CyberheistNews Vol 14 #26 | June 25th, 2024
[Heads Up] Tricky Fake Invoice Phishing Attack Uses Search to Deliver Malware
Researchers at Trustwave warn that a phishing campaign is distributing malware via HTML attachments disguised as invoices. Notably, the HTML files abuse the Windows Search protocol to launch Windows Explorer and trick users into installing the malware.
"Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware," the researchers state.
"We found the threat actors utilizing a sophisticated understanding of system vulnerabilities and user behaviors....The campaign starts with a suspicious email containing an HTML attachment disguised as a routine document, like an invoice. The threat actor encloses the HTML file within a ZIP archive to enhance deception and evade email security scanners."
When the user opens the HTML file, they'll be prompted to allow the search function. The function will attempt to trick the user into running a malicious script.
"The attack moves to its next phase after the user permits the search action," Trustwave explains. "The search function retrieves invoice-named files from a remote server. Only one item, particularly a shortcut (LNK) file, appears in the search results. This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially trigger additional malicious operations."
Trustwave concludes that user awareness is necessary to thwart evolving social engineering tactics.
"The HTML document serves as a crucial component in this attack, facilitating the execution of a script that exploits the Windows search functionality," the researchers write. "While this attack does not utilize automated installation of malware, it does require users to engage with various prompts and clicks.
However, this technique cleverly obscures the attacker's true intent, exploiting the trust users place in familiar interfaces and common actions like opening email attachments. As users continue to navigate an increasingly complex threat landscape, ongoing education, and proactive security strategies remain paramount in safeguarding against such deceptive tactics."
We could not agree more. Blog post with links:
https://blog.knowbe4.com/phishing-campaign-abuses-windows-search-to-distribute-malware
[New Features] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training is simply not effective. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, July 10, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at three new features and see how easy it is to train and phish your users.
- NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how 65,000+ organizations have mobilized their end users as their human firewall.
Date/Time: Wednesday, July 10, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-1?partnerref=CHN
The Overlooked Truth: User Experience in Cybersecurity
By Javvad Malik
We live in a world where the term "cybersecurity" tends to make folks either shiver with anxiety or yawn with boredom.
The narrative has always been about hacking, phishing and all sorts of digital skullduggery. However, the overlooked truth is that users don't adopt best security practices because they're designed without the slightest nod to the user experience.
It's a bit like asking someone to squeeze through a medieval castle's portcullis just to check their email; the intention is good, but the execution, well, not so much.
The UX Problem in Security Design
User experience (UX) is the secret sauce that makes any interaction with technology not just bearable, but enjoyable. A lot of Apple's initial success was down to Steve Job's obsession with aesthetics and simplicity. The way the software was designed, the physical hardware, even unboxing the product feels like a special experience.
Imagine visiting a theme park with rides designed by engineers who think safety means taking you through a safety briefing, putting on fire proof clothing, spending 30 minutes strapping you in, and another 15 minutes checking you individually. Only to go on a rollercoaster which stays perfectly horizontal and never exceeds 3mph (about 5 km/h for my European friends).
Sure, you'll be safe, but would you ever go there again? That's what bad UX in cybersecurity feels like — a grim endurance test where users are belted and buckled into layers of protocols, each more confounding than the last.
Think about it — every time you try to log into a system and encounter a security barrier that feels like jumping through flaming hoops, a little part of your soul dies. And that's not because the controls are inherently painful, but because we're not considering what it's like to be on the other side of those hoops.
[CONTINUED WITH] The Case of Multi-Factor Authentication:
https://blog.knowbe4.com/the-overlooked-truth-user-experience-in-cybersecurity
Now Available: Outlook's New Ribbon Phish Alert Button
Bad actors are flooding your users' inboxes with malicious emails, hoping just one of them falls for the attack. Your users reporting suspected phishing emails is a last line of defense against cyber threats, but the process of reporting has not always been straightforward.
KnowBe4's Microsoft Ribbon Phish Alert Button (PAB) streamlines the reporting process with just a single click. This new PAB transforms Microsoft's native spam reporting button in Outlook into KnowBe4's industry-leading PAB to deliver a uniform experience across most Outlook versions.
Key benefits include:
- Consistent User Experience
- Efficient Reporting
- Enhanced Security
- Collaboration and Innovation
- Seamless Integration
This add-in PAB is the first step in further enhancing your management of social engineering threats and building a strong security culture with KnowBe4.
Learn more by watching this announcement video from Microsoft Build Conference (starting at 3:40):
https://www.youtube.com/watch?v=5NKLh9D1Z3Q
Vacation-Themed Scams Are Spiking
Scammers are now impersonating legitimate services like Booking[.]com and Kayak to target people planning their summer vacations. One out of every 33 vacation themed domains registered last month was malicious, researchers at Check Point warn.
"In May 2024, Check Point Research (CPR) detected a significant surge in summer related cyber scams, highlighting the need for travelers to stay informed and proactive in safeguarding their personal information," the researchers write.
"Specifically, a notable surge in newly created domains related to holidays or vacations was observed, with a significant increase compared to the same period last year. Out of the 25,668 new domains registered, one out of every 33 was found to be either malicious or suspicious."
Educate your users. Check Point offers the following advice:
- "Verify website authenticity by checking for HTTPS in the URL and look for trust indicators such as padlock symbols or site seals. Avoid entering personal information on websites with suspicious URLs or those with misspellings
- Exercise caution with emails, even those seemingly from reputable sources. Be wary of unexpected attachments or requests for personal information. When in doubt, contact the company directly using contact information from their official website instead of clicking on links in the email
- Stay informed about the latest cyber security threats and scams by following reputable cyber security blogs, subscribing to security newsletters, and participating in online forums or communities where cyber security professionals share insights and advice
- Use comprehensive security software such as antivirus and anti-malware programs to regularly scan your devices for threats. Keep these programs updated with the latest definitions to ensure they can detect and prevent new forms of malware"
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/vacation-themed-scams-are-spiking
Take the KnowBe4 2024 "Human Risk Report" Survey!
Most security measures are designed to detect and stop threatening actions. But users within the organization create a cybersecurity risk through their actions and inactions. This human risk creates repercussions that include successful ransomware attacks, exfiltration of data, loss of funds and more.
In this fast, 8-minute "2024 Human Risk Report" online survey, we want to hear about what issues are of great concern to you and your organization — and how you're working to address them.
Take the Survey Now:
https://www.surveymonkey.com/r/R8P3DT6
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [BUDGET AMMO #1] What Happens When An Organization Suffers From A Poor Security Culture?:
https://www.forbes.com/sites/forbesbusinesscouncil/2024/06/20/what-happens-when-an-organization-suffers-a-poor-security-culture/
PPS: [BUDGET AMMO #2] Five Steps To Decoding AI-Powered Impersonation Attacks via @forbes:
https://www.forbes.com/sites/forbestechcouncil/2024/06/21/five-steps-to-decoding-ai-powered-impersonation-attacks/
- Pythagoras - Mathematician (582 - 497 BC)
- Marcus Garvey - Jamaican political leader (1887 - 1940)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-26-heads-up-tricky-fake-invoice-phishing-attack-uses-search-to-deliver-malware
Beware of Olympics-Themed Phishing Scams
Olympics-themed phishing emails have surged over the past several weeks, according to researchers at Bitdefender's Antispam Lab. These phishing campaigns began ramping up last month, primarily targeting users in France, Ireland, Germany, the U.S., the UK and Italy. The researchers expect these scams to increase over the summer ahead of the Paris Olympics next month.
"Significant events like the Olympics have become a prime target for scammers and cybercriminals who are set to exploit the excitement and attention of the media, online and offline attendees, and even the partner and organizational committees," the researchers state.
Notably, Bitdefender has observed several Olympic Games-themed lottery scams that attempt to trick people into sending personal and financial information. "Cybercrooks use the names of national lotteries, financial institutions, and big tech giants to lure unsuspecting internet users," the researchers write.
"Common impersonated brands include Coca-Cola, Microsoft, Google, the Turkish National Lottery, and the World Bank. The top destinations for this kind of lottery scams include the US, Japan, Germany, France, Australia, the UK and Slovakia.
"Alleged winnings range from $550,000 USD to $850,000 USD, depending on the campaign, and the body of messages is similar to your run-of-the-mill email lottery scam messages, with fraudsters simply adapting the text to suit the event."
Bitdefender offers the following advice to help users avoid falling for these phishing attacks:
- "Verify the source: Only open emails and messages from known senders. If you receive a suspicious message claiming to be from an official Olympic source, verify its legitimacy by checking the official website or contacting the organization directly.
- Look for red flags: Be wary of emails that contain spelling errors, generic greetings, or urgent requests for personal information.
- Do not click on suspicious links: Hover over links to see the actual URL before clicking. If the link looks suspicious or unfamiliar, do not click on it.
- Use a security solution: A trustworthy security solution can protect you from malicious software, phishing attempts, and fraud."
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Bitdefender has the story:
https://www.bitdefender.com/blog/hotforsecurity/bitdefender-antispam-lab-warns-of-olympics-themed-phishing-scams/
BEC Attacks Accounted for More Than One in Ten Social Engineering Attacks in 2023
A new report from Barracuda has found that email conversation hijacking attacks have risen by 70% since 2022. Additionally, business email compromise (BEC) attacks accounted for 10.6% of social engineering attacks in 2023, compared to 8% in 2022 and 9% in 2021.
These attacks require more effort on the part of attackers, but they typically have a much higher payout than other forms of social engineering. "Compared to all social engineering emails analyzed in this report, attacks that leveraged Gmail were significantly more skewed toward BEC," the report says. "Just over 50% of Gmail attacks were used for BEC attacks, compared to 10.6% of all malicious emails.
From gift card scams to various financial transactions, these attacks often exploit urgency or authority in order to trick victims into acting quickly, precluding the type of end-user scrutiny needed to recognize that something is amiss."
The report also found that one in twenty inboxes received QR code phishing attacks in 2023. These attacks are more likely to bypass email security filters.
"QR code attacks are difficult to detect using traditional email filtering methods," Barracuda says. "There is no embedded link or malicious attachment to scan. Email filtering is not designed to follow a QR code to its destination and scan for malicious content.
"QR codes sent via email also take victims away from corporate machines and force them to use a personal device, such as a phone or iPad, which isn't protected by corporate security software."
The researchers emphasize that employee awareness is an important layer of defense against phishing and other social engineering attacks. "Educate users about the latest email threats by making it a part of security awareness training," Barracuda says.
"Ensure employees can recognize these attacks, understand their fraudulent nature, and know how to report them. Use phishing simulation for emails and voicemail to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the users most vulnerable to attacks."
Story at PRNewsWire:
https://www.prnewswire.com/news-releases/conversation-hijacking-up-70-and-1-in-10-email-based-attacks-are-now-business-email-compromise-302174802.html
What KnowBe4 Customers Say
"Hello Stu, thanks for reaching out on a Friday. Things are great and everyone is pleased with KnowBe4 for PAB and security awareness. We're also an Egress Defend shop and rely heavily on that service.
We're looking forward to seeing how KB4 integrates the products, and trust that you will do a masterful job. Please don't break anything. Back to happy camping!"
- L.T., Chief Technology Officer
"Hi Stu, I received positive feedback from my colleagues after they completed Kevin Mitnick's 45-minute video and seeing everyone's scoring will help me to tailor training in the future. Also, your team has faithfully touched base with me since we signed on with your service and their support has been wonderful. Thank you for checking in and for providing a great service for us to use."
- G.C, Technology Officer
- What to do about the rise of unknown attack vectors in the ransomware playbook:
https://www.scmagazine.com/perspective/what-to-do-about-the-rise-of-unknown-attack-vectors-in-the-ransomware-playbook - Crypto Industry Faces $19 Billion In Losses From 785 Hacks Over 13 Years:
https://www.oodaloop.com/briefs/2024/06/14/crypto-industry-faces-19-billion-in-losses-from-785-hacks-over-13-years/ - Alleged Boss of 'Scattered Spider' Hacking Group Arrested:
https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/ - Empire Market owners charged for enabling $430M in dark web transactions:
https://www.bleepingcomputer.com/news/legal/empire-market-owners-charged-for-enabling-430m-in-dark-web-transactions/ - As Expected. Russian Disinformation Videos Smear Biden Ahead of U.S. Election:
https://www.nytimes.com/2024/05/15/us/politics/russia-disinformation-election.html? - Security bug lets anyone spoof Microsoft corporate email accounts:
https://techcrunch.com/2024/06/18/security-bug-allows-anyone-to-spoof-microsoft-employee-emails/?guccounter=1 - Did you know the U.S. has a Foreign Malign Influence Center (FMIC)?:
https://www.dni.gov/index.php/nctc-who-we-are/organization/340-about/organization/foreign-malign-influence-center? - Chinese Hackers Leveraged Legacy F5 BIG-IP Appliance for 3-year dwell-time Persistence:
https://www.securityweek.com/chinese-hackers-leveraged-legacy-f5-big-ip-appliance-for-persistence/ - AI Chatbot Fools Scammers & Scores Money-Laundering Intel:
https://www.darkreading.com/cyber-risk/ai-chatbot-fools-scammers-and-scores-money-laundering-intel - U.S. blacklists sale of Russia-based Kaspersky products over ties to Kremlin. Now extends to private sales!:
https://www.nextgov.com/cybersecurity/2024/06/us-blacklists-sale-russia-based-kaspersky-products-over-ties-kremlin/397503
- Virtual Vaca #1 - My Trip to the Nevada Valley of Fire and Red Rock Canyon:
https://www.youtube.com/watch?v=R5uknhQQRLE - Virtual Vaca #2 - Alaska Changing of the Seasons in 8K:
https://www.youtube.com/watch?v=mvbKNojXxW4 - Virtual Vaca #3 to the past! A Fascinating HD Virtual Journey Through Ancient Rome:
https://www.flixxy.com/a-virtual-journey-through-ancient-rome.htm?utm_source=4 - Gorgeous Planet Earth! in 12K HDR 120FPS Video - Dolby Vision:
https://youtu.be/qc6wtsDRb7g - Evolution of Fashion According to AI. The rest of this century is pretty cool!:
https://www.flixxy.com/evolution-of-fashion-according-to-ai.htm?utm_source=4 - People are moved by 'heart breaking' images from NASA which tell dozens of stories about our populations:
https://www.uniladtech.com/science/people-moved-by-nasa-heartbreaking-images-754527-20240618 - A Compilation of Mind-Blowing Goals Achieved:
https://youtu.be/LeEuQ6bksJE - Why Slovakia is Dismantling its Soviet-Era Nuclear Reactors:
https://youtu.be/31FzwWKvSOY - Pretty Awesome Eiger Ridge Wingsuit flight:
https://youtu.be/Mm_0mdivkjY - Mate Rimac Gives Us A Tour of The NEW Hybrid V-16 1775 HP Bugatti Tourbillon. I want one:
https://www.youtube.com/watch?v=NQFxotY_Jqk - Runway unveils new hyper realistic AI video model Gen-3 Alpha, capable of 10-second-long clips:
https://runwayml.com/blog/introducing-gen-3-alpha/ - For Da Kids #1 - Tiny Horse Takes Off Like A Rocket Ship When He Zooms:
https://youtu.be/zUf7cF2sWq0 - For Da Kids #2 - The octopus squid breaks the rules, having 8 arms instead of 10:
https://youtu.be/qPjftibuMpU - For Da Kids #3 - Silly Donkeys Play With Wheelbarrows And Make Family Laugh:
https://youtu.be/QAyGHZNJF2M - For Da Kids #4 - Pigeon loses ability to fly. He adapts by becoming one of the dogs:
https://youtu.be/mW1QcIAxth8 - For Da Kids #5 - Guy's epic response when starving deer shows up at door:
https://youtu.be/L18qZ1ZcvjI