CyberheistNews Vol 14 #44 | October 29th, 2024
[Heads Up] Cyber Attacks Now Shift to Mobile. Are Your Users Prepared?
With 16+ billion mobile devices in use worldwide, new data sheds light on how bad actors are shifting focus and tactics to put attacks into the victim's hands.
There's an interesting story woven throughout mobile security provider Zimperium's 2024 Global Mobile Threat Report that demands the attention of organizations intent on securing every attack vector, which includes personal mobile devices.
According to the report:
- 82% of organizations allow BYOD
- The average smartphone has 80 apps installed, with 5-11 being work-related
- 85% of the apps on the device are personal apps that all have some potential impact to the organization's risk exposure
- 71% of employees leverage smartphones for work tasks
- 60% of employees use their smartphones for work-related communication
- 48% of employees use their smartphones for accessing work-related information
While Zimperium goes into more detail about the insecurity of the apps on these devices, let's stick with the fact that employees use their mobile devices for work to a material degree. According to the report, there is a large shift toward attacking via mobile devices. Take the following additional stats:
- 83% of phishing sites are designed specifically to target mobile devices
- Mobile malware instances have increased 13% in the last year
- 80% of all malware observed by Zimperium was riskware and trojans deployed as "sideloaded apps" on mobile devices
In other words, the data points to two things: first, mobile presents a real risk to organizations, and second, cyber attacks are shifting toward mobile.
And since most organizations have limited ability to secure an employee's personal device, the employee has to become part of the security strategy: new-school security awareness training that keeps them continually vigilant when interacting with email and the web on a mobile device.
Good thing that KnowBe4 has dozens of short "mobile-first" awareness training modules that were all created specifically for mobile devices!
Blog post with links:
https://blog.knowbe4.com/cyber-attackers-are-adopting-a-mobile-first-attack-strategy
Lights, Camera, Hacktion! The Inside Scoop on Creating 'The Inside Man'
Over the last five years, KnowBe4's binge-worthy series "The Inside Man" has been revolutionizing the way organizations think about security awareness training. Now, we invite you behind the scenes to learn from the creators, and find out what makes "The Inside Man" such a success in organizations around the world.
Join us for this can't-miss webinar where we're spilling all the tea with the masterminds behind "The Inside Man." You'll hear from Jim Shields, Director of "The Inside Man," Rich Leverton, Director of Content at Twist & Shout, and Perry Carpenter, Executive Producer and Chief Human Risk Management Strategist at KnowBe4 as they share:
- Insights on how the concept came to be, and behind the scenes antics from the cast and crew
- The secret sauce that makes "The Inside Man" even more addictive than your favorite Netflix show
- Why storytelling is your new superpower in the fight against cybercriminals and making your security culture stick
We'll also be dropping some juicy teasers about the upcoming season that'll leave you on the edge of your seat. Whether you're a die-hard fan or new to "The Inside Man" party, you won't want to miss this!
Date/Time: TOMORROW, Wednesday, October 30 @ 2:00 PM (ET)
Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/inside-man-webinar?partnerref=CHN2
New Research: 140% Increase in Callback Phishing
Researchers at Trustwave observed a 140% increase in callback phishing attacks between July and September 2024.
Callback phishing is a social engineering tactic that involves emails and phone calls to trick users into handing over login credentials or other sensitive data or installing malware.
The attacks begin with a phishing email that appears to be a notification for something that needs to be addressed urgently, such as an order invoice or an account termination notice.
The emails contain a phone number that the user can call to resolve the issue. If a user calls this number, the scammer will pose as a customer service agent in order to achieve one or more of the following goals:
"Vishing: Attackers will interrogate the victim for their personally identifiable information (PII), banking credentials, and other relevant details.
Malware Download and Infection: In some campaigns including BazarCall, victims are instructed to visit a website that will directly download malware, such as a document with malicious macros. Attackers will guide them through the installation process. The infected machine is used for stealing information, reconnaissance and installing follow-up malware.
Remote Access Control: To settle the issue, the attackers will instruct the victim to download a remote administration tool and invite them to a meeting session. Once the victim is connected, attackers will take control of their machine via remote access.
In some campaigns, such as Luna Moth, attackers blank out the screen to hide their actions. They will then proceed to steal information or install another malware for further exploitation."
The researchers note that getting the victim on the phone gives the scammer more control over the situation than simply communicating via email. "A phone call provides real-time and dynamic communication between the victim and fraudsters.
"In a direct conversation, attackers can continue to manipulate and dispel hesitations," Trustwave says. "The attacker often emphasizes the urgency of the matter, which might influence the victim into making a rash decision, such as divulging sensitive information."
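The lure described above has a recognizable shape: an invoice, renewal or termination pretext, pressure to act right away, and a phone number as the only call to action, with no link for URL scanners to inspect. The following triage heuristic is an added example, not Trustwave's or KnowBe4's code; the three messages are constructed samples, and the indicator weights and the threshold of 4 are assumptions to tune against your own mail flow.

```python
import re

# Indicators of a callback-phishing lure: a dialable phone number, an
# invoice/renewal/termination pretext, and pressure to act immediately.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
LURE_RE = re.compile(
    r"\b(?:invoice|subscription|renew\w*|charged?|order|payment|terminat\w*|suspend\w*)\b",
    re.I,
)
URGENCY_RE = re.compile(
    r"\b(?:immediately|urgent\w*|within \d+ hours?|today|now|right away)\b", re.I
)

# Constructed sample messages as a gateway or SOAR playbook would see them
# after HTML stripping: subject, plain-text body, and the extracted URLs.
SAMPLE_EMAILS = [
    {
        "id": "msg-1",
        "subject": "Your Geek Squad subscription invoice #GS-48213",
        "body": (
            "Thank you for your purchase. Your annual plan has been renewed "
            "and $399.99 will be charged today. If you did not authorize this "
            "charge, call our billing desk immediately at +1 (888) 555-0142 "
            "to cancel within 24 hours."
        ),
        "urls": [],
    },
    {
        "id": "msg-2",
        "subject": "Weekly team sync notes",
        "body": "Notes attached. Reach me on ext 4521 if anything is unclear. Thanks!",
        "urls": ["https://intranet.example.com/notes/2024-10-28"],
    },
    {
        "id": "msg-3",
        "subject": "Account termination notice",
        "body": "Your account will be terminated. Contact support at 800-555-0199 to resolve this issue now.",
        "urls": [],
    },
]

SUSPECT_THRESHOLD = 4  # assumed cut-off; tune on your own traffic


def score_callback_lure(msg: dict) -> dict:
    """Score one message for callback-phishing indicators.

    Weights are assumptions: a phone number is the strongest signal (2), the
    pretext and the urgency each add 1, and a phone number with no URL at all
    adds 1 more, because the call is then the only way to "resolve" the issue.
    """
    text = f"{msg['subject']}\n{msg['body']}"
    phones = PHONE_RE.findall(text)
    lures = sorted({m.lower() for m in LURE_RE.findall(text)})
    urgency = sorted({m.lower() for m in URGENCY_RE.findall(text)})

    score = 0
    if phones:
        score += 2
    if lures:
        score += 1
    if urgency:
        score += 1
    if phones and not msg["urls"]:
        score += 1

    verdict = "callback_phish_suspect" if score >= SUSPECT_THRESHOLD else "pass"
    return {
        "id": msg["id"],
        "phones": phones,
        "lure_terms": lures,
        "urgency_terms": urgency,
        "score": score,
        "verdict": verdict,
    }


def triage_mailbox(messages: list) -> dict:
    """Map message id to verdict for a batch of messages."""
    return {m["id"]: score_callback_lure(m)["verdict"] for m in messages}


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(score_callback_lure(msg))
```

A hit should route the message for review and put the extracted number on a watchlist, not block outright: legitimate invoices also carry phone numbers, so the value of the rule is the combination of a number, a pretext, urgency and the absence of any link, which is exactly what the Trustwave description above says makes these lures work.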
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/callback-phishing-is-on-the-rise
[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing
Old-school security awareness training (SAT) does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us Wednesday, November 6, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to SAT and simulated phishing that is effective in changing user behavior.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: Wednesday, November 6, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN
Nearly Two-Thirds of IT Leaders Have Fallen For Phishing Attacks
Sixty-four percent of IT leaders have clicked on phishing links, a new survey by Arctic Wolf has found.
Despite this, 80% of these same professionals are confident their organization won't fall victim to a phishing attack.
The survey found that 34% of organizations send simulated phishing emails to their employees at least once every two weeks, but only 15% of end users are aware of them.
Likewise, the IT and security leaders surveyed said 83% of their employees fall for the phishing simulations. The report also found that organizations usually increase employee training programs after they've sustained a breach, and the frequency of this training has a noticeable effect on security.
"The data suggests that organizations who have suffered a breach are more likely to increase the regularity of training," the report says. "40% of IT and cybersecurity leaders whose security awareness training happens quarterly have not experienced a breach in the past year, as opposed to 14% of leaders whose training is weekly."
The researchers add, "We see a direct correlation between those who receive frequent training, and those displaying the most robust attitudes to security." The report observed poor password security practices at many organizations, with 68% of IT leaders and end users admitting to reusing passwords.
"Regular password updates, the practice of reusing passwords and relying on memory indicates significant vulnerability within organizations," the researchers write. "Password reuse and poor tracking increase the risk of credential theft and compromise, especially for sensitive accounts.
"Implement a robust password management system and encourage the use of unique, strong passwords for different accounts. Consider adopting multi-factor authentication (MFA) to add an extra layer of security, and enable end users to accept MFA notifications only if they initiated them."
Blog post with links:
https://blog.knowbe4.com/two-thirds-of-it-leaders-fallen-for-phishing
The Outs and Ins of Compliance Training Design: Five Essentials for Designing an Effective Program
Compliance training requirements continue to proliferate across industries, but meeting mandates is just the starting point.
Simply checking a compliance box is inadequate and can open organizations like yours up to unnecessary risk. This whitepaper walks you through best practices for building a strategic program that addresses your unique risks, policies and industry-specific requirements.
Download this whitepaper to learn:
- Why annual training alone is ineffective for driving compliance
- How to gain executive support and build an internal compliance community
- Best practices for tailoring training plans, content and delivery
- The importance of continuous program evaluation and optimization
Explore how to design a compliance training program that truly drives behavior change and nurtures a robust compliance culture.
Download this whitepaper today!
https://info.knowbe4.com/wp-five-essentials-compliance-training-design-cmp-chn
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: [WOW] Two Bestselling books: FAIK and Fighting Phishing on display at Barnes & Noble 5th Ave, NYC:
https://blog.knowbe4.com/knowbe4s-cybersecurity-experts-shine-barnes-noble-5th-ave
PPS: [BUDGET AMMO] In SecurityWeek - Be Aware of These Eight Underrated Phishing Techniques:
https://www.securityweek.com/be-aware-of-these-eight-underrated-phishing-techniques/
- Lucius Annaeus Seneca (Roman statesman, c. 4 BC - AD 65)
- Russell Crowe in the movie Gladiator
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-44-cyber-attacks-now-shift-to-mobile-are-your-users-prepared
Criminals Hide QR Code Phishing Links Within PDF Documents
Cybercriminals are using new tactics to distribute QR code phishing (quishing) links, according to researchers at Barracuda. Encoding the link in a QR code helps it avoid detection by security tools, since the URL is carried in an image rather than as text or an anchor that a link scanner can extract and analyze.
While the QR codes were traditionally included in the body of the email, attackers are now placing them within PDF attachments. This enables them to bypass security tools that have been updated to look for suspicious QR codes in the message body itself. Over the course of three months from mid-June to mid-September 2024, Barracuda observed more than 500,000 of these attacks.
"In these attacks, cybercriminals send phishing emails and attach a simple one or two-page PDF document that includes a QR code," the researchers write. "No other external links or embedded files are included in the PDF. Recipients are directed to scan the QR code with the camera on their mobile phone, so they can view a file, sign a document, or listen to a voice message.
"If they do so, they are brought to a phishing website designed to capture their login credentials."
Barracuda also notes that "quishing often involves multiple devices: employees receive the phishing email on one device but scan the QR code using a different device, such as a personal mobile phone that may lack the same level of security protection as corporate systems.
"As a result, these attacks can bypass corporate defenses, making them difficult to track or prevent."
These attacks use familiar phishing tactics, impersonating well-known brands with work-related lures. In some cases, the attackers launched more targeted attacks that impersonated HR employees at specific companies.
"In most of the attack samples analyzed by Barracuda researchers, scammers impersonate well-known companies," Barracuda says. "Microsoft, including SharePoint and OneDrive, is impersonated in more than half (51%) of all the attacks, followed by DocuSign (31%), and Adobe (15%).
"In a small number of the attacks, scammers impersonate the human resources department at the intended victim's company."
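The attachment Barracuda describes has a distinctive shape that a gateway can key on before any QR decoding happens: one or two pages, at least one image, and no URI link annotations or embedded files. The scanner below is an added example, not Barracuda's or KnowBe4's code; the three PDFs are constructed in-line for illustration, and the verdict names and thresholds are assumptions. It deliberately refuses to judge PDFs whose objects are compressed or encrypted, because a plain byte scan cannot see inside those.

```python
import re

# --- Constructed sample PDFs (illustrative, not real attachments) ----------

def _stream(dictionary: bytes, payload: bytes) -> bytes:
    """Build an uncompressed PDF stream object with a correct /Length."""
    return b"<< %s /Length %d >>\nstream\n%s\nendstream" % (
        dictionary, len(payload), payload)


def _pdf(objects: list) -> bytes:
    """Assemble a minimal PDF from object bodies numbered 1..n.
    No xref table is written: the scanner below does not need one, and the
    samples exist only to exercise it."""
    out = [b"%PDF-1.4\n"]
    for num, body in enumerate(objects, start=1):
        out.append(b"%d 0 obj\n%s\nendobj\n" % (num, body))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
    return b"".join(out)


_QR_STANDIN = bytes([0x00, 0xFF, 0xFF, 0x00])  # 2x2 image standing in for a QR code
_LURE_PAGE = (b"BT /F1 14 Tf 72 700 Td (Scan the QR code to review and sign the document) Tj ET\n"
              b"q 200 0 0 200 206 400 cm /Im0 Do Q")
_FONT = b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"

# One page, one image, no links: the pattern described in the article.
QR_LURE_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Resources << /XObject << /Im0 4 0 R >> /Font << /F1 6 0 R >> >> /Contents 5 0 R >>",
    _stream(b"/Type /XObject /Subtype /Image /Width 2 /Height 2 "
            b"/ColorSpace /DeviceGray /BitsPerComponent 8", _QR_STANDIN),
    _stream(b"", _LURE_PAGE),
    _FONT,
])

# Two text pages with an ordinary link annotation and no images.
_REPORT_PAGE = b"BT /F1 12 Tf 72 700 Td (Q3 report - full version on the intranet) Tj ET"
BENIGN_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Resources << /Font << /F1 7 0 R >> >> /Annots [5 0 R] /Contents 6 0 R >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Resources << /Font << /F1 7 0 R >> >> /Contents 6 0 R >>",
    b"<< /Type /Annot /Subtype /Link /Rect [72 690 400 712] "
    b"/A << /S /URI /URI (https://intranet.example.com/q3-report) >> >>",
    _stream(b"", _REPORT_PAGE),
    _FONT,
])

# Objects hidden in a compressed object stream: opaque to a byte scan.
COMPRESSED_PDF = _pdf([
    b"<< /Type /ObjStm /N 4 /First 24 /Filter /FlateDecode /Length 0 >>\nstream\n\nendstream",
])

# --- Scanner ---------------------------------------------------------------

_PATTERNS = {
    "pages":          rb"/Type\s*/Page(?!s)",
    "images":         rb"/Subtype\s*/Image\b",
    "uri_links":      rb"/S\s*/URI\b",
    "embedded_files": rb"/EmbeddedFile\b",
    "javascript":     rb"/(?:JavaScript|JS)\b",
}


def pdf_indicators(data: bytes) -> dict:
    """Count structural markers by scanning raw object dictionaries."""
    ind = {name: len(re.findall(pat, data)) for name, pat in _PATTERNS.items()}
    # Filters, object streams and encryption hide names from a byte scan.
    ind["opaque"] = re.search(rb"/Filter\b|/ObjStm\b|/Encrypt\b", data) is not None
    return ind


def triage_pdf(data: bytes) -> str:
    """Route an attachment: decode QR codes only for the lure-shaped ones."""
    ind = pdf_indicators(data)
    if ind["opaque"]:
        return "needs_full_parse"      # hand to a real PDF library
    if ind["javascript"] or ind["embedded_files"]:
        return "active_content"        # different problem, different queue
    if ind["pages"] <= 2 and ind["images"] >= 1 and ind["uri_links"] == 0:
        return "qr_lure_candidate"     # rasterize, decode the QR, check the URL
    return "pass"


if __name__ == "__main__":
    for name, doc in [("lure", QR_LURE_PDF), ("benign", BENIGN_PDF), ("compressed", COMPRESSED_PDF)]:
        print(name, triage_pdf(doc), pdf_indicators(doc))
```

The point of the rule is the shape, not the bytes: a candidate gets rasterized, its QR code decoded, and the recovered URL run through the same reputation checks a text link would get, which is exactly the step the attacker is trying to skip. Real attachments almost always compress their streams, so in production the same indicators have to be collected through a proper PDF parser rather than the regex scan shown here, and the "needs_full_parse" branch is where that parser plugs in.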
KnowBe4 enables your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Barracuda has the story:
https://blog.barracuda.com/2024/10/22/threat-spotlight-evolving-qr-codes-phishing-attacks
More Than 33,000 People in the UK Have Been Hacked Over the Past Year
Action Fraud, the UK's national fraud and cybercrime reporting service, warns that more than 33,000 people have reported that their online accounts have been hacked over the past year. Most of these hacks are the result of phishing and other social engineering tactics.
Action Fraud describes one technique that involves using a compromised account to target the victim's friends. "The goal is to convince people to reveal authentication codes that are sent to them via text," Action Fraud says. "Many victims of this type of hacking believe it's a friend messaging them, however the shared code was associated with their own account and the impersonator can now use it to access their account.
"Usually when an account is taken over, fraudsters monetize control of the account via the promotion of various fraudulent schemes, while impersonating the original account owner."
Action Fraud encourages users to follow security best practices in order to defend themselves against phishing attacks:
- "Use a strong and different password for your email and social media accounts. Your email and social media passwords should be strong and different from all your other passwords. Combining three random words that each mean something to you is a great way to create a password that is easy to remember but hard to crack.
- "Turn on 2-Step Verification (2SV) for your email and social media accounts. 2-Step Verification (2SV) gives you twice the protection, so even if cyber criminals have your password, they can't access your email or social media account. 2SV works by asking for more information to prove your identity. For example, getting a code sent to your phone when you sign in using a new device or change settings such as your password. You won't be asked for this every time you check your email or social media."
Action Fraud has the story:
https://www.actionfraud.police.uk/news/socialmediahacking
Registration is Open for KB4-CON 2025!
Exciting news — registration for KB4-CON 2025 is now open! Join us April 7-9, 2025, at the beautiful Gaylord Palms Resort in sunny Orlando, Florida.
KB4-CON is the premier annual conference for KnowBe4 customers, partners and the broader cybersecurity community, bringing together thousands of attendees from across the industry. For three days, you'll explore the world of human risk management, AI and effective security strategies. In addition, get exclusive insights into KnowBe4's product roadmap and upcoming features.
We're designing an engaging experience that will transform your approach to managing human risk in the ever-changing cybersecurity landscape.
The best part? You can now secure your spot for KB4-CON 2025 with a limited time special in honor of Cybersecurity Awareness Month for $199 through October 31! Note that the regular price is $399, so register now! If you need help with approval to attend, download our travel justification letter here.
Save your spot at the cybersecurity event of the year!
Save My Spot:
https://knowbe4.cventevents.com/00nVrz?RefId=emregoppros
What KnowBe4 Customers Say
"Hi Stu, So far we have been using only a couple of training and phishing campaigns, but we have been quite happy with the platform. I'm currently publishing new security policies for our company and I'm planning to deliver them through the KnowBe4 training campaign.
We have such limited resources (me) with all the other responsibilities, and hence, I haven't been able to utilize the service to its full potential. But yes, I'm a happy camper."
- I.M., IT Manager
"Good Morning Mr. Sjouwerman, I am a very happy camper! Your team is great to keep checking in with us. I've heard the title 'customer success manager' in the past, but your teams definitely do this and do it well. My team has a meeting next week with your staff again to make sure we are using KnowBe4 to the fullest potential. I find this key, that you encourage full use of the product, never let it lay where we get complacent, and thus adding value to the investment we've made by partnering with you. I sincerely appreciate KnowBe4. Thank you!"
- C.J., Chief Information Security Officer
- Microsoft Warns Foreign Disinformation Is Hitting the U.S. Election From All Directions:
https://www.wired.com/story/microsoft-russia-china-iran-election-disinformation/
- Russian Propaganda Unit Appears to Be Behind Spread of False Tim Walz Sexual Abuse Claims:
https://www.wired.com/story/russian-propaganda-unit-storm-1516-false-tim-walz-sexual-abuse-claims/
- [ATROCIOUS] Ransomware hit 389 US healthcare organizations this year:
https://www.microsoft.com/en-us/security/security-insider/emerging-threats/US-healthcare-at-risk-strengthening-resiliency-against-ransomware-attacks
- Spate of ransomware attacks on German-speaking schools hits another in Switzerland:
https://therecord.media/ransomware-attack-german-speaking-school-switzerland-bbz-schaffhausen
- SEC fines four companies $7M for 'misleading cyber disclosures' regarding SolarWinds hack:
https://techcrunch.com/2024/10/22/sec-fines-four-companies-7-million-for-misleading-cyber-disclosures-regarding-solarwinds-hack/
- Spy Agencies Warn of U.S. Election Violence Stoked by Iran and Russia:
https://www.wsj.com/politics/national-security/spy-agencies-warn-of-u-s-election-violence-stoked-by-iran-and-russia-e8fbcbd4
- CISOs have to get on top of AI technologies, warns Microsoft:
https://www.csoonline.com/article/3587140/cisos-have-to-get-on-top-of-ai-technologies-warns-microsoft.html
- AI Chatbots Ditch Guardrails After 'Deceptive Delight' Cocktail:
https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distraction/
- Ukraine Warns of Mass Phishing Campaign Targeting Citizens Data:
https://www.infosecurity-magazine.com/news/ukraine-phishing-campaign-citizens/
- UnitedHealth says data of 100 million people stolen in Change Healthcare ransomware attack:
https://www.bleepingcomputer.com/news/security/unitedhealth-says-data-of-100-million-stolen-in-change-healthcare-breach/
- Virtual Vaca #1 - Top 10 Places To Visit in El Salvador:
https://youtu.be/dDAR5qptjCs
- Virtual Vaca #2 - Top Places To Visit In Colorado During Autumn:
https://youtu.be/AGyNpYjLk2Q?si=hGw9lDedNdDLgZrf
- Best of the Month: Epic Beach Days, Juggling, & More!:
https://youtu.be/Ku5zgr_w9nE
- LockPickingLawyer asks "Can You Guess the Combination?":
https://youtu.be/F_nG0OxHkPA
- Developing 120-Year-Old Photos found in a Time Capsule:
https://youtu.be/IoDj4mXdqmc
- The Insane Security of the White House:
https://youtu.be/UEItJAamEQI
- These Giant RC Jet Planes Can Fly 300 MPH!:
https://youtu.be/IheDhIF9wrs
- Jet Suit Medics: Rapid Water Response:
https://youtu.be/Fn4086xoRyo
- Gee Atherton goes down The Dolomites' gnarly Ridgeline IV on a mountain bike. YIKES:
https://youtu.be/12N6UmhCqtE
- Experience Sir Michael Caine's heartfelt reading of Rudyard Kipling's iconic poem 'IF', where perseverance, humility, and integrity come together in a powerful message:
https://www.flixxy.com/if-by-rudyard-kipling-timeless-wisdom-read-by-sir-michael-caine.htm
- For Da Kids #1 - Watch This locked-up Lion Taste Freedom For The First Time:
https://youtu.be/Urei1VJ7RXA
- For Da Kids #2 - Woman Got A Mute Bird, Now He Won't "Zip It":
https://youtu.be/U7CJcueGi7Y
- For Da Kids #3 - Family Works Together To Rescue Suffocating Turtle:
https://youtu.be/QQjgs_nMxKs
- For Da Kids #4 - Baby Crow Thinks German Shepherd Dog Is His Mom:
https://youtu.be/z8eZAYn8UQI