CyberheistNews Vol 14 #34 [HEADS UP] Real Social Engineering Attack on KnowBe4 Employee Foiled



Cyberheist News

CyberheistNews Vol 14 #34  |   August 20th, 2024

[HEADS UP] Real Social Engineering Attack on KnowBe4 Employee FoiledStu Sjouwerman SACP

David B., the KnowBe4 VP of Asia Pacific and Japan, recently experienced a sophisticated social engineering attack via WhatsApp.

Late one evening, David received a call from someone impersonating Ani, KnowBe4's CHRO.

It started as a phone call, but intentionally set up so that the "connection was bad" and the call kept dropping. So, David never really heard someone speaking, just background noise. Which led to the bad actor explaining he was on a flight, and requesting to do text because the "onboard wi-fi was apparently not allowing WhatsApp audio or video."

Although it was unusual for Ani to call at such hours, David did not immediately suspect foul play due to the current busy period. When they connected through text, the impersonator asked if David had any contacts at DBS Bank in Singapore to assist with an urgent financial matter.

The impersonator explained that they needed to wire funds for a family medical emergency, but the transfer was delayed by 48 hours. The request was not for money directly, but the impersonator mentioned an amount that quickly dropped when David said he'd like to help but he didn't have those funds, raising his suspicions.

Additionally, the caller addressed David by name instead of his usual friendly nickname that Ani typically used. David joked about needing to hit the "PAB" (Phish Alert Button) on this message, which was met with confusion by the impersonator.

To further verify, David asked about a dinner plan in Singapore, knowing Ani's love for a local dish, but the impersonator could not respond appropriately. David then confirmed with the real Ani through Slack that he had not made the request, ending the conversation with the scammer, and reporting the incident to WhatsApp. It's a good thing he was trained to spot attacks like this.

Here is the actual conversation. Blog post with link and WhatsApp thread:
https://blog.knowbe4.com/real-social-engineering-attack-on-knowbe4-employee-foiled

Rip Malicious Emails With KnowBe4's PhishER Plus

Rip malicious emails out of your users' mailbox with KnowBe4's PhishER Plus! It's time to supercharge your phishing defenses using these two powerful features:

1) Automatically block malicious emails that your filters miss
2) Rip malicious emails from inboxes before your users click on them

With PhishER Plus you can:

  • NEW! Detect and respond to threats faster with real-time web reputation intelligence with PhishER Plus Threat Intel, powered by Webroot!
  • Use crowdsourced intelligence from more than 13 million users to block known threats before you're even aware of them
  • Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Automate message prioritization by rules you set and cut through your incident response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: TOMORROW, Wednesday, August 21, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-2?partnerref=CHN2

[PROVED] Unsuspecting Call Recipients Are Super Vulnerable to AI Vishing

By Perry Carpenter

Heads-up: I just proved that unsuspecting call recipients are super vulnerable to AI vishing

So, this is pretty exciting… and terrifying. If you attended my "Reality Hijacked" webinar back in May, you saw me do a quick demonstration of a couple AI-powered vishing bots that I'd been working on.

That experiment got its first real "live fire" test this past Saturday at the DEFCON Social Engineering Village capture the flag (CTF) competition. Well, actually, they created an inaugural event titled the "John Henry Competition" just for this experiment. The goal was to put the AI to the test.

To answer the question: can an AI-powered voice phishing bot really perform at the level of an experienced social engineer?

The answer: DEFINITELY.

The AI's performance in its debut was impressive. The bots engaged in banter, made jokes, and were able to improvise to keep their targets engaged. By the end of our allotted 22 minutes, the AI-driven system captured 17 objectives while the human team gathered 12 during their 22-minute allotment.

But here's where it gets interesting. Everyone in the room naturally assumed the bots had won — even the other contestants. The bots were picking-up flags so fast and obviously got more. But even though our AI bots managed to gather more flags, the human team won — by a hair (1,500 pts vs. 1450 pts).

This was one of those contest results that shocked everyone. What clenched it for the human team was an amazing pretext that allowed them to secure higher point-value flags at the very beginning of the call vs building up to those higher value objectives.

But now think about it. The difference wasn't that the targets trusted the humans more. It wasn't that they somehow suspected that the AI was an AI. It came down to strategy and pretext… something that can be incorporated into the LLM's prompt. And that's where things get real.

Here are a few points of interest:

  • The backend of what we used was all constructed using commercially available, off-the-shelf SaaS products, each ranging from $0 to $20 per month. This reality ushers in a new era where weapons-grade deception capabilities are within reach of virtually anyone with an internet connection.
  • The LLM prompting method we employed for the vishing bots didn't require any "jailbreaking" or complex manipulation. It was remarkably straightforward. In fact, I explicitly told it in the prompt that it was competing in the DEFCON 32 Social Engineering Village vishing competition.
  • The prompt engineering used was not all that complex. Each prompt used was about 1,500 words and was written in a very straightforward manner.
  • Each of the components being used was functioning within what would be considered allowable and "safe" parameters. It is the way they can be integrated together — each without the other knowing — that makes it weaponizable.
  • None of the targets who received calls from the bots acted with any hesitancy. They treated the voice on the other end of the phone as if it were any other human caller.

We're Facing a Raw Truth

AI-driven deception can operate at an unprecedented scale, potentially engaging thousands of targets simultaneously. These digital deceivers never fatigue, never nervously stumble, and can work around the clock without breaks. The consistency and scalability of this technology present a paradigm shift in the realm of social engineering.

Perhaps most unsettling was the AI's ability to pass as human. The individuals on the receiving end of these calls had no inkling they were interacting with a machine. Our digital creation passed the Turing test in a real-world, high-stakes environment, blurring the line between human and AI interaction to an unprecedented degree.

My Conversations with a GenAI-Powered Virtual Kidnapper

The following day, I gave a talk at the AI Village titled "My Conversations with a GenAI-Powered Virtual Kidnapper." The session was standing room only, with attendees spilling over into the next village, underscoring the intense interest in this topic.

During this talk, I demonstrated a much darker, fully jailbroken bot capable of simulating a virtual kidnapping scenario (this is also previewed in my "Reality Hijacked" webinar). I also discussed some of the interesting quirks and ways that I interacted with the bot while testing its boundaries.

The implications of this more sinister application of AI technology are profound and warrant their own discussion in a future post.

Since the demonstration and talk, I've been encouraged by the number of companies and vendors reaching out to learn more about the methods and vulnerabilities that enabled the scenarios I showcased. These conversations promise to be fruitful as we collectively work to understand and mitigate the risks posed by AI-driven deception.

This Competition Serves as a Wake-up Call

So, here's where we are: This competition and the subsequent demonstrations serve as a wake-up call. We're not just theorizing about potential future threats; we're actively witnessing the dawn of a new era in digital deception. The question now isn't if AI can convincingly impersonate humans, but how we as a society will adapt to this new reality.

If you're interested in topics like these and want to know what you can do to protect yourself, your organization, and your family, then consider checking out my new book, "FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation, and AI-Generated Deceptions."

The book offers strategies for identifying AI trickery and maintaining personal autonomy in an increasingly AI-driven world. It's designed to equip readers with the knowledge and tools necessary to navigate this new digital landscape. (Available on October 1st, with pre-orders open now).

Blog post with links here. Forward this post to any friend that needs to know:
https://blog.knowbe4.com/proved-unsuspecting-call-recipients-are-super-vulnerable-to-ai-vishing

[Free Resources] Prepare for Cybersecurity Awareness Month 2024 with the Help of KnowBe4

Cybersecurity Awareness Month is coming soon, and we've got your back!

Threats to your organization can come in many forms; from a suspicious email with a dodgy attachment to improperly stored sensitive information.

But never fear! The team featured in KnowBe4's award-winning, streaming-quality educational series "The Inside Man," is here to lend a helping hand. Our 2024 Cybersecurity Awareness Month resource kit delivers an immersive, multimedia cybersecurity awareness training experience centered around the gripping original series "The Inside Man."

With weeks' worth of training content, suggested campaign ideas and a web-based planner, this kit has what you need to run an engaging security awareness training campaign for an entire month!

Learn more about the kit and download here:
https://www.knowbe4.com/resources/free-cybersecurity-resource-kits/cybersecurity-awareness-month-kit-chn

File-Sharing Phishing Attacks Increased by 350% Over the Past Year

File-sharing phishing attacks have skyrocketed over the past year, according to a new report from Abnormal Security.

"In file-sharing phishing attacks, threat actors exploit popular platforms and plausible pretexts to impersonate trusted contacts and trick employees into disclosing private information or installing malware," the report says.

"A complex and escalating threat, file-sharing phishing attacks increased by 350% year-over-year, with financial organizations and built environment firms being the most targeted."

File-sharing attacks are designed to impersonate common business tools like file-hosting services or e-signature solutions. The researchers note that these attacks blend in with normal business activities.

"Sharing files and documents via email is a common practice for organizations in every industry. While the themes of some phishing attacks are likely to raise at least a little suspicion (such as unsolicited, too-good-to-be-true job offers or an email from the CEO requesting $500 in gift cards), the pretext of file-sharing phishing attacks is perfectly ordinary and, therefore, inherently believable.

"Depending on their approach, an attacker often doesn't even need to invest considerable effort in establishing a plausible pretense beyond selecting a relevant name for the bogus file."

Abnormal Security also observed a 50% increase in business email compromise attacks in the first half of 2024 compared to H1 2023.

"Business email compromise (BEC) and vendor email compromise (VEC) are specifically designed to circumvent both users' common sense and conventional security measures.

"Utilizing social engineering and text-based emails with no traditional indicators of compromise allows cybercriminals to evade legacy email security solutions and manipulate targets. This one-two punch has brought attackers continued success and is likely why BEC and VEC have maintained their momentum."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/file-sharing-phishing-attacks-increased-by-350-over-the-past-year

Can You Be Spoofed?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

This is how "CEO fraud" spear-phishing attacks are launched on your organization. Such attacks are hard to defend against, unless your users know what to look for.

Are your email servers vulnerable to spoofing? KnowBe4 can help you find out with our free Domain Spoof Test. It's quick, easy and often a shocking discovery.

Find out now if your email server is configured correctly, many are not!

  • This is a simple, non-intrusive "pass/fail" test
  • We will send a spoofed email "from you to you"
  • If it makes it through into your inbox, you know you have a problem
  • You'll know within 48 hours!

Try to Spoof Me!
https://info.knowbe4.com/domain-spoof-test-1-chn


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO #1]Five Offbeat Phishing Schemes To Know: New Twists On Classic Scams:
https://www.forbes.com/councils/forbestechcouncil/2024/08/14/five-offbeat-phishing-schemes-to-know-new-twists-on-classic-scams/

PPS: [BUDGET AMMO #2] Healthcare under siege: The cascading impact of cyberattacks:
https://www.fastcompany.com/91171326/healthcare-under-siege-the-cascading-impact-of-cyberattacks

Quotes of the Week  
"When the whole world is running toward a cliff, he who is running in the opposite direction appears to have lost his mind."
- C.S. Lewis, Writer and Professor (1898 - 1963)

"When your education limits your imagination, it's called indoctrination."
- Nikola Tesla, Inventor and Physicist (1845 - 1943)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-34-heads-up-real-social-engineering-attack-on-knowbe4-employee-foiled

Security News

Iran Launches Spear Phishing Attacks Against U.S. Presidential Campaigns

Researchers at Google's Threat Analysis Group (TAG) warn that Iranian state-sponsored threat actors are launching spear phishing attacks against U.S. presidential campaigns. The Trump campaign disclosed last week that it had been hacked by "foreign sources hostile to the United States," pointing the finger at Iran.

TAG says APT42, a threat actor tied to Iran's Islamic Revolutionary Guard Corps (IRGC), has targeted both the Trump and Biden-Harris campaigns over the past few months.

"In the current U.S. presidential election cycle, TAG detected and disrupted a small but steady cadence of APT42's Cluster C credential phishing activity," the researchers write. "In May and June, APT42 targets included the personal email accounts of roughly a dozen individuals affiliated with President Biden and with former President Trump, including current and former officials in the U.S. government and individuals associated with the respective campaigns.

"We blocked numerous APT42 attempts to log in to the personal email accounts of targeted individuals. Recent public reporting shows that APT42 has successfully breached accounts across multiple email providers. We observed that the group successfully gained access to the personal Gmail account of a high-profile political consultant."

The threat actor relies on social engineering to compromise its targets, often impersonating entities or individuals that are familiar to the victims.

"In phishing campaigns that TAG has disrupted, APT42 often uses tactics like sending phishing links either directly in the body of the email or as a link in an otherwise benign PDF attachment," the researchers write. "In such cases, APT42 would engage their target with a social engineering lure to set-up a video meeting and then link to a landing page where the target was prompted to login and sent to a phishing page.

One campaign involved a phishing lure featuring an attacker-controlled Google Sites link that would direct the target to a fake Google Meet landing page. Other lures included OneDrive, Dropbox and Skype."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Google has the story:
https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/

Attackers Abuse Google Drawings to Host Phishing Pages

Researchers at Menlo Security warn that a phishing campaign is exploiting Google Drawings to evade security filters.

The phishing emails inform the user that their Amazon account has been suspended, instructing them to click on a link in order to update their information and reactivate their account.

The phishing page is crafted with Google Drawings, which makes it more likely to fool humans while evading detection by security technologies. "This graphic is actually hosted in Google Drawings, part of the Google Workspace suite, that allows users to collaborate on graphics," the researchers write.

"Such a site is not typically blocked by traditional security tools. Another thing that makes Google Drawings appealing in the beginning of the attack is that it allows users (in this case, the attacker) to include links in their graphics. Such links may easily go unnoticed by users, particularly if they feel a sense of urgency around a potential threat to their Amazon account."

The attackers are also abusing link shorteners to further increase the chances that the phishing link will bypass security filters.

"We believe that ‘l[.]wl[.]co' was chosen because shortened WhatsApp links created with this service do not present any type of warning to the user that they are being redirected to a different site altogether," the researchers note.

"As an extra precautionary measure, the link created with the WhatsApp URL shortener is then appended with another URL shortener, "qrco[.]de," which is a URL shortener service for dynamic QR codes. We believe that this second step is designed to obfuscate the original link still further, in an effort to evade security URL scanners."

Blog post with links:
https://blog.knowbe4.com/attackers-abuse-google-drawings-to-host-phishing-pages

What KnowBe4 Customers Say

"Stu, Erika provided your contact to me so that I could tell you how much we have appreciated working with her. First of all, she has been delightful in her attitude - she always has a smile on and it is reflected in her voice.

She has been eager to get our phish and training programs going and to train us on administration of them. She has answered our questions gladly and even answered questions we didn't know we had based on issues she anticipated we would encounter.

We have asked her to help us set up some more complicated programs and she has always had good ideas and suggestions to get those requests implemented.

All of this is just to say that I am grate for Erika and that she was assigned to be our success manager. I have told my VP and others who care to listen how impressed I am with KB4 in general and Erika specifically. I want you to hear that from me as well."

- J.W., Director of Information Technologies


"Hi Stu, I've been a customer of KnowBe4 for nearly 10 years now (across 2 companies). Been a great ride...Our employees are better off as a result of the training, even though they don't like getting phished! Keep up the great work! Thank you!"

- B.L., CIO

[My Comment] I suggest you position it as a Cyber Hero Training game that teaches them to be safe on the internet in the office but also keep their family safe at the house! Here is a video that shows how this work: https://support.knowbe4.com/hc/en-us/articles/360016839414-Video-Cyber-Hero-Training-Leaderboards

The 10 Interesting News Items This Week
  1. [PROVED] Unsuspecting Call Recipients Are Super Vulnerable to AI Vishing:
    https://blog.knowbe4.com/proved-unsuspecting-call-recipients-are-super-vulnerable-to-ai-vishing

  2. FBI disrupts the Dispossessor ransomware operation, seizes servers:
    https://www.bleepingcomputer.com/news/security/fbi-disrupts-the-dispossessor-ransomware-operation-seizes-servers/

  3. Hackers posing as Ukraine's Security Service infect 100 govt PCs:
    https://www.bleepingcomputer.com/news/security/hackers-posing-as-ukraines-security-service-infect-100-govt-pcs/

  4. Ransom Cartel, Reveton ransomware owner arrested, charged in US:
    https://www.bleepingcomputer.com/news/security/ransom-cartel-reveton-ransomware-owner-arrested-charged-in-us/

  5. 2024 is banner year for ransomware payments. Manual techniques are fueling attacks:
    https://www.cybersecuritydive.com/news/manual-techniques-fuel-ransomware/724472/

  6. This crafty ransomware uses an unusual social-engineering tactic to gain access to victim systems:
    https://www.techradar.com/pro/security/this-crafty-ransomware-uses-an-unusual-social-engineering-tactic-to-gain-access-to-victim-systems

  7. Carbon black supplier Orion loses $60 million in business email compromise scam:
    https://therecord.media/orion-carbon-black-bec-scam-millions

  8. DARPA Announces AI Cyber Challenge Finalists:
    https://www.darkreading.com/application-security/darpa-announces-ai-cyber-challenge-finalists

  9. Social engineering campaign offers malicious tech support:
    https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/

  10. Crypto Investment scam uses deepfakes of UK Prime Minister and Prince William:
    https://www.bitdefender.com/blog/hotforsecurity/uk-prime-minister-keir-starmer-and-prince-william-deepfaked-in-investment-scam-campaign/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews