CyberheistNews Vol 14 #32 QR Code Phishing is Still on the Rise - The SEG is Dead




CyberheistNews Vol 14 #32  |  August 6th, 2024

QR Code Phishing is Still on the Rise - The SEG is Dead
Stu Sjouwerman SACP

Organizations need to be aware of the threat posed by QR code phishing (quishing), according to researchers at Trend Micro.

"Phishing emails continue to be the number one attack vector for organizations," the researchers write.

"A QR code phishing, or quishing attack, is a modern social engineering cyber attack technique manipulating users into giving away personal and financial information or downloading malware. It targets C-level executives and the highest strategic roles within a company."

Because the link is encoded in an image rather than as text, an email gateway that only inspects clickable links never sees it, so the message reaches the user directly. The user can't inspect the link before scanning either; the destination is only revealed once the code is decoded on the phone.

The SEG is Dead

"Quishing can bypass traditional security email gateways, evading email filtering tools and identity authentication," Trend Micro says. "This allows cyberattacks to move from a protected email to the user's less secure mobile device, where cybercriminals can obtain confidential information, such as payment details, for fraudulent purposes.

"For instance, a malicious QR code hidden in a PDF or an image (JPEG/PNG) file attached to an email can bypass email security protection, such as filtering and flagging. This allows the email to be delivered directly to the user's inbox without being analyzed for clickable content."

Trend Micro says users should be on the lookout for the following red flags associated with QR codes:

  • "No context. Exercise caution if the QR code lacks context or appears out of place, such as QR codes randomly placed in a public area
  • Web links. Avoid sites accessed through QR codes that request payments. Instead, enter a known and trusted URL for transactions
  • Overlays. Be wary if the QR code is placed over existing signs or labels, as scammers may try to cover up legitimate information
  • Too much information. Be skeptical of QR codes that ask for excessive permissions (e.g., access to your camera, contacts, or location) beyond what is necessary"
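Once a QR code has been decoded, its payload is just a string, and the same link analysis a gateway applies to a text link can be applied to it. The example below is added here and is not code from KnowBe4 or Trend Micro; it assumes the image has already been decoded (by a gateway scanner or on the endpoint) into its raw payload, and the TRUSTED_DOMAINS allow-list, the shortener list and the sample payloads are assumptions constructed for illustration. It covers the QR-specific cases a text-link filter never meets, such as WIFI: and plain-text payloads, as well as the usual link tricks (IP-literal hosts, userinfo before the host, punycode, shorteners, a trusted name used as a subdomain of another domain, and redirect parameters on a trusted host).

```python
"""Triage decoded QR-code payloads the way a gateway triages a text link.

Added example, not code from KnowBe4 or Trend Micro. It assumes the QR image
has already been decoded into its raw payload string. TRUSTED_DOMAINS,
SHORTENERS and SAMPLE_PAYLOADS are assumptions constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domains
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}  # illustrative
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redir", "next",
                   "target", "dest", "goto", "u"}


def _under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_qr_payload(payload):
    """Return {"payload", "host", "trusted", "findings", "risk"} for one payload.

    A QR code can carry anything: WIFI:, tel:, sms:, mailto:, app intents or
    plain text. Anything that is not http(s) comes back with risk "review"
    so it gets looked at instead of silently dropped.
    """
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme not in ("http", "https"):
        kind = scheme if re.fullmatch(r"[a-z][a-z0-9+.-]*", scheme) else "text"
        return {"payload": text, "host": None, "trusted": False,
                "findings": ["non-web payload: " + kind], "risk": "review"}

    parts = urlsplit(text)
    host = (parts.hostname or "").lower().rstrip(".")
    trusted = _under(host, TRUSTED_DOMAINS)
    findings = []  # (weight, description); weight 2 is decisive on its own

    if scheme == "http":
        findings.append((1, "plaintext http"))
    if _is_ip_literal(host):
        findings.append((2, "IP-literal host"))
    if parts.username is not None:
        # https://example.com@evil.net/ : the text before '@' is userinfo,
        # the real host is what follows it.
        findings.append((2, "userinfo before host: '%s@'" % parts.username))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append((2, "punycode (IDN) host"))
    if _under(host, SHORTENERS):
        findings.append((1, "URL shortener hides the destination"))
    if parts.port not in (None, 80, 443):
        findings.append((1, "non-standard port %d" % parts.port))
    if not trusted and any("." + d + "." in "." + host + "." for d in TRUSTED_DOMAINS):
        findings.append((2, "trusted name used as a subdomain of another domain"))
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                target = urlsplit(unquote(value))
                if (target.scheme in ("http", "https") and target.hostname
                        and target.hostname.lower() != host):
                    findings.append((2, "parameter '%s' redirects to %s"
                                     % (key, target.hostname)))

    if not findings:
        risk = "low" if trusted else "unverified"
    elif max(w for w, _ in findings) >= 2:
        risk = "high"
    else:
        risk = "medium"
    return {"payload": text, "host": host, "trusted": trusted,
            "findings": [d for _, d in findings], "risk": risk}


# Constructed sample payloads, as a scanner might hand them over after decoding.
SAMPLE_PAYLOADS = [
    "https://example.com/invoice/123",
    "http://192.168.0.10/login",
    "https://bit.ly/3xyz",
    "https://payments.example.com.evil-host.net/verify",
    "https://example.com@evil.net/",
    "https://www.example.com/r?url=https%3A%2F%2Fevil.net%2Flogin",
    "https://xn--pple-43d.com/",
    "WIFI:T:WPA;S:FreeWifi;P:hunter2;;",
    "Meeting room 4B",
]


def triage(payloads=SAMPLE_PAYLOADS):
    """Analyze every payload and return the results ordered worst-first."""
    order = {"high": 0, "medium": 1, "review": 2, "unverified": 3, "low": 4}
    return sorted((analyze_qr_payload(p) for p in payloads),
                  key=lambda r: order[r["risk"]])


if __name__ == "__main__":
    for r in triage():
        print("%-10s %-40s %s" % (r["risk"], r["host"] or "-",
                                  "; ".join(r["findings"]) or "no findings"))
```

The decoding step itself is deliberately left to the scanner: what the gateway is missing is not link analysis but the fact that it never runs it on attachments, so the fix is to decode the image and feed the result into the existing link checks rather than to write a new URL filter.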

Blog post with links and a free QR-code phishing test you can run:
https://blog.knowbe4.com/qr-code-phishing-is-still-on-the-rise

[BUDGET AMMO] "Email Threats Are Coasting Past SEGs, And CISOs Are Waking Up To It":
https://www.forbes.com/sites/forbestechcouncil/2024/07/26/email-threats-are-coasting-past-segs-and-cisos-are-waking-up-to-it/

[New Features] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, TOMORROW, August 7, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users:

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 65,000+ organizations have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, August 7, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN2

Fortune 50 Ransomware Victim Pays an Eye-Watering $75 Million

The Dark Angels ransomware group got paid a staggering $75 million ransom from an undisclosed Fortune 50 victim.

This eye-watering sum shatters the previous record of $40 million paid by insurance giant CNA Financial in 2021, setting a new and alarming benchmark in the ransomware landscape.

The revelation comes from the latest Zscaler ThreatLabz ransomware report, which paints a grim picture of the current state of cybersecurity. Chainalysis, a cryptocurrency tracking firm, also confirmed it spotted the $75 million payment to Dark Angels.

Focuses On One Large Company At A Time

Compared to other ransomware groups, Dark Angels stands out by focusing on a "single large company at a time," and demanding a high sum, Zscaler says. "This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks."

For instance, Zscaler reported that in September 2023, Dark Angels breached an international conglomerate specializing in building automation systems and other services. The group stole 27 TB of corporate data while encrypting the company's VMware ESXi virtual machines and subsequently demanded a $51 million ransom.

93 Percent Increase in Ransomware Attacks Targeting the U.S.

According to the report, global ransomware attacks have surged by 18% YoY, with healthcare, manufacturing and technology sectors bearing the brunt of these malicious activities. Particularly concerning is the manufacturing sector, which has experienced more than double the attacks compared to the other two industries combined.

Geographically, the United States remains the prime target for ransomware attacks, accounting for nearly half of all incidents worldwide. The UK follows closely behind. What is even more alarming is the 93% increase in ransomware attacks targeting the U.S. compared to the previous year, highlighting the urgent need for improved cybersecurity measures across the nation.

The Impact of Major Ransomware Groups

While the Dark Angels group may not be a household name like some of their more notorious counterparts, their recent payday certainly puts them in the spotlight. The cybercrime landscape is constantly shifting, with new groups emerging and others fading away. Zscaler has tracked a total of 391 ransomware gangs over the years, with 19 new ones identified between April 2023 and April 2024 alone.

Despite law enforcement efforts to disrupt their operations, established ransomware groups continue to dominate the scene. LockBit remains at the top of the list, followed by BlackCat (ALPHV), 8Base, Play, and Clop. These groups consistently demonstrate their ability to adapt and evolve, staying one step ahead of security measures.

The record-breaking ransom paid to the Dark Angels group serves as a stark reminder of the critical importance of security awareness and training. As ransomware attacks grow in both frequency and severity, organizations must prioritize educating their employees about potential threats and best practices for prevention.

Looking Ahead: 2025 Predictions

  • As ransomware threats evolve, several key trends are set to shape the cybersecurity industry in 2025, as highlighted in the ransomware report. One that stands out is the rise of highly targeted attack strategies: groups like Dark Angels are setting a precedent by focusing on a few high-value targets for substantial ransoms, which may lead other threat actors to adopt similar approaches.
  • Another trend is the use of voice-based social engineering by specialized initial access brokers such as Scattered Spider, who will likely continue to exploit this tactic to infiltrate corporate networks.
  • Generative AI is expected to play a significant role in ransomware attacks, enabling threat actors to create more convincing and personalized attacks, including AI-generated email and voice impersonations.
  • High-volume data exfiltration attacks, which exploit the fear of data leaks rather than relying on encryption, are expected to rise. The healthcare sector will remain a prime target due to its valuable data, necessitating enhanced security measures.

International collaboration is crucial in disrupting global ransomware networks and combating cybercrime effectively. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/dark-angels-ransomware-group-scores-record-breaking-75-million-payday

[WEBINAR] 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Your secret weapon to combat cyber threats might be just under your nose! As cybercriminals continue to exploit tried and tested attack methods, while simultaneously upping their game with more advanced techniques, your human defense layer might be your ace in the hole.

But how resilient are your users when it comes to fending off these threats? We looked at 11.9 million users across 55,675 organizations to find out.

In this webinar Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, and Joanna Huisman, KnowBe4's Senior Vice President of Strategic Insights and Research, review our 2024 Phishing By Industry Benchmarking Study findings and best practices.

You will learn more about:

  • New phishing benchmark data for 19 industries
  • Understanding who's at risk and what you can do about it
  • How to radically lower Phish-prone™ Percentages within 90 days
  • Actionable tips to create your "human firewall"
  • The value of new-school security awareness training

Do you know how your organization compares to your peers? Watch this webinar to find out!

Date/Time: Wednesday, August 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/2024-phishing-insights?partnerref=CHN

Nearly All Ransomware Attacks Now Include Exfiltration of Data…But Not All Are Notified

Organizations are falling victim to ransomware attacks where data is stolen, but the victim isn't being told about it. I have a theory as to why this is happening.

Many assume data is being exfiltrated as part of a ransomware attack and it's going to be used as part of the extortion component of the attack. But according to Arctic Wolf's The State of Cybersecurity: 2024 Trends Report, that doesn't seem to be the case.

I recently covered that ransomware is now felt by 91% of organizations — half of them within the last 12 months, according to Arctic Wolf. But, of the victim organizations, only 57% were notified of the data exfiltration by the ransomware perpetrators!

I believe the reason for this is espionage.

I also recently talked about how espionage-intent threat groups are using ransomware as a diversion tactic in cyber attacks. In essence, the goal is to steal secrets, but to cover their tracks, threat actors launch ransomware.

Then again, the lack of notification could just as easily be explained by attackers keeping quiet to maintain persistence and sell the access on to another threat group. Whatever the reason, all this makes the case for why it's critical to ensure your organization has the highest level of controls in place — which should include new-school security awareness training.

Blog post with links:
https://blog.knowbe4.com/nearly-all-ransomware-attacks-now-include-exfiltration-of-data-but-not-all-are-notified

KnowBe4 Establishes August 6 as National Social Engineering Day

We are excited to announce the establishment of National Social Engineering Day, to be observed annually on August 6. This new national day, officially recognized by the National Day Calendar, aims to educate individuals and organizations about the risks associated with social engineering tactics used in cyber attacks.

Cybercriminals leverage social engineering tactics in an estimated 98% of cyber attacks, averaging over $4.5 million in damages.

The establishment of National Social Engineering Day serves as a crucial reminder that cybersecurity is not just about technology — it's about people. By founding National Social Engineering Day, we're creating an annual reminder for everyone to stay vigilant and informed about the evolving tactics used by cybercriminals.

It's a phishy social engineering ocean out there and we need to equip ourselves with the right technology and knowledge to navigate it safely. By educating ourselves and our teams, we can transform the human element from the weakest link to the strongest defense against cyberthreats.

The inaugural National Social Engineering Day will take place on August 6, 2024, coinciding with the birthday of the late Kevin Mitnick, renowned hacker and former Chief Hacking Officer of KnowBe4. Mitnick, often referred to as the world's most famous social engineer, played a significant role in shaping the cybersecurity landscape.

Read The Full Press Release:
https://www.knowbe4.com/press/knowbe4-establishes-august-6-as-national-social-engineering-day


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Forbes chose my article as an Editor's Choice: "Five Steps To Decoding AI-Powered Impersonation Attacks":
https://www.forbes.com/sites/forbestechcouncil/2024/06/21/five-steps-to-decoding-ai-powered-impersonation-attacks/

PPS: A great article in Information Week about Our North Korean IT Worker Lessons:
https://www.informationweek.com/cyber-resilience/what-can-be-learned-from-knowbe4-s-north-korean-it-hire-

Quotes of the Week  
Did they know about the OODA Loop 2,000 years ago? Check this out!

"Try not to react merely in the moment. Pull back from the situation. Take a wider view. Compose yourself."
- Epictetus, a Greek philosopher (55 - 135 AD)

And also from Epictetus:

"It is impossible to begin to learn that which one thinks one already knows."

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-32-qr-code-phishing-is-still-on-the-rise-the-seg-is-dead

Security News

Scammers Exploit Interest in Generative AI Tools

Researchers at Palo Alto Networks' Unit 42 are tracking phishing attacks exploiting interest in generative AI tools. The researchers observed spikes in suspicious domain registrations over the past year that correlated with current news.

"The domain registration trend is clearly correlated to the fluctuating popularity of the topic, with data peaks aligning with major ChatGPT milestones," the researchers write.

"Following Microsoft's announcement of ChatGPT integration with Bing on Feb. 7, 2023, we observed a surge in the number of new domains where many of them contain both trademarks (e.g., msftchatgpt[.]com). Another significant spike occurred on March 14, 2023, coinciding with the official release of GPT-4.

The next peak corresponds to the announcement of new GPTs on Nov. 6, 2023, during which numerous related domains, like gptsotre[.]com, were registered."

The term "gpt" is used by the majority of these sites, since ChatGPT is one of the most well-known generative AI tools.

"The most abused keyword is gpt, whose suspicious rate is 76%," the researchers explain. "This word, though not exclusively related to the GenAI topic, demonstrates a significant correlation with it. After filtering out domains unrelated to GenAI, this term was rarely used for domain creation prior to 2023, while its popularity surged along with the GenAI trend."

The researchers also observed many suspicious domains themed around tutorials for prompt engineering.

"As interest in GenAI grows and more people seek to become experts in its use, prompt engineering emerges as a hot topic," Unit 42 says. "We also observed that 'prompt' frequently coexists with 'gpt' and 'engineering' in domain names. Our findings suggest that people must exercise caution when visiting websites offering tutorials on prompt engineering, as a significant percentage of them are shady."
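The patterns Unit 42 describes (a GenAI term combined with a second trademark, as in msftchatgpt[.]com; a one- or two-character mutation of a real name, as in gptsotre[.]com; and "prompt" coexisting with "gpt" or "engineering") can be turned into a simple scoring pass over a newly-registered-domain feed. The block below is an added example and not Unit 42's tooling; the keyword, brand and allow-lists and the sample registrations are assumptions constructed for illustration, and it looks only at the registrable label without a public-suffix list.

```python
"""Score newly registered domains for GenAI-themed brand abuse.

Added example, not Unit 42's tooling. OTHER_BRANDS, TYPO_TARGETS, LEGIT_GENAI
and SAMPLE_REGISTRATIONS are assumptions constructed for illustration; a real
deployment would feed it a daily newly-registered-domain (NRD) feed.
"""

# Brands that, combined with a GenAI term in one name, give the
# "two trademarks in one domain" pattern (assumption: short illustrative list).
OTHER_BRANDS = ("microsoft", "msft", "google", "bing", "apple", "meta")
# Real names a squatter may mutate by a character or two (assumption).
TYPO_TARGETS = ("chatgpt", "openai", "gptstore", "copilot")
# Seed allow-list of domains that must never be flagged (assumption).
LEGIT_GENAI = {"openai.com", "chatgpt.com", "microsoft.com"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain):
    """Return {"domain", "name", "score", "reasons", "verdict"} for one registration.

    Accepts defanged input (gptsotre[.]com). Only the registrable label is
    scored; without a public-suffix list, co.uk-style suffixes are approximated.
    """
    d = domain.lower().strip().replace("[.]", ".").strip(".")
    if d in LEGIT_GENAI or any(d.endswith("." + l) for l in LEGIT_GENAI):
        return {"domain": d, "name": d, "score": 0,
                "reasons": ["known legitimate domain"], "verdict": "allow"}
    labels = d.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    score, reasons = 0, []

    # "gpt" is the most abused keyword in the Unit 42 data; count it once.
    if "gpt" in name:
        score += 2
        reasons.append("contains 'gpt'")
    elif "openai" in name:
        score += 2
        reasons.append("contains 'openai'")

    # Two trademarks in one name (e.g. msft + chatgpt).
    brands = [b for b in OTHER_BRANDS if b in name]
    if brands and score:
        score += 3
        reasons.append("combines a GenAI term with trademark '%s'" % brands[0])

    # Prompt-engineering tutorial theme flagged by the researchers.
    if "prompt" in name and ("engineering" in name or "gpt" in name):
        score += 2
        reasons.append("prompt-engineering tutorial theme")

    # Near-miss of a real name (gptsotre vs gptstore); ignore short labels.
    for ref in TYPO_TARGETS:
        dist = levenshtein(name, ref)
        if 0 < dist <= 2 and len(name) >= 6:
            score += 3
            reasons.append("typosquat of '%s' (edit distance %d)" % (ref, dist))
            break

    verdict = "suspicious" if score >= 5 else "review" if score >= 2 else "ok"
    return {"domain": d, "name": name, "score": score,
            "reasons": reasons, "verdict": verdict}


# Constructed sample feed; the first two mirror the shapes quoted from Unit 42.
SAMPLE_REGISTRATIONS = [
    "msftchatgpt[.]com",
    "gptsotre[.]com",
    "prompt-engineering-tutorials[.]net",
    "chatgpt-prompts-pro[.]io",
    "chat.openai.com",
    "weather-forecast[.]org",
]


def triage_registrations(domains=SAMPLE_REGISTRATIONS):
    """Score every domain and return the results highest-score first."""
    return sorted((score_domain(d) for d in domains),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage_registrations():
        print("%-10s %2d  %-36s %s" % (r["verdict"], r["score"], r["domain"],
                                       "; ".join(r["reasons"])))
```

The thresholds are deliberately coarse: "suspicious" needs two independent signals (a GenAI keyword plus a second trademark, or plus a typosquat), while a lone keyword or a prompt-engineering theme only lands in "review", which matches the researchers' point that "gpt" on its own is suspicious most of the time but not always.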

Blog post with links:
https://blog.knowbe4.com/scammers-exploit-interest-in-generative-ai-tools

Spear Phishing Poses Significant Risks For Companies of All Sizes

Researchers at Barracuda have published a report looking at the phishing attack surfaces of companies of different sizes, finding that smaller companies tend to receive a higher rate of phishing attacks spread across the organization.

This is likely due to the smaller number of potential targets and the higher level of access possessed by each employee. At larger organizations, spear phishing attacks generally focus on specific, high-value targets, such as executives or employees with access to financial decisions.

"Smaller companies tend to have flatter organizational structures with easier access to names or contact details," Barracuda explains. "This could mean that attackers can target a wide range of employees. Due to their smaller size, they are also likely to have more people with privileged access to data and systems.

"There are fewer degrees of separation between employees, enabling attackers to move laterally quickly. As a result, inbound attack emails are more evenly distributed across the business and could target the intern as well as the CEO."

Phishing remains a top threat for large organizations as well. Barracuda found that attacks against large companies often involve lateral phishing, in which threat actors use compromised accounts to send phishing emails to other accounts within the organization.

"Just under half (42%) of the targeted email attack detections in the largest companies involved lateral phishing, compared to only 2% for the smallest orgs," the researchers write. "This internal attack vector is a major risk for large businesses. The prevalence of account compromises among larger businesses may reflect the fact that credentials for many companies are likely already available for purchase on the dark web, making lateral phishing a straightforward attack."

New-school security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.

Barracuda has the story:
https://blog.barracuda.com/2024/07/30/threat-spotlight-company-size-email-threats

What KnowBe4 Customers Say

"I wanted to let you know how impressed I am with your colleague Truett. He reached out for a general client update, and also gave me a short demo which was terrific. Super friendly, client facing and knowledgeable. He also offered to help us (internally) with optimizing the platform if we choose to do so. Have a terrific holiday!"

- R.S., Senior Regional Director


Hey Stu,

I'm reaching out to you to share my incredible experience with our account rep, JennB. My name is Derek, I'm our IT Coordinator and am currently the point person for all things KnowBe4 at my organization. We began our journey with KnowBe4 somewhere around February 2023 and have had Jenn as our account rep since October 2023.

In between that time, we lost our IT Director and a lot of his work fell onto my plate, including the setup, launch, and maintenance of KnowBe4. I can honestly say that Jenn has been my absolute favorite account rep to work with during my time here and she has done incredible work to make sure we are utilizing your platform to the best of our abilities.

When we originally got KnowBe4, our Director set up one single phishing test and that's about it. When he left, I made a push to make KnowBe4 something our org uses on a regular basis. Shortly after, Jenn scheduled some time for us to chat and make sure we were happy with our experience.

When I explained our situation and what we were trying to accomplish, Jenn guided us through much of the setup of KnowBe4, and scheduled multiple additional meetings to make sure we were accomplishing our goals and provided support when we had questions.

She helped review our setup policies and procedures, gave us tips on best practices and common use cases, and gave multiple demos to showcase what the platform could do for us. When we had technical issues, Jenn partnered with other teams at your org to resolve them within 24 hours.

When I told her that we had a company retreat coming up, she mailed us a big box of swag. When that package had been sent to the wrong address, Jenn made sure another one was on the way that same day.

I am so over-the-moon happy with our relationship with KnowBe4. Your product is incredible: Since our launch, we have run 7-8 phishing campaigns, and our annual cybersecurity training. Our phish-prone percentage is currently 1.9%! Additionally, the service and compassion Jenn has shown to us over the past 9 months has been nothing short of spectacular.

I literally asked her for your email address so I could share my experience with you. Please, I'm begging you, find some way to recognize this hard-working girl. She really cares about what you do at KnowBe4 and the benefits it provides small companies like us.

I'm happy to chat more if you're interested. If there's anything I can do for Jenn on my end, please let me know. I hope you have a great weekend!

- S.D. IT Coordinator

The 10 Interesting News Items This Week
  1. WIRED: A North Korean Hacker Tricked a US Security Vendor Into Hiring Him—and Immediately Tried to Hack Them:
    https://www.wired.com/story/north-korean-hacker-hired-ecurity-company-malware/?

  2. Ferrari exec foils deepfake scammer:
    https://fortune.com/2024/07/27/ferrari-deepfake-attempt-scammer-security-question-ceo-benedetto-vigna-cybersecurity-ai/

  3. Posing as 'Alicia,' This Man Scammed Hundreds Online. He Was Also a Slave:
    https://www.wsj.com/world/asia/cyberscams-human-trafficking-forced-labor-ba2c6c1a?

  4. Man Bites Dog: Ukraine Hacked Russian Banks, Leading Major Disruption:
    https://gbhackers.com/ukraine-hacked-russian-banks/

  5. Average cost of a data breach rises to $4.88 million:
    https://newsroom.ibm.com/2024-07-30-IBM-Report-Escalating-Data-Breach-Disruption-Pushes-Costs-to-New-Highs

  6. How Infostealers Pillaged the World's Passwords:
    https://www.wired.com/story/infostealer-malware-password-theft/

  7. AI-Powered Deepfake Tools Becoming More Accessible Than Ever:
    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/surging-hype-an-update-on-the-rising-abuse-of-genai

  8. Ransomware attack on major US blood center prompts hundreds of hospitals to implement shortage protocols:
    https://therecord.media/ransomware-attack-blood-center-shortage-protocols-hospitals

  9. CISA names Lisa Einstein as first chief AI officer:
    https://www.nextgov.com/people/2024/08/cisa-names-lisa-einstein-first-chief-ai-officer/398512/

  10. Prisoner Swap Includes Russian Hackers and KGB Assassin:
    https://blog.knowbe4.com/prisoner-swap-includes-russian-hackers-and-kgb-assassin
