CyberheistNews Vol 14 #18 [Wake Up Call] A Fresh Nespresso Domain Hijack Brews an MFA Phishing Scheme

Cyberheist News

CyberheistNews Vol 14 #18  |   April 30th, 2024

[Wake Up Call] A Fresh Nespresso Domain Hijack Brews an MFA Phishing Scheme

Stu Sjouwerman SACP

Attackers are launching phishing campaigns using an open-redirect vulnerability affecting a website belonging to coffee machine company Nespresso, according to researchers at Perception Point.

Open-redirect vulnerabilities enable attackers to send users to phishing sites via seemingly benign links. In this case, the attackers are sending emails that appear to be multi-factor authentication requests from Microsoft.

"This attack starts with an email," the researchers explain. "Albeit in this instance a very strange email that at first glance appears to be a multi-factor authentication request from Microsoft. The email sender is unaffiliated with Microsoft.

"At the bottom of the message it seems that the email has been forwarded twice. This creates a rather muddled message that the attacker likely fabricated entirely. Perhaps the intent of the 'forwarding' was to provide an explanation as to why the email doesn't originate from Microsoft. Regardless of the convoluted details, the overall message is clear."

If the user clicks the link, they'll be sent to a phony Microsoft login page designed to steal their credentials.

"The email urges the recipient to check their recent login activity," the researchers write. "Upon clicking the link, the user is first directed to the infected Nespresso URL, followed by a redirection to an .html file. The goal of using the Nespresso open redirect vulnerability is to evade security measures.

"Attackers know that some security vendors only inspect the initial link, not digging further to discover any hidden or embedded links. With this knowledge, it makes sense that the attacker would host the redirect on Nespresso, as the legitimate domain would likely be sufficient to bypass many security vendors, detecting only the reputable URL and not the subsequent malicious ones."
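The evasion the researchers describe works because a filter stops at the first hop. The added example below (it is not code from Perception Point, Nespresso or KnowBe4) shows the defender's counter-move: walk the redirect chain to its end and judge the link by its final host, flagging the two tell-tales of this campaign, an absolute URL embedded in the query string and a landing host that is not the brand the email claims to be from. Every hostname is a constructed placeholder, and `simulated_fetch` is an assumed stand-in for an HTTP request that returns the `Location` header a server would send.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed placeholder for a legitimate third-party host that carries an
# open redirect; it is not a real vendor or attacker domain.
VULNERABLE_REDIRECTOR = "www.vulnerable-vendor.test"


def simulated_fetch(url):
    """Assumed stand-in for an HTTP request (offline).

    Returns what the server would put in its Location header, or None when the
    URL is a final page. The vendor host reflects its `url` query parameter
    without validation, which is exactly the open-redirect pattern described above.
    """
    parsed = urlparse(url)
    if parsed.netloc == VULNERABLE_REDIRECTOR and parsed.path == "/redirect":
        return parse_qs(parsed.query).get("url", [None])[0]
    if parsed.netloc == "cdn.attacker.test" and parsed.path == "/go":
        # Second hop: the .html page that hosts the phony login form.
        return "https://login-check.attacker.test/verify.html"
    return None


def embedded_urls(url):
    """Absolute URLs carried inside the query string: the tell-tale of a redirector link."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        found.extend(v for v in values if v.startswith(("http://", "https://")))
    return found


def resolve_chain(url, fetch=simulated_fetch, max_hops=10):
    """Follow redirects hop by hop, resolving relative Location values and stopping on loops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:                      # redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def host_under(host, domain):
    """True when `host` is `domain` itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_link(url, claimed_brand_domain, fetch=simulated_fetch):
    """Judge a link by where it ends up, not by the reputation of its first hop."""
    chain = resolve_chain(url, fetch)
    first_host = urlparse(chain[0]).netloc
    final_host = urlparse(chain[-1]).netloc
    findings = []
    if embedded_urls(url):
        findings.append("embedded_url_in_query")
    if final_host != first_host:
        findings.append("final_host_differs")
    if not host_under(final_host, claimed_brand_domain):
        findings.append("brand_mismatch")
    return {"chain": chain, "final_host": final_host, "findings": findings}


if __name__ == "__main__":
    # Constructed link of the shape described in the article: a reputable first
    # hop whose `url` parameter points at attacker infrastructure.
    link = ("https://www.vulnerable-vendor.test/redirect"
            "?url=https%3A%2F%2Fcdn.attacker.test%2Fgo")
    report = assess_link(link, "microsoft.com")
    for hop in report["chain"]:
        print("  ->", hop)
    print("findings:", report["findings"])
```

To run this against live links, replace `simulated_fetch` with a request that does not auto-follow redirects (for example `requests.get(url, allow_redirects=False)` and read `response.headers.get("Location")`), ideally from an isolated sandbox so the check itself does not fetch the harvesting page from a user's machine.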

Blog post with links:

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, May 8, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, May 8, @ 2:00 PM (ET)

Save My Spot!

Half of U.K. Businesses Experienced a Security Breach or Cyber Attack in the Last 12 Months

Analysis of cyber attacks targeting U.K. organizations highlights the effectiveness of social engineering attacks and the fact that businesses are missing the mark on how to stop them.

The U.K. Government just released their Cyber Security Breaches Survey 2024 where they asked U.K. businesses and charities about their experiences with cyber attacks and breaches, their preparedness plans, response plans and the impacts of the attacks.

According to the survey results, half (50%) of all U.K. businesses and one-third (32%) of charities experienced cyber attacks or security breaches in the last year. Broken down by organization size, the figures rise to 70% of mid-sized businesses and 74% of enterprise businesses.

In general, cybersecurity is pretty high on the priority list; 75% of businesses say it's a high priority for them. And yet, only 22% of businesses have formal incident response plans in place. Only 33% say they use security tools designed for monitoring, 17% have done penetration testing and 10% have invested in threat intelligence.

What's interesting is the top two attack/breach types in the report:

  • 84% of businesses experienced phishing attacks
  • 35% of businesses experienced impersonation of their own staff or organization online or in emails

And it's these same two that are also considered the "most disruptive." You'd think businesses would be focused on security measures specifically designed to stop the attacks they experience the most and see the greatest impact from.

And yet, only 18% have run some form of staff training (presumably security awareness training of some kind) as well as phishing testing against users. Both of the top attack/breach types have to do with users being fooled into engaging with a threat actor, or their malicious links and attachments.

If U.K. businesses want to see improvement, they're going to need to take a look at where they're weakest and shore up their security in those areas — in this case, their users.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

[Free Resource Kit] Password Security Resources

May 2, 2024, is World Password Day!

Password threats leave you open to phishing and social engineering attacks, so we created this free resource kit to help you defend against vulnerabilities. Request your kit now for your free resources from Roger A. Grimes, Data-Driven Defense Evangelist.

Learn about the real risks of weak passwords, why password management is key to building a strong security culture and our best advice on how to protect your users and your organization.

Here is what you'll get:

  • Three Password Hacking Demo Videos
  • Access to our free on-demand webinar The Good, the Bad and the Truth About Password Managers featuring Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist
  • Our most popular password whitepaper: What Your Password Policy Should Be
  • A Password Best Practices Guide to share with your users
  • Posters and digital signage to remind users the importance of good password hygiene

Get Your Free Password Security Resources Now!

AI-Assisted Phishing Attacks Are on the Rise

Threat actors are increasingly using generative AI tools to improve their phishing campaigns, according to a new report from Zscaler.

"AI represents a paradigm shift in the realm of cybercrime, particularly for phishing scams," the researchers write. "With the aid of generative AI, cybercriminals can rapidly construct highly convincing phishing campaigns that surpass previous benchmarks of complexity and effectiveness.

"By leveraging AI algorithms, threat actors can swiftly analyze vast datasets to tailor their attacks and easily replicate legitimate communications and websites with alarming precision. This level of sophistication allows phishers to deceive even the most aware users. The potential of AI in reshaping the cyberthreat landscape appears boundless as it continues to redefine what is possible in the world of cyberattacks."

The report also found that the finance and insurance industry saw a 393% year-over-year increase in phishing attacks in 2023. Nearly 28% of all phishing attacks last year targeted this sector.

"This industry is an attractive target for threat actors aiming to engage in identity theft or financial fraud," the researchers write. "The increasing reliance on digital financial platforms provides ample opportunities for threat actors to carry out phishing campaigns and exploit vulnerabilities in this sector."

Additionally, Zscaler observed an increase in phishing kits designed to bypass multi-factor authentication.

"Over the past year, a concerning trend has emerged where adversaries successfully circumvent enterprise multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) proxy-based phishing attacks," the report says.

"In the coming year, we expect phishing kits to increasingly include sophisticated AiTM techniques, localized phishing content, and target fingerprinting — of course enabled by AI. These advancements will allow attackers to conduct high-volume phishing campaigns aimed at evading MFA protections at enterprise scale."

Blog post with links:

7 Steps for Building a Security Culture

The phrase "security culture" has become a popular term within the corner offices of IT leaders and C-level executives, but there is a problem. The definition of "security culture" isn't always clear, and the steps for building a stronger security culture are even more murky.

Many leaders only have a vague understanding of what security culture is and how to start to favorably change it within their organization.

Download this guide to understand:

  • The seven steps for successfully building a security culture within your organization
  • The various "dimensions," or variables, that you'll need to change to build a strong culture
  • The critical concept of ABC: Awareness, Behavior and Culture

Download Now:

[NEW GAME] Level Up Your Users' Cybersecurity Skills with 'The Inside Man: New Recruits'

We're thrilled to announce our newest addition to our ModStore's already brimming collection of games with a new offering based on our award-winning "The Inside Man" training series!

"The Inside Man: New Recruits" makes your users part of the series as they help protect the Khromacom corporation from possible hackers. They'll be recruited by series lead Mark Shepherd and interact with many other characters as they complete challenges related to password security, document handling, physical security, social media sharing, phishing and more.

The game can serve as a great reminder as part of your training campaigns and is recommended for learners that have completed the first season of the series, or need a refresher after completing the fifth season.

"Mark Shepherd, The Inside Man himself, is recruiting a crack security team to thwart the sinister 'Handler.' Your mission is to accumulate points in a series of challenges that apply lessons learnt throughout The Inside Man series, to test your expertise in combating phishing, social engineering, password breaches, ransomware and document security."

This new game is 10 minutes in duration, available in English (GB), and at the Diamond subscription level.

Blog post with details:

REMEMBER: This week is World Password Day on May 2nd! Get your free password security resource kit:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Compliance Plus Fresh Content Updates from April 2024:

PPS: [Great Resource] The 'Strategy of Security' site combines cybersecurity's most valuable stories, ideas, and data to find insights that help you win:

Quotes of the Week
"One way to get the most out of life is to look upon it as an adventure."
- William Feather - Author (1889 - 1981)

"True happiness comes from the joy of deeds well done, the zest of creating things new."
- Antoine de Saint-Exupéry - Writer (1900 - 1944)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Global Optics Provider Hit with Ransomware Attack and a $10M Ransom

Global optics manufacturer Hoya had business operations at its headquarters and several business divisions impacted and is now facing a "No Negotiation / No Discount Policy" $10 million ransom decision to make.

On March 29, Hoya, which employs over 37,000 people in 160 offices and 30 countries, was the target of a ransomware attack by an affiliate of the ransomware-as-a-service group "Hunters International."

The company minimally acknowledged the attack on their website, and later provided additional detail in a separate statement. Bleeping Computer obtained dark web proof of the ransom by Hunters International, alleging 1.7 million files being stolen, totaling 2TB of data:

The impact on production ordering systems may indicate that initial access came from a vulnerability exploit or a supply chain attack. However, because 60% of the code used by Hunters International is identical to Hive, many believe this group is simply a renamed version of Hive — a group that uses compromised credentials to gain access to VPNs and remote access solutions.

The gathering of credentials, of course, usually is sourced from phishing campaigns intent on credential harvesting to be sold on the dark web — an attack easily avoided by organizations who enroll their users in new-school security awareness training.

Blog post with links and $10M ransom screenshot:

U.S. Justice Department Accuses Iranian Nationals of Launching Spear Phishing Attacks

The U.S. Department of Justice has indicted four Iranian nationals for allegedly launching spear phishing attacks against the U.S. government and defense contractors. In one instance, the hackers compromised over 200,000 employee accounts at a victim organization.

"In conducting their hacking campaigns, the group used spear phishing — tricking an email recipient into clicking on a malicious link — to infect victim computers with malware," the Justice Department said. "During their campaigns against one victim, the group compromised more than 200,000 employee accounts.

"In another campaign, the conspirators targeted 2,000 employee accounts. In order to manage their spear phishing operations, the group created and used a particular computer application that enabled the conspirators to organize and deploy their spear phishing attacks."

The DOJ says the individuals used their access to one victim organization to launch convincing spear phishing attacks against other defense contractors.

"In the course of these spear phishing attacks, the conspirators compromised an administrator email account belonging to a defense contractor (Defense Contractor-1)," the DOJ said. "Access to this administrator account empowered the conspirators to create unauthorized Defense Contractor-1 accounts, which the conspirators then used to send spear phishing campaigns to employees of a different defense contractor and a consulting firm."

The individuals also allegedly used catfishing tactics to trick their targets into installing malware.

"In addition to spear phishing, the conspirators utilized social engineering, which involved impersonating others, generally women, to obtain the confidence of victims," the Justice Department said. "These social engineering contacts were another means the conspiracy used to deploy malware onto victim computers and compromise those devices and accounts."

New-school security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.

The U.S. Justice Department has the story:

What KnowBe4 Customers Say

"Hi Stu, Thank you for your personal message and the interest in our experience with KnowBe4's training and phishing service. We are certainly satisfied with the program and the results we have observed at Geelen Beton. It's refreshing to see that you are proactively reaching out to me.

We are also happy with the continuous updates and the evolving content you provide, which helps keep awareness sharp and current."

- M.B., Financieel Directeur

"Dear Stu (still cannot believe it is really you … but well, feels good to talk to "the man at the top"!). Many thanks for asking. We are very happy to have chosen KnowBe4 for security awareness trainings. We are not power users, unfortunately. But we will use the product continuously.

Fun fact: today I wrote an email to the IT guys here, requesting that KnowBe4 should be the mandatory tool for all entities. Currently only two entities are using KnowBe4."

- B.M., Head of IT

The 10 Interesting News Items This Week
  1. [BUDGET AMMO] Yours truly in DarkReading: "Where Hackers Find Your Weak Spots. The five intelligence sources that power social engineering scams":

  2. Fake job interviews target developers with new Python backdoor — social engineering:

  3. Findings from the DEFCON31 AI Village Inaugural Generative AI Red Team Challenge:

  4. U.S. government sanctions Iranians linked to government cyber attacks:

  5. Sweden's liquor shelves to run empty this week due to ransomware attack:

  6. Suspected North Korean hackers hijack antivirus updates to install malware:

  7. Deepfakes in the courtroom: U.S. judicial panel debates new AI evidence rules:

  8. 93% of security leaders anticipate daily AI attacks by 2025:

  9. France seeks new EU sanctions to target Russian disinformation:

  10. Microsoft's Phi-3 shows the surprising power of small, locally run AI language models:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
