CyberheistNews Vol 14 #40 | October 1st, 2024
Online Scams Shorten Their Cycles 58% And Make More Money
New analysis of blockchain activity shows scammers need less time to obtain crypto payments and are seeing higher payoffs per scam.
I repeatedly cover breakdowns of cyber crime activity from the folks at Chainalysis because their data represents an unbiased view, free of the inherent bias some security vendors may have (since their data is based on what their own solutions do and don't discover).
In Chainalysis' 2024 Crypto Crime Mid-year Update Part 2, we find some surprising details that should have organizations a bit worried:
The average scam lifespan has decreased by 58% from last year to just 42 days. On its own, this doesn't sound entirely terrible; it could just mean that scammers are getting scared off or being unsuccessful and giving up more quickly, right?
Wrong.
Take a look at the graph in the blog post as just an example of what Chainalysis is seeing. In essence, inflows of scam "revenue" are at an all-time high, and yet the number of deposits is somewhat flat — meaning, more money is being made per scam.
Put these two data points together and you realize scammers are able to make money faster, allowing them to move on to the next scam. Many of these scams use social engineering, current events and phishing techniques as the means to launch, a risk that is addressed by new-school security awareness training designed to educate users in your org on how to identify even the most sophisticated and well-planned scams.
Blog post with links and screenshot:
https://blog.knowbe4.com/online-scams-are-shortening-their-cycles-and-making-more-money
[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing
Old-school security awareness training (SAT) does not hack it anymore. Your Secure Email Gateways have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, October 2, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to SAT and simulated phishing that is effective in changing user behavior.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: TOMORROW, Wednesday, October 2, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-1?partnerref=CHN2
Scammers Abuse Virtual Shopping Lists to Trick Walmart Customers
Threat actors are abusing virtual shopping lists to trick Walmart customers into transferring money or disclosing personal information, according to researchers at Malwarebytes. Links to the lists are distributed via Google Ads that impersonate Walmart support.
As a result, someone who searches for Walmart's customer service will see the ad at the top of the search results. If the user clicks the ad, they'll be redirected to a Walmart List containing a scammer's phone number.
Walmart Lists is a feature on Walmart's website and app that allows users to create and share shopping lists. However, instead of "eggs" or "milk," the scammers have written "Walmart Customer Support" alongside a phone number.
If a user calls this number, they'll be connected with a scammer who informs them that a warrant is out for their arrest due to a recent transaction from their bank account that was sent to a narco-trafficking group. The scammer, impersonating a bank employee or law enforcement investigator, attempts to trick the victim into transferring the rest of their money into a Bitcoin account in order to prevent additional transactions.
Malwarebytes offers the following recommendations to help users avoid falling for social engineering attacks:
- Sponsored results, or ads, can be dangerous due to ongoing and relentless malvertising campaigns. Learn to spot a regular search result from an ad, and if possible avoid clicking on ads.
- Even if you are on an official website, the content you see may not be legitimate. This is a particularly hard one because people will naturally trust that the brand's own site will be safe. But scammers and spammers can inject content in comments, or custom pages.
- Scare tactics and pressure to act quickly are almost always malicious. Unfortunately, most brands also have these promotions that expire soon and customers believe they need to buy the product now or lose out on a deal. Having said that, your local store will never threaten you on the phone with an arrest warrant.
- Scammers will often tell their victims to keep everything confidential and not discuss it with other family members or bank clerks. This is only in the scammers' interest to not be exposed; by all means you should ask for clarification and seek help from others.
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/scammers-abuse-virtual-shopping-lists
[NEW WEBINAR] North Korea's Secret IT Army and How to Combat It
Organizations around the world are unknowingly recruiting and hiring fake employees and contractors from North Korea. These sophisticated operatives aim to earn high salaries while potentially stealing money and confidential information. KnowBe4 recently learned this chilling fact firsthand when we discovered and stopped one of these operatives at our own organization. Since sharing our experience, we've discovered that many others have faced similar situations, too.
Join us for this webinar where Roger A. Grimes, Data-Driven Defense Evangelist for KnowBe4, teaches you what we have learned and how you can stay one step ahead. He'll cover:
- Stories of fake North Korean employees and contractors hired by unsuspecting organizations
- Red flags to watch out for to spot a fake employee job submission or resume
- How to tell if you've got a fake North Korean employee or contractor already on the payroll
- What updates and best practices you can start using today to keep bad actors out of your organization, and what to do if you suspect you may have already hired one
Don't miss this critical webinar that could be the difference between safeguarding your organization's assets and unknowingly inviting a potential security breach right in. Plus earn CPE credit for attending!
Date/Time: Wednesday, October 9 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/north-korea-secret-it-army?partnerref=CHN
Half of all Financial Services Cyber Attacks Start with a Very Costly Phish
New analysis of attacks on the financial sector shows that the combination of phishing emails and compromised credentials is a recurring — and financially impactful — threat.
According to IBM, financial services is the second most expensive sector with an average cost of a data breach at $6.1 million.
And it appears that email-based attacks are a material source of data breaches, ransomware, business email compromise and more for the financial services sector — this, according to Trustwave's 2024 Risk Radar Report: Financial Services Sector. In this report, we find these interesting details about attacks and their outcomes:
- 49% of attacks originated from phishing
- 37% of phishing emails used HTML attachments
- Phishing and stolen credential attacks were the most frequent attack types
- Phishing and business email compromise were tied as the second most expensive initial attack vectors in data breaches, with the average cost at $4.9 million
To counter these attacks, Trustwave recommends the following mitigations:
- Email filtering solutions to block based on content, sender and reputation
- A layered email security solution to detect anomalous (read: potentially malicious) email
- Security awareness training and phishing testing to keep users vigilant
We could not agree more.
Blog post with link to the report:
https://blog.knowbe4.com/half-financial-services-cyber-attacks-start-costly-phish
[Free Resources] Prepare for Cybersecurity Awareness Month 2024 with the Help of KnowBe4
Cybersecurity Awareness Month is here, and we've got your back!
Threats to your organization can come in many forms; from a suspicious email with a dodgy attachment to improperly stored sensitive information.
But never fear! The team featured in KnowBe4's award-winning, streaming-quality educational series "The Inside Man" is here to lend a helping hand. Our 2024 Cybersecurity Awareness Month resource kit delivers an immersive, multimedia cybersecurity awareness training experience centered around the gripping original series "The Inside Man."
With weeks' worth of training content, suggested campaign ideas and a web-based planner, this kit has what you need to run an engaging security awareness training campaign for an entire month!
Learn more about the kit and download here:
https://www.knowbe4.com/resources/free-cybersecurity-resource-kits/cybersecurity-awareness-month-kit-chn
Election-Themed Phishing Threats Are on the Rise
Researchers at ReliaQuest have published a report looking at cyber threats surrounding the upcoming U.S. presidential election, warning that election-related phishing will continue to increase over the next month.
People working in the political sphere need to be wary of state-sponsored spear phishing attempts. The Trump and Harris campaigns have both already been targeted by nation-state phishing attacks, with an Iranian threat actor succeeding in stealing information from the Trump campaign.
"APTs often use phishing and spear phishing to gain unauthorized access to sensitive communications," ReliaQuest says.
"To protect against these tactics, organizations are advised to deploy advanced email security solutions that use machine learning to detect and block phishing attempts. For enhanced protection, the security solution should also conduct threat simulations and red team exercises to identify and mitigate weaknesses. Security teams should provide contextual awareness training that incorporates real-world scenarios and recent case studies."
Cybercriminals are also exploiting interest in the election, attempting to trick users into handing over their credentials, installing malware, or sending money.
"As the election draws near, businesses and individuals will likely see a significant increase in election-themed phishing emails," the researchers write. "We anticipate cybercriminals will craft emails pretending to be from legitimate political campaigns, election authorities, or news outlets.
"These emails typically contain urgent calls to action like donation requests or critical voting procedure updates to deceive recipients into clicking malicious links or downloading harmful attachments. We have seen election-related customer incidents involving both traditional, external phishing with malicious links and using internal spear phishing to exploit trusted relationships within organizations."
The researchers add, "Advancements in AI will likely enable cybercriminals to create more personalized and convincing phishing emails by analyzing user behavior, preferences, and social media activity. Advanced AI algorithms can generate realistic and contextually relevant content, mimicking the writing style and tone of legitimate sources such as electoral bodies or campaigns, making it harder for recipients to detect fraud."
Blog post with links:
https://blog.knowbe4.com/election-themed-phishing-threats-2024
Let's stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [BUDGET AMMO] Fast Company - "U.S. elections: Four cyber threats organizations can expect":
https://www.fastcompany.com/91191776/u-s-elections-four-cyber-threats-organizations-can-expect
PPS: Your KnowBe4 Fresh Content Updates from September 2024:
https://blog.knowbe4.com/knowbe4-content-updates-september-2024
- Leo Tolstoy - Writer and Philosopher (1828 - 1910)
- Martin Luther King Jr. (1929 - 1968)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-40-online-scams-shorten-their-cycles-58-percent-and-make-more-money
Three-Quarters of CISOs View Phishing as the Greatest AI-Powered Threat
Seventy-five percent of Chief Information Security Officers (CISOs) cite phishing as the greatest AI-powered threat to their organization, a new survey from Team8 has found.
Additionally, 56% of CISOs cited deepfake-enhanced fraud (voice or video) as a major threat. "While AI is certainly being leveraged to enhance security tools, a notable surge in AI-powered attacks has become a formidable challenge for CISOs," Team8 says.
"Recent data highlights the severity of these attacks, with Bessemer reporting a staggering 1,265% increase in malicious phishing emails and a 967% rise in credential phishing since Q4 2022."
The researchers cite a recent incident in which threat actors used a deepfake to dupe a British engineering firm into sending approximately $25 million.
"In this instance, fraudsters used a deepfake version of a senior manager during a video conference to trick the company into transferring the funds," the researchers write. "This case underscores how AI can be weaponized to exploit human trust and bypass conventional security protocols."
Amir Zilberstein, Managing Partner at Team8, stated, "Recent technological advancements have rapidly transformed the threat landscape, and CISOs are responding. As companies evolve from using third-party AI tools to developing their own AI applications, securing AI development pipelines and data infrastructure has become a priority.
"At the same time, AI also introduces new, novel risks, such as deepfakes and social engineering, which are unfamiliar territory for CISOs. Balancing these emerging threats with ongoing issues like identity and third-party risk management will be a critical challenge in the coming years."
New-school security awareness training gives your organization an essential layer of defense against evolving social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.
Team8 has the story:
https://www.businesswire.com/news/home/20240924746961/en/Team8-Report-Phishing-and-Deepfakes-Emerge-as-the-Leading-AI-Powered-Threats-While-Cybersecurity-Budgets-Continue-to-Rise
15 Cybersecurity Terms You (and Your CEO) Ought to Know by Now
Nothing says "poor digital employee experience" louder than your org getting hit with a successful cyber attack. Suddenly the company's reputation is in tatters, its stock price is in the tank and your personal information is for sale on the dark web.
Avoiding worst-case scenarios like this requires getting everyone on the same page from a security perspective. And that starts with talking about security concepts in ways your non-cyber colleagues can understand. At some point early in the birth of information technology, we became addicted to jargon.
The industry is thick with it, and it's easy to forget that even some of the most basic terms cyber pros take for granted are gibberish to colleagues in other departments and — most important — on the board.
Translating cyber-speak into everyday English is the key to getting your point across, not to mention getting your budgets approved. And it is a significant driver of employee engagement.
Use this post in your next 1:1 with the CEO:
https://www.tanium.com/blog/15-cybersecurity-terms-you-and-your-ceo-ought-to-know-by-now/
What KnowBe4 Customers Say
"I just wanted to send an email to let you know how much we appreciate Ali S. as our rep. Like I told her, she is the most efficient and thorough rep we've had in at least three years. We appreciate her efficiency and her overall effort.
Please make sure this goes in her file for her PR or whatever would bring her some benefit or recognition. She deserves it. Also, please make every effort to ensure she remains our rep. :blush: Thanks again!"
- B.J. IT Comms, Sec Awareness & Doc Specialist
- Google says dozens of Fortune 100 firms have unknowingly hired North Korean IT workers:
https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat
- It's the Year 2030. What Will Artificial Intelligence Look Like?:
https://www.wsj.com/tech/ai/future-of-ai-2030-experts-654fcbfe?st=6AHyMN&reflink=article_gmail_share
- Hackers Posed as Google Support to Steal $243 Million in Crypto with sophisticated social engineering:
https://hackread.com/hackers-posed-google-support-steal-243m-crypto/
- Fake AI "podcasters" are reviewing my book and it's freaking me out:
https://arstechnica.com/ai/2024/09/fake-ai-podcasters-are-reviewing-my-book-and-its-freaking-me-out/
- Kaspersky deletes itself, installs UltraAV antivirus without warning:
https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/
- Why some ransomware gangs are experimenting with physical threats:
https://www.itbrew.com/stories/2024/09/23/why-some-ransomware-gangs-are-experimenting-with-physical-threats
- China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack:
https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835?st=BFXcbA
- U.S. intelligence agencies confirm Russia is pushing fake videos of Kamala Harris:
https://therecord.media/us-intelligence-confirms-russia-fake-videos
- Cybersecurity Incident Affects Arkansas City Water Treatment Facility:
https://www.infosecurity-magazine.com/news/incident-arkansas-city-water/
- Criminal group targets cryptocurrency influencers and gaming personalities:
https://www.recordedfuture.com/research/marko-polo-navigates-uncharted-waters-with-infostealer-empire
- A Glimpse of Old Ireland c.1929: Restored to Amazing Life:
https://youtu.be/2Pkcf2-w6l4
- [SUPER FAVE] The Most Beautiful Wingsuit Flight I've Done over the Swiss Wetterhorn, 3690m high:
https://youtu.be/ChpGDDw-Ix0
- The Lüderitz channel - fastest and most dangerous windsurfing channel in the world:
https://youtu.be/atUcHf_VCtU
- LockPickingLawyer - The Replicant: Pocket Key Casting Perfected!:
https://www.youtube.com/watch?v=L5Fus7qbRZM
- Just the Facts About the U.S. Federal Budget: Steve Ballmer Talks Through the Numbers:
https://www.youtube.com/watch?v=aQoh9jdRZPM&t=40s
- Super Humans: Unbelievable Feats of Strength, Skill & Beyond!:
https://www.youtube.com/watch?v=4dsc-wxyCxY
- LockPickingLawyer - Oops, Brink's Did it Again with Model 164:
https://youtu.be/zHFafzhN0ys
- Witness the jaw-dropping feat as Red Bull athlete Patrick Von Känel paraglides through a 498-foot tunnel in Italy's Dolomites, setting a new world record!:
https://www.flixxy.com/paragliding-through-a-tunnel-world-record.htm?utm_source=4
- For Da Kids #1 - Dogs Make Dad Take Them To The Skatepark:
https://youtu.be/DRL34yeDlgI
- For Da Kids #2 - Orphaned Fawn Adopts This Guy As Her Dad:
https://youtu.be/RxAkEGkKaBo
- For Da Kids #3 - Ferret Clings Onto His Human Through Thick And Thin:
https://youtu.be/6SIsvfCIbO8
- For Da Kids #4 - Watch as these stealthy cats take on impossible missions with grace and agility!:
https://www.flixxy.com/mission-impossible-cats-edition-defying-physics-like-furry-ninjas.htm?utm_source=4
- For Da Kids #5 - Woman's Rescue Dog Doesn't Know How Big He Is:
https://youtu.be/kWlhaHyj1LE