CyberheistNews Vol 14 #13 If Social Engineering Accounts for Up to 90% of Attacks, Why Is It Ignored?


CyberheistNews Vol 14 #13  |   March 26th, 2024

If Social Engineering Accounts for Up to 90% of Attacks, Why Is It Ignored?

By Roger Grimes

Social engineering and phishing are involved in 70% to 90% of all successful cybersecurity attacks. No other initial root hacking cause comes close.

This is not a recent development. Social engineering has been the number one type of attack since the beginning of networked computers. Despite this long-time fact, most organizations do not spend 3% of their IT/IT security budget to fight it.

It is this fundamental misalignment of resources against the ways people and devices are hacked that allows hackers and their malware programs to continue to be so successful for decades. This is the number one problem, and why we keep getting hacked.

When I tell people about this long-running conundrum, they ask why it is so. There are many reasons, ultimately, including that there are a lot of different ways you could be broken into, all of which you're expected to prevent, all at once.

Cybersecurity compliance regulations often have hundreds of controls you are expected to deploy and oversee. But every control that focuses on something far less likely to happen while ignoring what is very likely to happen is an inefficient, likely failed defense.

We are being told that we need to focus on everything, or on the wrong thing, and we are not being told what the biggest part of the problem is, by far, or that we need to focus on it first and best.

And the problem is not just occurring at the individual cyber defender level, or even at the individual organization level. It is a global systemic problem. Even the national and global organizations specifically created to protect you against cyber threats are letting you down and telling everyone to focus on the wrong problems.

[CONTINUED] at the KnowBe4 blog with links and screenshots:
https://blog.knowbe4.com/social-engineering-accounts-for-90-of-attacks-why-is-it-ignored

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, April 3, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, April 3, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/kmsat-demo-1?partnerref=CHN

Phishing Tops 2023's Most Common Cyber Attack Initial Access Method

New analysis shows that the combination of phishing, email, remote access and compromised accounts are the focus for most threat actors.

Data across the industry corroborates new findings in cyber risk advisory and response firm Kroll's just-released Q4 2023 Cyber Threat Landscape Report. But what's interesting in this report is how the data tells a story of where organizations are falling short in their preventative efforts.

First, let's jump into the findings of where each of the common initial access methods rank. While phishing decreased a bit between 2022 and 2023, it still dominates as the most-used method.

Interesting to note is the massive jump in the use of valid accounts whereby initial access brokers compromise accounts and sell them to threat actors who leverage the accounts as a means of gaining access to an organization. Since we all know how most of those valid accounts were obtained, I'm going to point out that phishing is an even bigger problem.

If we "zoom out" a bit and look at the most common incident threat types, we see ransomware taking a back seat last year to email compromise — again, likely using credential harvesting to obtain credentials.

Phishing is the Problem

The underlying story here is clear — phishing is the problem. Whether we're talking about phishing with the intent of compromising credentials to be used later, or phishing used to infect systems and gain access, cybercriminals are leveraging phishing more now than ever.

Your layered defense against these attacks must include a vigilant user: one who has undergone continual security awareness training, knows what to look for, and can spot a suspicious email.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/phishing-tops-2023-most-common-cyber-attack

Re-Check Your Email Attack Surface Now. (We are always adding new breaches)

Your users are your largest attack surface. Data breaches are getting larger and more frequent. Cybercriminals are getting smarter every year. Add it all up and your organization's risk skyrockets with the amount of your users' credentials that are exposed.

It's time to re-check your email attack surface.

Find out your current email attack surface now with KnowBe4's Email Exposure Check Pro. EEC Pro identifies your at-risk users by crawling business social media information and now also thousands of breach databases.

EEC Pro leverages one of the largest and most up-to-date breach data sources to help you find even more of your users' compromised accounts that have been exposed in the most recent data breaches — fast.

Do this complimentary test now!

Get your EEC Pro Report in less than 5 minutes. It's often an eye-opening discovery. You are probably not going to like the results...

Get Your Report:
https://info.knowbe4.com/email-exposure-check-pro-chn-2

[Heads-Up] Phishing Campaign Delivers VCURMS RAT

Researchers at Fortinet are tracking a phishing campaign that's distributing a new version of the VCURMS remote access Trojan (RAT).

"Recently, FortiGuard Labs uncovered a phishing campaign that entices users to download a malicious Java downloader with the intention of spreading new VCURMS and STRRAT remote access trojans (RAT)," the researchers write.

"The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware. The attacker attempts to use email as its command and control throughout the attack campaign. The receiving endpoint utilizes Proton Mail, which offers email services that include privacy protection."

The malware is delivered via phishing emails that appear to contain payment related information. "It targets staff members, implying that a payment is underway and encourages them to click a button to verify payment information," Fortinet says.

"Upon clicking the button, a harmful JAR file hosted on AWS is downloaded to the victim's computer... The downloaded files resemble typical phishing attachments with spoofed names intended to lure people into opening them.

"The malicious attachments will install a new strain of the VCURMS RAT that can exfiltrate account information, including cookies, autofill data, browsing history, and passwords from browsers.

"This comprehensive attack operation deploys several malicious programs simultaneously on a victim's system," the researchers write. "It deploys a well-known STRRAT and a new VCURMS based on Java.

"Even though the VCURMS RAT primarily handles command and control communication, it also includes a modified version of a Rude Stealer and a keylogger in its second phase to gather sensitive data from the victim's system.

"We discovered that the threat actor was using multiple obfuscation techniques to avoid detection and attempting to use email for communicating with the command and control server."
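
The email-based command and control that Fortinet describes gives defenders a network-level signal: a Java runtime, rather than a mail client, opening SMTP or IMAP connections. The Python below is an added example (not Fortinet's or KnowBe4's code) that walks constructed endpoint connection logs in an assumed `timestamp host process ip:port` format and flags non-mail-client processes talking to mail ports; the log lines, host names and process allow-list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed endpoint connection-log sample (not real telemetry).
# Assumed format per line: <timestamp> <host> <process> <dest_ip>:<dest_port>
SAMPLE_LOG = """\
2024-03-21T09:12:03Z WS-017 outlook.exe 203.0.113.10:993
2024-03-21T09:12:44Z WS-017 chrome.exe 198.51.100.7:443
2024-03-21T09:13:10Z WS-017 java.exe 203.0.113.25:443
2024-03-21T09:13:12Z WS-017 java.exe 203.0.113.40:587
2024-03-21T09:13:15Z WS-017 java.exe 203.0.113.40:993
2024-03-21T09:14:02Z WS-022 javaw.exe 192.0.2.9:465
2024-03-21T09:15:30Z WS-031 thunderbird.exe 203.0.113.10:143
"""

# SMTP (25/465/587), IMAP (143/993) and POP3 (110/995) service ports.
MAIL_PORTS = {25, 465, 587, 143, 993, 110, 995}
# Assumed allow-list of processes that legitimately speak these protocols;
# tune this to the mail clients actually deployed in your environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, ip, port = m.groups()
    return {"ts": ts, "host": host, "proc": proc.lower(), "ip": ip, "port": int(port)}


def find_mail_c2_candidates(log_text):
    """Map (host, process) -> list of mail ports contacted, for every process
    that is not an approved mail client. A JAR-based RAT using mail as C2
    shows up here as java.exe/javaw.exe reaching SMTP/IMAP ports."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        if rec["port"] in MAIL_PORTS and rec["proc"] not in MAIL_CLIENTS:
            hits[(rec["host"], rec["proc"])].append(rec["port"])
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), ports in find_mail_c2_candidates(SAMPLE_LOG).items():
        print(f"{host}: {proc} contacted mail ports {sorted(set(ports))}")
```

A hit is a lead for triage, not proof of compromise: confirm the process's parent, binary path and the remote host before escalating.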

Blog post with links:
https://blog.knowbe4.com/phishing-campaign-delivers-vcurms-rat

[Whitepaper]: Overcoming The Phishing Tsunami: A Game-Changing Strategy For Stopping Phishing

Phishing attacks often feel like an unrelenting tsunami, flooding your organization with a never-ending deluge of threats.

Traditional methods for analyzing and mitigating phishing attacks are manual, repetitive and error-prone. These workflows slow the speed at which you can mitigate a spear-phishing attack and increase the risk that phishing presents to your organization.

There is a better way. One that shifts the burden off your IT team to a unique, AI-powered system built from the ground up to automate the identification and prioritization of phishing threats and uses crowdsourced threat intelligence to improve accuracy and speed time to mitigation.

Read this whitepaper to learn:

  • The five major challenges you'll face when manually reporting, analyzing and mitigating phishing attacks
  • How the right SOAR product can provide finely-tuned, automated identification and mitigation of phishing emails
  • Why the right SOAR product is crucial to your organization's incident response plan and supercharging your existing email security filters

Download Now:
https://info.knowbe4.com/wp-overcoming-the-phishing-tsunami-chn

High-Risk Clickbait Alert: 'Kate Middleton Diagnosed with Cancer'

I'd like to warn everyone that bad actors are jumping on this very high-risk clickbait topic. The UK royal family is by its nature a high-interest topic, but this one maxes out the risk scale.

We made two phishing templates based on recent newspaper articles. They live in the Current Events category in your KnowBe4 console. Template names are as follows:

  • The Epoch Times: BREAKING - Kate Middleton Diagnosed With Cancer (Link)
  • BBC: Live updates - Princess of Wales says she has Cancer (Link)

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [WHOA NELLIE] Mind-blowing Expressive Portrait Videos with Audio2Video Diffusion Model:
https://humanaigc.github.io/emote-portrait-alive/

PPS: CISA Recommends Continuous Cybersecurity Training:
https://blog.knowbe4.com/cisa-recommends-continuous-cybersecurity-training

Quotes of the Week
"An investment in knowledge pays the best interest."
- Benjamin Franklin (1706 - 1790)

"I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times."
- Bruce Lee (1940 - 1973)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-13-if-social-engineering-accounts-for-up-to-90-percent-of-attacks-why-is-it-ignored

Security News

Social Engineering the #1 Root Cause Behind Most Cyber Crimes in FBI Report

Most cyber defenders know that social engineering and phishing are top reasons why people and networks are successfully attacked, but do not understand exactly how big of a problem they are, especially when compared to other types of initial root hacking causes.

There are many reasons why this is the case, but part of the problem is how companies, surveys and the authorities incorrectly cover initial root hacking causes. The most common mistake they make is conflating initial root hacking causes with outcomes of root hacking causes.

Let me use the FBI's most recent IC3 report as an example. It is one of the most well-respected reports, with great data and shows trends over many years. This blog post has a screenshot (from page 20 of their report) showing types of cybercrime.

And KnowBe4 readers will absolutely notice that Phishing/Spoofing is the top crime by far. Just using the FBI's numbers and categories, it is 43% of all crimes listed. The next closest category, Personal Data Breach, is just 8% of crime.

[CONTINUED] Blog post with links and screenshots:
https://blog.knowbe4.com/did-you-notice-how-much-fbi-other-crime-is-really-social-engineering

Tax Season Phishing Campaigns Have Started Again

Researchers at Microsoft Threat Intelligence warn that attackers are sending tax-themed phishing emails to trick users into installing malware.

"At the end of January 2024, Microsoft Threat Intelligence observed a campaign using lures masquerading as tax-related documents provided by employers," the researchers write. "The phishing email contained an HTML attachment that directed the user to a fake landing page.

"This page hosted malicious executables and once the target clicked on the 'Download Documents' prompt, malware installed on their computer. The malicious executable file dropped on the target's machine had information stealer capabilities. Once in the environment, it attempted to collect information including login credentials."

Microsoft notes that the attackers "typically impersonate employers and human resources personnel, the Internal Revenue Service (IRS), or taxation-related entities such as state tax organizations or tax preparation services."

The researchers add, "Although everyone is susceptible to tax-season phishing, we have noted that certain groups of people are more vulnerable than others. Prime targets include individuals who may be less informed about government tax procedures and methods—green card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60."

Microsoft concludes that awareness and multifactor authentication are two essential defenses against phishing attacks. "The best defense against cybercriminals, both at tax season and throughout the year, is education and good cyber hygiene," the researchers write.

"Education means phishing awareness—knowing what phishing attempts look like and what to do when they're encountered. Good cyber hygiene means implementing basic security measures like multifactor authentication for financial and email accounts. With multifactor authentication enabled, you can prevent 99.9% of attacks on your accounts."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

We could not agree more. Microsoft has the story:
https://www.microsoft.com/en-us/security/blog/2024/03/20/microsoft-threat-intelligence-unveils-targets-and-innovative-tactics-amidst-tax-season/

What KnowBe4 Customers Say

"We've been using KnowBe4 for slightly less than a year (very impressed with your program) and I've learned today that Sophie M., whom I had the pleasure of working with, is taking on a new role, so I've asked where I could leave a review and she gave me your email address.

I am writing to express my utmost satisfaction and gratitude for the exceptional support and expertise provided by Sophie McLaughlin collaborating with us.

While the platform is undeniably impressive, Sophie's involvement has truly elevated our experience to unprecedented levels. Her guidance and assistance have been instrumental in maximizing the effectiveness of our training initiatives.

With her insightful recommendations and support we have been able to structure our courses more strategically and develop tailored programs that directly address the skillsets required in the team.

Furthermore, Sophie's expertise in analyzing our SAPA results has proven invaluable in refining our training approach. She has played a key role in helping us interpret the data and implement targeted strategies to improve our overall security posture.

Her professionalism, expertise, and unwavering commitment to excellence have been exemplary, and I am grateful for the opportunity to have worked with her."

- C.O., Global Manager, Operations

The 10 Interesting News Items This Week
  1. U.S. is still chasing down pieces of Chinese hacking operation, NSA official says:
    https://therecord.media/china-hacking-volt-typhoon-response-nsa-rob-joyce

  2. As Boards Focus More on Cybersecurity, Are They Missing One of the Biggest Threats? (Themselves):
    https://www.wsj.com/tech/cybersecurity/cyber-security-internal-threats-4d4c70dd?

  3. Russian APT28 Hacker Group Targeting Europe, Americas, Asia in Sophisticated Phishing Scheme:
    https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html

  4. Chinese Earth Krahang hackers breach 70 orgs in 23 countries:
    https://www.bleepingcomputer.com/news/security/chinese-earth-krahang-hackers-breach-70-orgs-in-23-countries/

  5. Ukraine arrests hackers trying to sell 100 million stolen accounts:
    https://www.bleepingcomputer.com/news/security/ukraine-arrests-hackers-trying-to-sell-100-million-stolen-accounts/

  6. Hacked Spa Gran Prix email account leads to phishing attacks against Formula 1 fans:
    https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account-hacked-to-phish-banking-info-from-fans/

  7. [Supply Chain Attacks] WSJ: "Cyber Chiefs Are Wary of Vendor Security":
    https://blog.knowbe4.com/heads-up-reinforce-your-defenses-against-rising-supply-chain-cyber-threats

  8. CISA shares critical infrastructure defense tips against Chinese hackers:
    https://www.bleepingcomputer.com/news/security/cisa-shares-critical-infrastructure-defense-tips-against-chinese-hackers/

  9. EPA looking to create water sector cyber task force to reduce risks from Iran, China:
    https://therecord.media/epa-water-sector-cyber-task-force-china-iran

  10. Why AI Obituary Scams Are a Cyber-Risk for Businesses:
    https://www.darkreading.com/threat-intelligence/why-ai-obituary-scams-cyber-risk-businesses

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff