CyberheistNews Vol 14 #36 KnowBe4 Expands Children's Interactive Cybersecurity Activity Kit for 2024/2025 School Year

CyberheistNews Vol 14 #36  |   September 4th, 2024

KnowBe4 Expands Children's Interactive Cybersecurity Activity Kit for 2024/2025 School Year
By Stu Sjouwerman, SACP

Can you believe it's already back-to-school time for many? Where has the summer gone?

We are committed at KnowBe4 to providing content for students of all ages to help them stay safe and maybe get them interested in a career in cybersecurity in the future.

For example, we launched our successful KnowBe4 Student Edition last spring for students over the age of 16 that included training materials focused on topics that are relevant for young adults.

For students under 16, the KnowBe4 Children's Interactive Cybersecurity Activity Kit is available for free to schools, teachers and parents. This kit is linked below. Consider telling the teachers in your children's school.

New School Year, New Content

We are excited to announce this latest update to the kit, which includes a new training module and some great updated features.

We have been adding fresh resources to this kit each school year, including an AI safety video, a password video game, a cybersecurity activity book, and middle school lesson plans. We have even more planned for the upcoming school year.

Last year we launched our groundbreaking Roblox game called KnowBe4 Hack-A-Cat, where students can play a game on the popular platform and learn about things like phishing, ransomware and other cybersecurity-related topics. We heard from many educators that they would like a companion lesson to include to help explain the concepts in the game for students in a more direct approach.

So, I am excited to announce that this accompanying lesson is now available on the children's kit site. It is titled "Hack-A-Cat: Your Cybersecurity Adventure on Roblox," and teachers can have students complete this on their own in a computer lab, with laptops or even on the smartboard at the front of the classroom.

This self-paced module can be used as a lesson prior to playing the Roblox game at school or independently with their friends at home. We think it's a perfect complement to the in-game learning experience to make the most impact for students to learn about cybercrime, be prepared, and maybe one day join one of the teams helping protect others.

Kids Kit Now Available in Your Own LMS

Another requested feature of our kit that is now available is the ability to download the content and use it in your own Learning Management System (LMS) and/or Virtual Learning Environment (VLE) and make them a learning activity for students.

This feature allows admins to download the kit in a common standard called Shareable Content Object Reference Model (SCORM), which most learning platforms accept. The lessons that are available in SCORM format include:

  • AI Awareness for Students
  • Bye Bye Bully
  • Captain Awareness: Conquer Internet Safety for Kids
  • Password Zapper Game
  • Spot the Phish - Kid's Edition

There is a link at the bottom of the page that allows for the easy download of all these materials in SCORM format. Look for the link in the text, "Looking for SCORM files? Click HERE to download."

There are also supporting materials available in image and document formats (not SCORM) that you can download directly from the kit page:

  • Clickbait Cootie Catcher Tabletop Exercise
  • Password Warriors Tabletop Exercise
  • Poster: Captain Awareness: Conquer Internet Safety for Kids
  • Security Cat's Activity Book for Kids

KnowBe4 customers can also still use the content on the KnowBe4 Children's Interactive Cybersecurity Activity Kit website, but we wanted to make the SCORM option available to be able to give access to more students (links on blog).

We will be adding more content to the Children's Kit and to the KnowBe4 Student Edition throughout the school year, based on the latest threats and feedback from our partner institutions and others, so check back often as you are planning lessons for your students.

If you have an idea or request of what you would like to see us add, feel free to get in touch. We are committed to providing fresh educational content for students and partners to stay safe.

Blog post with links:
https://blog.knowbe4.com/knowbe4-childrens-interactive-cybersecurity-activity-kit-2024

[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TODAY, Wednesday, September 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing that is effective in changing user behavior.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: TODAY, Wednesday, September 4, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-3?partnerref=CHN2

Phishing Attacks Are Increasingly Targeting Social Media and Smartphone Users

Threat actors are increasingly tailoring their attacks to target social media apps and smartphone users, according to a new report from the Anti-Phishing Working Group (APWG).

As email security technologies improve, scammers are turning to social media apps, text messages, and voice calls to conduct social engineering attacks.

Matthew Harris, Senior Product Manager, Fraud at OpSec, explained, "We have observed an increased share of fraud being targeted towards sites that do not require high security, such as social media sites like Facebook and LinkedIn, and SAAS and Webmail accounts such as Microsoft Outlook and Netflix."

The report also found that the volume of phishing attacks targeting bank accounts has fallen compared to last year, but these attacks have grown more sophisticated and targeted. Attackers need to put more effort into banking-focused attacks since these institutions typically have additional layers of security.

"Banks require two-factor authentication for online banking, such as codes sent to the users' mobile phones," the report says. "Without those authentication codes, phishers can't get into victims' online financial accounts.

"So instead, fraudsters are using phone-based methods to phish bank and payment service users. These are more immediate contact methods, and allow the fraudster to talk victims out of their sensitive information.

"Phone-based fraud is initiated by different methods. One is voice phishing or vishing -- where fraudsters call potential victims. Another is SMS-based phishing or smishing – in which fraudsters advertise the URLs of phishing sites within SMS (Short Message Service) and Internet-generated, phone-to-phone text messages."

The majority of scams in Q2 2024 involved gift card fraud or advance fee requests. APWG contributor Fortra found that the average amount of money requested in business email compromise (BEC) attacks rose by 6.5% last quarter to reach $89,520.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/phishing-attacks-are-increasingly-targeting-social-media-and-smartphone-users

[NEW WEBINAR] Code Red: How KnowBe4 Exposed a North Korean IT Infiltration Scheme

A recent incident shed light on a chilling new tactic: North Korean operatives posing as IT professionals to infiltrate organizations all over the world. And this one hit a little too close to home… right here at KnowBe4.

We're pulling back the curtain on this event to help you protect your organization from this new and growing, terrifying threat.

Join us for an exclusive, no-holds-barred conversation with the team who lived through it. Perry Carpenter, our Chief Human Risk Management Strategist, sits down with Brian Jack, Chief Information Security Officer, and Ani Banerjee, Chief Human Resources Officer, to chat about how we spotted the red flags and stopped it before any damage was done.

During this webinar, you'll get the inside scoop on:

  • The strategies and tools used by these covert operatives to sneak through the cracks
  • How we discovered something was wrong, and how we quickly stepped in to stop it
  • How you can spot fake IT workers in your hiring process and workplace
  • Practical advice for fortifying your organization in implementing robust screening processes and security protocols to safeguard against infiltration

Gain exclusive insights and actionable strategies to protect your organization from these sophisticated threats. Don't miss this opportunity to stay ahead in the ever-evolving landscape of cybersecurity, plus earn CPE credit for attending!

Date/Time: Thursday, September 12 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/code-red-webinar?partnerref=CHN

Email Compromise Remains Top Threat Incident Type for the Third Quarter in a Row

New analysis of Q2 threats shows a consistent pattern of behavior on the part of threat actors and threat groups, providing organizations with a clear path to protect themselves.

It's every cybersecurity professional's worry: will the security controls they've put in place actually stop attacks?

Those fears are easier to calm than they may seem. Industry data paint a clear picture of which tactics and techniques threat actors are actually using, so you can check that the appropriate controls are in place to stop exactly that activity.

According to Kroll's Q2 2024 Threat Landscape Report, some consistent trends are becoming evident. Going back three quarters, Kroll's data show the same threat incident types leading every quarter, in descending order: email compromise, ransomware, unauthorized access and web compromise.

Looking at Kroll's chart (reproduced in the blog post linked below), you can see how important access to email is for threat actors. And even with the substantial increase in unauthorized access this year, it appears that the threat actor "leopard" doesn't change its spots.

It's clear that protecting email access with multi-factor authentication, strong passwords and security awareness training is essential. These measures help prevent social engineering attacks aimed at stealing credentials, a trend that shows no signs of slowing down.

Blog post with links and graphics:
https://blog.knowbe4.com/email-compromise-remains-top-threat-incident-type-for-the-third-quarter-in-a-row

[Popular Whitepaper] The Security Culture How-to Guide

Improving the security culture of your organization can seem daunting. An entire culture sounds almost too big to influence. But influencing security culture is possible with the right plan, buy-in and content.

With the right culture supporting them, your users will be better equipped to identify potentially devastating cyber attacks and social engineering threats before they affect your network.

This how-to guide will walk you through how to build a step-by-step plan, helping you understand the fundamentals of security culture and what you can do to move the culture needle in your organization.

You'll learn:

  • The fundamental ABCs of culture change and how each builds off each other
  • A seven-step cycle for improving your security culture
  • Advice and best practices for making the most out of each step in the process

Download this guide today!
https://info.knowbe4.com/wp-security-culture-how-to-guide-chn

More Carrots and Fewer Sticks

This blog was co-written by Perry Carpenter and Roger A. Grimes.

As I sit in the 2024 Seattle Convene conference this week and listen to speaker after speaker talk about their successful security awareness training programs, one thing is perfectly clear: they all prefer more carrots and fewer sticks.

A question human risk managers frequently ask me is what role negative consequences should play in a successful security awareness training program? This touches on a fundamental principle that my colleague, Perry Carpenter, is well known for emphasizing — the importance of working with human nature rather than against it.

Because of that, I invited him to co-write this blog post with me. Consider this a two-for-one blog special…The rest of this post represents our combined thoughts.

What's the end-goal, anyway?

Some of our customers have a policy of firing people for first-time offenses, whether that offense is clicking on a simulated phishing email URL link or interacting with a real phishing scam. We have many customers who have no defined policy for "missed" phishing tests and who never interact with an employee for either "failing" or not failing a simulated phishing test. The right policy lies somewhere in between.

The goal is to reduce cybersecurity risk most efficiently and effectively without significantly impacting business and revenues. Firing your best employees because they failed a phishing test doesn't seem overly productive.

Punitive approaches often backfire and can create a culture of fear rather than one of shared responsibility.

This is especially true because anyone…ANYONE!! can be phished. If you think you can't be socially engineered into doing something against your own best interests, you are at higher risk for a successful phishing attack, not lower.

No one wants to click on a phish. And yes, we have people who are more susceptible to phishing than others. And we need a way to motivate the poorer performers to become better. But how do we do this effectively?

More Carrots

Here are some common carrot ideas.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/more-carrots-and-fewer-sticks


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from August 2024:
https://blog.knowbe4.com/knowbe4-content-updates-august-2024

PPS: [BUDGET AMMO] This Security Company [Cinder] Has Been Flooded With Job Applicants From North Korea:
https://www.forbes.com/sites/davidjeans/2024/08/26/cinder-north-korea-jobs/

Quotes of the Week
"Peace cannot be kept by force; it can only be achieved by understanding."
- Albert Einstein, Physicist (1879 - 1955)

"You become what you give your attention to."
- Epictetus, Greek philosopher (55 - 135 AD)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-36-knowbe4-expands-children's-interactive-cybersecurity-activity-kit-for-2024-2025-school-year

Security News

Threat Actors Abuse Microsoft Sway to Launch QR Code Phishing Attacks

Researchers at Netskope last month observed a 2,000-fold increase in traffic to phishing pages delivered through Microsoft Sway. The attacks target organizations in the technology, manufacturing and finance sectors in Asia and North America.

Most of these attacks involved QR code phishing (quishing) to trick victims into visiting the malicious sites.

"Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate issued ones, ensuring unrestricted access to the phishing site," Netskope explains.

"Additionally, these QR phishing campaigns employ two techniques from previous posts: the use of transparent phishing and Cloudflare Turnstile. Transparent phishing ensures victims access the exact content of the legitimate login page and can allow them to bypass additional security measures like multi-factor authentication.

Meanwhile, Cloudflare Turnstile was used to hide the phishing payload from static content scanners, preserving the good reputation of its domain." Notably, the threat actors abused Sway, a free Microsoft 365 presentation app, to evade security technologies.

"By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," the researchers write. "Additionally, a victim uses their Microsoft 365 account that they're already logged-into when they open a Sway page, that can help persuade them about its legitimacy as well.

"Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe. Over the past six months, Netskope Threat Labs observed little to no malicious traffic using Microsoft Sway. However, in July 2024, we observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages. The pages we investigated were targeting Microsoft 365 accounts."
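Two details in the Netskope write-up matter for detection. First, a QR code carries the URL as an image, so mail-side link rewriting and URL reputation never see it, and the first observable event is the web request itself (and only if the scanning device passes through your proxy). Second, the signal Netskope actually reported was a jump in the number of unique pages on an otherwise quiet, trusted host. The block below is an added example, not Netskope's or KnowBe4's code: it counts distinct pages per day on a watched host in a proxy export and flags days that dwarf the trailing daily average. The log format, the host name sway.example, the user names and every log line are constructed placeholders.

```python
"""Spot a sudden surge of unique pages on a trusted cloud app in web-proxy logs.

Added example, not Netskope's or KnowBe4's code. The log format
("<ISO timestamp> <user> <url>"), the host name sway.example and every
log line below are constructed placeholders; substitute the abused
app's real host and your proxy's export format.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta
from urllib.parse import urlparse

WATCHED_HOST = "sway.example"   # placeholder for the legitimate app being abused

# Constructed proxy export: one request per line.
SAMPLE_PROXY_LOG = """\
2024-06-03T09:12:44Z alice https://sway.example/s/aa11
2024-06-04T10:02:10Z bob   https://sway.example/s/aa11
2024-06-05T11:40:00Z carol https://docs.example/report.pdf
2024-06-06T08:15:21Z dave  https://sway.example/s/bb22
2024-07-01T09:00:01Z alice https://sway.example/s/c1
2024-07-01T09:03:12Z bob   https://sway.example/s/c2
2024-07-01T09:05:40Z carol https://sway.example/s/c3
2024-07-01T09:09:55Z dave  https://sway.example/s/c4
2024-07-01T09:11:02Z erin  https://sway.example/s/c5
2024-07-01T09:11:30Z erin  https://sway.example/s/c5
2024-07-01T09:14:47Z frank https://sway.example/s/c6
"""


def parse_line(line: str) -> tuple[date, str, str]:
    """Split one export line into (day, user, url)."""
    ts, user, url = line.split(maxsplit=2)
    return date.fromisoformat(ts[:10]), user, url.strip()


def unique_pages_per_day(log_text: str = SAMPLE_PROXY_LOG,
                         host: str = WATCHED_HOST) -> dict[date, int]:
    """Distinct URLs on `host` seen each day; repeat visits to one page count once."""
    pages: dict[date, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, _user, url = parse_line(line)
        if urlparse(url).hostname == host:
            pages[day].add(url)
    return {day: len(urls) for day, urls in pages.items()}


def spike_days(counts: dict[date, int], baseline_days: int = 28,
               factor: float = 5.0, min_pages: int = 5) -> list[tuple[date, int, float]]:
    """Days whose unique-page count is at least `factor` times the trailing daily mean.

    Days with no traffic count as zero in the baseline, so a host that is normally
    quiet and suddenly serves many distinct pages is flagged; an empty window is
    treated as one page per window to avoid dividing by zero, and `min_pages`
    suppresses alerts on tiny absolute numbers.
    """
    alerts = []
    for day in sorted(counts):
        window_total = sum(counts.get(day - timedelta(days=i), 0)
                           for i in range(1, baseline_days + 1))
        fold = counts[day] * baseline_days / max(window_total, 1)
        if counts[day] >= min_pages and fold >= factor:
            alerts.append((day, counts[day], fold))
    return alerts


if __name__ == "__main__":
    for day, n, fold in spike_days(unique_pages_per_day()):
        print(f"{day}: {n} unique {WATCHED_HOST} pages, "
              f"{fold:.0f}x the trailing daily average")
```

On the sample data the June visits establish a baseline of three unique pages in 28 days, and the six distinct pages on 1 July come out at 56 times that daily mean, so that day is flagged. The same per-day, per-host counting works for any legitimate hosting service attackers rotate through; the factor and minimum should be tuned against a few weeks of your own traffic before alerting on it.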

Blog post with links:
https://blog.knowbe4.com/threat-actors-abuse-microsoft-sway-to-launch-qr-code-phishing-attacks

Fewer, High-Profile Ransomware Attacks Are Yielding Higher Ransoms

Analysis of cryptocurrency payments made on the blockchain highlights shifts in the size and frequency of ransomware attacks and may paint a bleak picture for the remainder of the year.

Each quarter, blockchain analysis company, Chainalysis, analyzes cybercriminal activity from the perspective of blockchain use to facilitate payments, crypto theft, etc.

In their 2024 Crypto Crime Mid-year Update Part 1, we see a few notable changes in ransomware attacks:

  • 2024 is set to be the highest-grossing year yet for ransomware payments
  • The median ransom payment made to ransomware strains receiving at least $1 million spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024

Chainalysis provides an interesting chart (reproduced in the blog post linked below) to visualize ransomware payments made over time. As the chart shows, ransomware payments are increasing. The median payment size in the first week of 2023 was just $198,939. In comparison, the median payment in mid-June of 2024 was $1.5 million, more than seven times as much (roughly a 650% increase). Remember, these are payments and not demands, so we're seeing the real impact of ransomware attacks, which are trending toward being more expensive.

This is a key reason why organizations need to focus on preventing such attacks to a greater degree, which should include protection against phishing attacks via security awareness training to ensure an organization's users act as part of the defenses, siding with vigilance when interacting with a potentially malicious email or website, rather than simply becoming a victim and enabling an attack.

Blog post with links and charts:
https://blog.knowbe4.com/fewer-high-profile-ransomware-attacks-yield-higher-ransoms-and-a-mid-year-total-of-just-over-450-million

Most Phishing Sites Are Now Mobile-Compatible

A new report from Zimperium has found that 78% of phishing sites are designed to target mobile browsers. These attacks can give threat actors a foothold within an organization's network, especially if an employee uses their phone for work-related activities.

"Mobile phishing includes various forms such as SMS phishing (smishing), voice phishing (vishing), app-based phishing, email phishing and social media phishing," the researchers explain. "While some of phishing campaigns appear to target consumers, they can serve as a trojan horse to deliver malware, capture reused passwords, or hijack OTPs, ultimately infiltrating corporate networks and applications on the device."

The researchers also warn that most phishing sites now use HTTPS, which is indicated by a lock icon next to the URL in the browser bar. Users need to be aware that the lock icon only means that the connection is encrypted and the certificate matches the domain shown in the address bar; it says nothing about who controls that domain or whether the site is legitimate.

"Due to changes in browser behavior to treat non encrypted sites as less secure, and the ability to evade detection due to encrypted communication, attackers have been migrating to use secure communications (HTTPS) for modern phishing attacks," the researchers write.

"At the moment of writing, our analysis shows that only 12.9% of phishing URLs employ an unencrypted HTTP scheme, while 87.1% utilized the more secure HTTPS (including those that redirected from HTTP to HTTPS). The use of secured connections to serve malicious content can create a false sense of security for the user or mask malicious intent behind the 'lock' icon on the browser."

Zimperium found that 60% of newly created phishing domains receive a TLS (SSL) certificate within two hours of being registered. The researchers note, "This means that in just 2 hours, a new phishing domain can be created and be fully operational over a secure HTTPS connection."
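Because issuance is free, automated and near-instant, a certificate tells you nothing about legitimacy, but the issuance event itself is public: every publicly trusted certificate is logged to Certificate Transparency, and for phishing domains that log entry lands within minutes of registration. That makes CT a useful early-warning feed when paired with two other checks, a lookalike test against your own brand names and the domain's registration age. The block below is an added example, not Zimperium's or KnowBe4's code: it scores certificate common names against a brand list after undoing common homoglyph swaps, skips the brand's own allowlisted domains, and reports lookalikes whose certificate was issued within two hours of the domain being registered. The CT rows, registration times, brand tokens and allowlist are all constructed placeholders, and the registrable-domain logic assumes a one-label public suffix.

```python
"""Flag newly issued certificates for brand-lookalike domains.

Added example, not Zimperium's or KnowBe4's code. A Certificate
Transparency monitor yields the certificate's common name and not_before
time; WHOIS/RDAP yields the domain's creation time. Both feeds are
replaced here by constructed sample rows, and the brand names and
allowlist are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample rows: (common name, certificate not_before, domain registered).
SAMPLE_CT_ENTRIES = [
    ("login.example-bank.com", "2024-07-01T08:00:00Z", "2016-03-12T00:00:00Z"),
    ("secure-examp1ebank.com", "2024-07-01T09:10:00Z", "2024-07-01T08:05:00Z"),
    ("*.rnicrosoft-verify.net", "2024-07-01T09:30:00Z", "2024-07-01T09:00:00Z"),
    ("weather-today.example", "2024-07-01T10:00:00Z", "2024-06-01T00:00:00Z"),
]

BRANDS = ["examplebank", "microsoft"]   # placeholder brand tokens to protect
KNOWN_GOOD = {"example-bank.com"}       # the brand's own registrable domains

# Single-character swaps attackers use; the two-character "rn" -> "m" is handled separately.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


@dataclass
class Finding:
    hostname: str
    brand: str
    minutes_since_registration: float


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def registrable_domain(hostname: str) -> str:
    """'login.example-bank.com' -> 'example-bank.com'.

    Simplification: assumes a one-label public suffix (no co.uk handling).
    """
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'rnicr0soft' compares as 'microsoft'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats of longer brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(hostname: str, brands: list[str] = BRANDS) -> str | None:
    """Return the brand the second-level label imitates, or None.

    'secure-examp1ebank.com' -> 'examplebank'; hyphenated tokens are tested
    individually and joined, so 'example-bank' and 'examplebank' both match.
    """
    label = normalize(registrable_domain(hostname).split(".")[0])
    tokens = [t for t in label.split("-") if t]
    candidates = tokens + ["".join(tokens)]
    for brand in brands:
        for cand in candidates:
            if cand == brand or (len(brand) >= 6 and levenshtein(cand, brand) <= 1):
                return brand
    return None


def review_ct_feed(entries=SAMPLE_CT_ENTRIES, brands: list[str] = BRANDS,
                   known_good: set[str] = KNOWN_GOOD,
                   max_age: timedelta = timedelta(hours=2)) -> list[Finding]:
    """Lookalike hostnames whose certificate was issued within max_age of registration."""
    findings: list[Finding] = []
    for common_name, not_before, registered in entries:
        host = common_name.lower().removeprefix("*.")   # wildcard certs name the zone
        if registrable_domain(host) in known_good:
            continue                                    # the brand's own infrastructure
        brand = lookalike_brand(host, brands)
        if brand is None:
            continue
        age = parse_ts(not_before) - parse_ts(registered)
        if age <= max_age:
            findings.append(Finding(host, brand, age.total_seconds() / 60))
    return findings


if __name__ == "__main__":
    for f in review_ct_feed():
        print(f"{f.hostname}: imitates {f.brand}, certificate issued "
              f"{f.minutes_since_registration:.0f} min after registration")
```

On the sample rows the bank's own login host is allowlisted and ignored, the unrelated weather domain scores no brand, and the two lookalikes (a digit-for-letter swap and an "rn"-for-"m" swap) are reported with certificates issued 65 and 30 minutes after registration. In practice the registration time comes from RDAP, the rows from a CT feed, and a lookalike that is old rather than young still deserves a lower-severity ticket rather than silence.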

Zimperium has the story:
https://www.zimperium.com/blog/deep-dive-into-phishing-chronology-threats-and-trends/

What KnowBe4 Customers Say

"Hi Edmond, I am writing to express my sincere gratitude for the exceptional support I have received from you over the past few months to create training & phishing campaigns.

Your assistance has been marked by professionalism, efficiency, and a genuine desire to help. Your dedication to providing top-notch technical support has made a significant difference and transformed my experience with KnowBe4.

You have consistently demonstrated patience, extensive knowledge, and prompt responses. Your attention to detail and willingness to go above and beyond truly exemplify excellent support.

Thank you once again for your outstanding support. I look forward to continuing to work closely with you in the future."

- H.C., Manager, IT


"Hi Stu, I've been a customer of KnowBe4 for nearly 10 years now (across 2 companies). Been a great ride…Our employees are better off as a result of the training! Keep up the great work! Thank you!"

- B.L., CIO

The 10 Interesting News Items This Week
  1. [LAW.COM] Security Awareness Training: It's Time to Elevate Its Importance In Your Information Security Program:
    https://www.law.com/2024/08/27/security-awareness-training-its-time-to-elevate-its-importance-in-your-information-security-program/

  2. US offers $2.5 million reward for information on Belarusian hacker:
    https://therecord.media/state-department-reward-for-information-on-belarussian-hacker-kadariya

  3. RFID cards could turn into a global security mess after discovery of hardware backdoor:
    https://www.techspot.com/news/104436-previously-unknown-hardware-backdoors-could-turn-rfid-cards.html

  4. Hundreds of LLM Servers Expose Corporate, Health & Other Online Data:
    https://www.darkreading.com/application-security/hundreds-of-llm-servers-expose-corporate-health-and-other-online-data

  5. IT worker charged for alleged ransomware attack against former employer:
    https://www.theregister.com/2024/08/29/vm_engineer_extortion_allegations/

  6. US efforts to stop Chinese hackers haven't been fully effective, FBI official says:
    https://www.nextgov.com/cybersecurity/2024/08/us-efforts-stop-chinese-hackers-havent-been-fully-effective-fbi-official-says/399161

  7. Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors:
    https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-use-ios-chrome-exploits-created-by-spyware-vendors/

  8. WSJ: Companies Grapple With Expanding Cyber Rules:
    https://www.wsj.com/articles/companies-grapple-with-expanding-cyber-rules-19f8a4de?mod=djemCybersecruityPro&tpl=cs

  9. Cyber Insurance: A Few Security Technologies, a Big Difference in Premiums:
    https://www.darkreading.com/threat-intelligence/cyber-insurance-security-technologies-premiums

  10. Iranian cyberespionage actor conducts ransomware attacks on the side:
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff