CyberheistNews Vol 14 #33 | August 13th, 2024
Your Users Still Fall For Phishing Attacks Because of URL Shorteners
Analysis of current phishing attacks by security researchers has uncovered an increase in the use of trusted shortlink services.
To be successful, phishing scammers need to establish legitimacy as much and as early as possible.
Brand impersonation within an email has long been one method, but to establish legitimacy to security solutions, scammers have had to do more than just have a look-alike domain.
According to security researchers at Barracuda, a wave of phishing attacks is leveraging legitimate URL shortening services to add a layer of obfuscation to their malicious links in emails.
While some security solutions actually follow links to, and analyze, their final destination, many solutions simply look at the link itself. By using a shortlink, like those created by bit.ly that look similar to "bit[dot]ly[slash]FakeURL," solutions that take the link at face value will see it as legitimate.
Barracuda theorizes that threat actors are compromising credentials at these shortlink services to gain access and utilize them as part of phishing attacks.
There are really only two ways to counteract this:
- Employ security software solutions that traverse links and scan final web destinations for malicious content
- Teach users through continual new-school security awareness training to be vigilant each and every time they interact with an email, attachment, or a web link, not trusting the content or context in front of them and choosing to scrutinize before proceeding.
And because cybercriminals will continue to evolve their methods, both of these should be put and kept in place.
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-continue-to-leverage-url-shorteners-to-obfuscate-malicious-links
[WEBINAR] 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Your secret weapon to combat cyber threats might be just under your nose! As cyber criminals continue to exploit tried and tested attack methods, while simultaneously upping their game with more advanced techniques, your human defense layer might be your ace in the hole.
But how resilient are your users when it comes to fending off these threats? We looked at 11.9 million users across 55,675 organizations to help you find out.
In this webinar Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, and Joanna Huisman, KnowBe4's Senior Vice President of Strategic Insights and Research, review our 2024 Phishing By Industry Benchmarking Study findings and best practices.
You will learn more about:
- New phishing benchmark data for 19 industries
- Understanding who's at risk and what you can do about it
- How to radically lower phish-prone percentage within 90 days
- Actionable tips to create your "human firewall"
- The value of new-school security awareness training
Do you know how your organization compares to your peers? Watch this webinar to find out!
Date/Time: TOMORROW, Wednesday, August 14 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/2024-phishing-insights?partnerref=CHN2
62% of Phishing Emails Bypassed DMARC Checks in 1H of 2024
A report from Darktrace has found that 62% of phishing emails in the first half of 2024 were able to bypass the DMARC verification checks in order to reach users' inboxes.
"Building on the insights from the 2023 End of Year Threat Report, an analysis of malicious emails detected by Darktrace / EMAIL in 2024 underscores the implication that email threats are increasingly capable of circumventing conventional email security tools," the report says.
"Notably, 62% of the 17.8 million phishing emails identified by Darktrace successfully bypassed Domain-based Message Authentication, Reporting, and Conformance (DMARC) verification checks."
Additionally, nearly 40% of phishing attempts in the first half of 2024 were targeted, indicating that threat actors are investing more effort into tailoring their attacks. The researchers also observed an increase in attacks that impersonated brands or VIPs.
"More interestingly still, in May and June alone, Darktrace identified 540,000 brand impersonation attempts (malicious email actors attempting to masquerade as trusted and reputable organizations to deceive recipients) and a further 240,000 emails attempting to impersonate a VIP at an organization.
"This trend towards impersonation and deception under the guise of a trusted company, or even a company executive, suggests threat actors are curating more bespoke and targeted email campaigns intended to target select organizations, or even individuals, more efficiently than traditional mass phishing attacks."
Notably, Darktrace observed a 59% increase in multistage phishing attacks, which "elicit recipients to follow a series of steps, such as clicking a link or scanning a QR code, before delivering a payload or attempting to harvest credentials." Since these attacks are more complex, they can more easily evade detection by security tools.
New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/62-of-phishing-emails-bypassed-dmarc-checks-in-h1-2024
Rip Malicious Emails With KnowBe4's PhishER Plus
Rip malicious emails out of your users' mailbox with KnowBe4's PhishER Plus! It's time to supercharge your phishing defenses using these two powerful features:
1) Automatically block malicious emails that your filters miss
2) Rip malicious emails from inboxes before your users click on them
With PhishER Plus you can:
- NEW! Detect and respond to threats faster with real-time web reputation intelligence with PhishER Plus Threat Intel, powered by Webroot!
- Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
- Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
- Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
- Automate message prioritization by rules you set and cut through your incident response inbox noise to respond to the most dangerous threats quickly
Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.
Date/Time: Wednesday, August 21, @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/phisher-demo-2?partnerref=CHN
Prisoner Swap Includes Russian Hackers and KGB Assassin
Included among the U.S. prisoners being sent back to Russia in the swap are two prominent convicted hackers, both of whom were serving lengthy sentences, and a KGB assassin.
Because foreign hackers often operate from countries like Russia that lack extradition treaties with the U.S., they rarely face American courts, making their convictions significant wins for the Justice Department.
Vladislav Klyushin, a Russian national sentenced last year to nearly a decade in prison by a federal jury in Boston for hacking into corporate earnings databases to steal and trade on nonpublic information. U.S. officials noted Klyushin's "extensive ties" to the Russian president's office.
Roman Seleznev, the son of a Russian parliament member, was described by prosecutors as "one of the most prolific credit-card thieves in history." In 2016, he was convicted by a federal jury in Seattle for hacking into hundreds of businesses and selling stolen data online, leading to more than $169 million in fraud losses.
Vadim Krasikov, (picture) the Russian at the center of Thursday's high-profile prisoner swap, has been a top priority for the Kremlin in exchange negotiations for some time. Earlier this year, President Vladimir Putin hinted at a desire for such a trade to secure the release of a "patriot" detained in Germany. Krasikov was serving a prison sentence for murder.
Blog post with links and picture:
https://blog.knowbe4.com/prisoner-swap-includes-russian-hackers-and-kgb-assassin
[Whitepaper]: Overcoming The Phishing Tsunami: A Game-Changing Strategy For Stopping Phishing
Phishing attacks often feel like an unrelenting tsunami, flooding your org with a never-ending deluge of threats.
Traditional methods for analyzing and mitigating phishing attacks are manual, repetitive and error-prone. These workflows slow the speed at which you can mitigate a spear-phishing attack and increase the risk that phishing presents to your organization.
There is a better way. One that shifts the burden off your IT team to a unique, AI-powered system built from the ground up to automate the identification and prioritization of phishing threats and uses crowdsourced threat intelligence to improve accuracy and speed time to mitigation.
Read this whitepaper to learn:
- The five major challenges you'll face when manually reporting, analyzing and mitigating phishing attacks
- How the right SOAR product can provide finely-tuned, automated identification and mitigation of phishing emails
- Why the right SOAR product is crucial to your organization's incident response plan and supercharging your existing email security filters
Download Now:
https://info.knowbe4.com/wp-overcoming-the-phishing-tsunami-chn
[WHOA] - This 'Unpatch Attack' Is a New One to Me!
In a startling revelation at Black Hat 2024, SafeBreach security researcher Alon Leviev demonstrated a critical vulnerability in Windows systems, dubbed the "Windows Downdate" attack.
This exploit allows threat actors to forcibly downgrade fully updated Windows 10, 11, and Windows Server systems to older versions, reintroducing vulns that had been previously patched.
By exploiting zero-day vulnerabilities (CVE-2024-38202 and CVE-2024-21302), attackers can bypass security features like Credential Guard and Virtualization-Based Security, making a supposedly secure system susceptible to thousands of past exploits.
Despite being reported to Microsoft six months ago, no patch has been released, leaving users vulnerable. Microsoft has mitigation strategies until a fix is deployed.
Blog post with links:
https://blog.knowbe4.com/whoa-this-unpatch-attack-is-a-new-one-to-me
Not Just Us: More About "Kyle"
Our friends at Mandiant told us that because of our story they got multiple companies reaching out to them saying they accidentally hired North Koreans... and one company who hired the same person as us (!) and only realized it when they read our story...
Here is a story about a U.S. fraudster who enabled this type of crime and got arrested:
https://blog.knowbe4.com/not-just-us-north-korean-remote-it-fraudster-arrested-in-tennessee?
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [BUDGET AMMO #1] Fighting Back Against Multi-Staged Ransomware Attacks Crippling Businesses:
https://www.securityweek.com/fighting-back-against-multi-staged-ransomware-attacks-crippling-businesses
PPS: [BUDGET AMMO #2] A Whopping 33% of Young American Are Exposed to Political Lies on TikTok:
https://blog.knowbe4.com/a-whopping-33-of-young-american-are-exposed-to-political-lies-on-tiktok
- George Orwell - Writer (1903 - 1950)
- Robert Heinlein, Sci-fi Author (1907 - 1988)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-33-your-users-still-fall-for-phishing-attacks-because-of-url-shorteners
AI Tools Have Increased the Sophistication of Social Engineering Attacks
The Cyber Security Agency of Singapore (CSA) has warned that threat actors are increasingly using AI to enhance phishing and other social engineering attacks, Channel News Asia reports. The CSA's report found that cybercriminals are selling tools that automate these attacks, allowing unskilled threat actors to launch sophisticated attacks.
"The malicious potential of AI has been compounded by an explosion of AI-powered tools available in underground forums," the CSA says. "Cybercriminals are peddling fake social media accounts and content generated by AI, as well as AI services to fully automate the maintenance of these accounts.
"Developers have also sold impersonation services that employ deepfake voices, and AI-generated spam that can bypass anti-spam and anti-phishing controls of popular webmail services."
The CSA cites a report from iProov that observed a 704% increase in the use of deepfakes for social engineering over the course of 2023. "Attempts to weaponise deepfake technology for scams or fraud will continue to grow, given the widespread accessibility of tools to create highly convincing deepfakes at a relatively low cost," the CSA says.
While these attacks have grown more sophisticated, the same security best practices can be used to defend against them. User awareness training can provide an essential layer of defense by teaching employees to recognize the hallmarks of social engineering.
"Conventional cyber hygiene measures remain largely relevant at mitigating the AI-enabled threats at present, and individuals and companies should continue to adopt these measures," the CSA says.
"For example, users should continue implementing tight access controls to their accounts [e.g. using strong passwords and multifactor authentication (MFA)], regularly updating software and patching vulnerabilities, and educating employees on how to recognise and handle cybersecurity threats."
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Channel News Asia has the story:
https://www.channelnewsasia.com/singapore/ai-phishing-attempts-cyber-attacks-technology-scams-deepfakes-ransomware-4506631
Malvertising Campaign Impersonates Google Authenticator
Researchers at Malwarebytes spotted a malvertising campaign that abused Google Ads to target people searching for Google Authenticator. If someone typed "Google Authenticator" into Google, the malicious ad would be at the top of the search results.
The ad copied the website description from the real Google Authenticator but would redirect users to a phishing site. "We can follow what happens when you click on the ad by monitoring web traffic," the researchers explain. "We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator."
If a user clicks the download button, the site will install the DeerStealer malware. The researchers note that the malicious file is hosted on GitHub, making it more likely to bypass security tools.
"Hosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via conventional means," the researchers write. "While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate."
Malwarebytes concludes that users should be aware of this tactic so they can avoid falling for these attacks. "Threat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites," Malwarebytes says.
"Since the whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real advertisers from fake ones. As we saw in this case, some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.
"We should note that Google Authenticator is a well-known and trusted multi factor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture.
"We recommend avoiding clicking on ads to download any kind of software and instead visiting the official repositories directly."
Malwarebytes has the story:
https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator
What KnowBe4 Customers Say
"Hello Rachel, Thank you for your time and guidance in walking me through the console. I really appreciate how clearly you explain things and suggest things that really help me with setting up campaigns for our users. Your insights are very helpful and you're also a pleasant person to talk to! Keep up the good work and look forward to our next discussions!"
- Y.B., System Admin
"Stu, Thank you for the personalized reach out. I did at first think it was an automated email! Thank you for that levity!
I've been a champion now of KB4 since 2019 when I first rolled it out to the hospital where I worked. At the time there were around 4000 users. The success of the program was such that when we brought in DHS to do some pen testing against us, one of the highlights of their testing was just a 2% Phish-prone percentage.
When we all "merged" into a larger health system, we were running different solutions. Very few solutions rolled up to the parent organization. However, I'd like to think (and I could be biased here a bit…) we easily bested the in place competition but once we shoved our horse into the race, it looked like a Secretariat movie!
Calling out sales rep Michael H., an excellent example of great people skills at work. Our current CSM Kim A. has been outstanding to work with. Very, very, happy to have her on our account.
In closing, I want to thank you and your team for providing us with the tools and the supporting cast we need to make our program a success story. Have a great day!"
- S.G., Associate Director Cybersecurity Governance [edited for brevity]
- Black Hat USA 2024 #1: Roundup and Notable Product Releases:
https://www.techrepublic.com/article/black-hat-def-con-roundup-2024/ - Black Hat USA 2024 #2: Five takeaways from Black Hat USA 2024:
https://www.scmagazine.com/perspective/five-takeaways-from-black-hat-usa-2024 - Black Hat USA 2024 #3: Cybersecurity innovations unveiled at Black Hat USA 2024:
https://www.baselinemag.com/news/cybersecurity-innovations-unveiled-at-black-hat-usa-2024/ - Nearly 40 French museums reportedly affected by ransomware attack:
https://therecord.media/french-museums-reportedly-affected-by-cyberattack - North Korean group infiltrated 100-plus companies with imposter IT pros:
https://www.csoonline.com/article/3481659/north-korean-group-infiltrated-100-plus-companies-with-imposter-it-pros.html? - INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore:
https://www.interpol.int/News-and-Events/News/2024/Police-recover-over-USD-40-million-from-international-email-scam - USPS Text Scammers Duped His Wife, So He Hacked Their Operation:
https://www.wired.com/story/usps-scam-text-smishing-triad/ - Ransomware attack cost LoanDepot nearly $27 million:
https://www.securityweek.com/ransomware-attack-cost-loandepot-27-million/ - NIS2 Directive in the EU: An imminent deadline, insufficient preparation:
https://www.itsecurityguru.org/2024/08/08/nis2-directive-in-the-eu-an-imminent-deadline-insufficient-preparation/ - Turning the screws: The pressure tactics of ransomware gangs:
https://news.sophos.com/en-us/2024/08/06/turning-the-screws-the-pressure-tactics-of-ransomware-gangs/
- Virtual Vaca #1 to Santorini, Greece in 4K HDR ULTRA HD 60 FPS Drone Video:
https://youtu.be/--NHxLD565k - Virtual Vaca #2 to Sydney, Australia - by drone [4K]:
https://youtu.be/UHGhj5aPX5M - Don McMillan's Engineering Comedy Masterpiece:
https://www.flixxy.com/don-mcmillan-engineering-comedy-masterpiece.htm?utm_source=4 - Introducing The Figure 02 car building robot. Dang:
https://youtu.be/0SRVJaOg9Co - The Ad You Can't Blink Through – A Masterpiece in Japanese Storytelling:
https://www.flixxy.com/the-ad-you-cant-blink-through-a-masterpiece-in-japanese-storytelling.htm?utm_source=4 - The Crazy Engineering of Venice. Discover how the Venetians transformed a muddy lagoon into a thriving metropolis:
https://youtu.be/77omYd0JOeA - Sinking An EV Motorcycle In The World's Deepest Pool:
https://youtu.be/ar2d0lc6vVA - The $1BN Race to Save Notre Dame From Collapse:
https://www.youtube.com/watch?v=vzHjTn-URAE - Colombian Highway skateboarding Madness. This guy is overtaking cars and probably breaking the speed limit!:
https://www.youtube.com/watch?v=N6IC80LfrNs - Blind Violence - Voldenosi / Intense Wingsuit Base Jump / Norway / 2024:
https://youtu.be/jwzGRdzRIbk - Watch The "History Of Cryptography" Documentary:
https://www.youtube.com/watch?v=4HCAOfBftV0 - For Da Kids #1 - Boat Crew Rescues Dog Stranded On Barbed Wire:
https://youtu.be/ECq4vbRYItE - For Da Kids #2 - Guy Didn't Know He Needed A Cat Until He Met The Perfect One:
https://youtu.be/XFJz8mZJsOY - For Da Kids #3 - My rescue dog turned out to be a jerk:
https://youtu.be/4I6eFwdCG-s - For Da Kids #4 - Micro horse Teddy runs too far from the house:
https://www.instagram.com/reel/C-Kq_rtOnGB/ - For Da Kids #5 - Majestic Lynx Caught on Camera: A Rare Close-Up Encounter in Northern Minnesota:
https://www.flixxy.com/majestic-lynx-caught-on-camera-a-rare-close-up-encounter-in-northern-minnesota.htm?utm_source=4