy at launching specialized attacks that target your users by tapping into their fears, hopes, and biases to get access to their data.

Cybersecurity is not just a technological challenge, but increasingly a social and behavioral one. People, no matter their tech savviness, are often duped by social engineering scams, like CEO fraud, because of their familiarity and immediacy factors.

Bad actors know how to tap into specific mental patterns we all have called cognitive biases to trick users into compromising sensitive information or systems.

In this whitepaper, explore how a better understanding of how hackers are duping users can help you identify potential cognitive biases, deliver training that actually changes behaviors, and cut down on security incidents.

Read this whitepaper to learn:

  • How hackers get users to click by understanding how they tick
  • Examples of specific cognitive biases hackers use the most through social engineering
  • How new-school security awareness training and real-time security coaching can be used to nudge users toward more secure behavior

Download this whitepaper today!

NEW -- Environment Survey Overview

Tell us how we can help you even more.

The Environment Survey is an optional survey located on your KnowBe4 console Dashboard tab that will provide KnowBe4 with additional data about the security systems used in your environment. This data helps us plan future integrations with the products that you use the most.

We also use this information to update you about any changes that could impact your organization's security training.

You can find the Environment Survey at the bottom of the Dashboard tab after logging in to your KnowBe4 console. Click Get Started to begin the survey. You can exit the survey at any time without losing your progress by clicking the Save and Exit button.

The survey consists of 10 questions and only takes two minutes to complete. You can select multiple responses for each question if you use more than one service or software in your organization and you can delete the data at any time.


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Forrester Analyst Jinan Budge nails it. "The Future Is Now: Introducing Human Risk Management"

PPS: [BUDGET AMMO] Mindfulness In Cybersecurity: Turning Frequent Clickers To Vigilant Defenders

Quotes of the Week

"The best way to resolve any problem in the human world is for all sides to sit down and talk."
- Dalai Lama (born 1935)

"Believe nothing just because a so-called wise person said it. Believe only what you yourself test and judge to be true."
- Buddha, Philosopher (563 - 483 BC)


Security News

Email Phishing Attacks Surged in 2023

Email-based phishing attacks surged by 222% in the second half of 2023 compared to H2 2022, according to a new report from Acronis. The researchers believe the increase was partly due to the rise of generative AI tools.

"Email attacks skyrocketed by 222% compared to the last half of 2022, and generative artificial intelligence (AI) is partially to blame," the report says. "A growing number of organizations faced AI-enhanced phishing attacks, with 91.1% of businesses reporting first-hand encounters.

With adversaries abusing generative AI to craft phishing emails, messages are more convincing and virtually indistinguishable from legitimate messages, making it more crucial now than ever for SMBs and MSPs to deploy AI-powered detection tools."

The researchers found that 33.4% of emails received in H2 2023 were spam, and 1.3% of these were malicious.

"One out of 76, or 1.3%, of received emails were malicious in H2 2023," Acronis says. "Phishing was the number one email threat, representing 78% of malicious emails. Business email compromise (BEC) / social engineering, however, increased from 3% to 15% compared to the same period last year, making it the second most common email threat.

"Malware, the third most common email threat, represented 6% of malicious emails, down from 18% in H2 2022." Acronis concludes that attackers will continue to improve their phishing attacks with the help of AI tools.

"While it's imperative to develop technologies that can identify and defend against these advanced threats, equal importance must be given to establishing a corporate culture of security awareness, one that is prepared to face adversaries armed with AI," the researchers write.

"As we advance into an era in which AI capabilities will only expand, remaining vigilant and adaptable in the face of these intelligent threats will be the cornerstone of corporate cybersecurity."

New-school security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


Americans Lost $10 Billion to Fraud in 2023

The U.S. Federal Trade Commission (FTC) has disclosed that people in the United States lost a record $10 billion to fraud in 2023, a 14 percent increase from 2022. Nearly half of the losses were due to investment scams.

"Consumers reported losing more money to investment scams—more than $4.6 billion—than any other category in 2023. That amount represents a 21% increase over 2022," the FTC says. "The second highest reported loss amount came from imposter scams, with losses of nearly $2.7 billion reported.

In 2023, consumers reported losing more money to bank transfers and cryptocurrency than all other methods combined." The median loss from a scam in 2023 was $7,000, compared to $3,000 in 2019. The five most common fraud techniques involved imposters, online shopping, phony sweepstakes or prizes, investments, and fake job opportunities.

"The FTC received fraud reports from 2.6 million consumers last year, nearly the same amount as 2022. The most commonly reported scam category was imposter scams, which saw significant increases in reports of both business and government impersonators," the FTC says.

"Online shopping issues were the second most commonly reported in the fraud category, followed by prizes, sweepstakes, and lotteries; investment-related reports; and business and job opportunity scams."

Notably, email was the most common medium used by scammers to target victims in 2023. "Another first is the method scammers reportedly used to reach consumers most commonly in 2023: email," the FTC says. "Email displaced text messages, which held the top spot in 2022 after decades of phone calls being the most common.

"Phone calls are the second most commonly reported contact method for fraud in 2023, followed by text messages."

KnowBe4 empowers your workforce to make smarter security decisions every day.


What KnowBe4 Customers Say

"Hi Stu, So far our experience has been good, with the only hiccups being of my own making. :) I have been working with Amy B. and she has been outstanding. We're working through all of the aspects of setup and use, and she has been knowledgeable and accessible. One of the better implementation experiences I've had. So yes sir, I'm a happy camper!"

- R.S., Director, Information Technology

The 10 Interesting News Items This Week

  1. How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities
  2. Ransomware attack forces 100+ Romanian hospitals to go offline
  3. How Tech Giants Turned Ukraine Into an AI War Lab
  4. Health insurance data breach affects nearly half of France's population
  5. Hunter-killer malware is on the rise, and security experts are seriously concerned
  6. Will AI Finally Solve Software Vulnerabilities?
  7. Feds Want to Ban the World's Cutest Hacking Device. Experts Say It's a 'Scapegoat'
  8. U.S. conducted cyberattack on suspected Iranian spy ship
  9. U.S. disrupts Russian hacking campaign that infiltrated home, small business routers: DOJ
  10. U.S. offers up to $15 million for tips on ALPHV ransomware gang
  11. BONUS | Microsoft and OpenAI describe state-sponsored threat actors' use of AI
