CyberheistNews Vol 14 #45 [Heads Up] QR Code Phishing is Growing More Sophisticated



Cyberheist News

CyberheistNews Vol 14 #45  |   November 5th, 2024

[Heads Up] QR Code Phishing is Growing More Sophisticated
Stu Sjouwerman, SACP

Sophos describes a QR code phishing (quishing) campaign that targeted its own employees in an attempt to steal information.

The attackers sent phishing emails that appeared to be related to employee benefits and retirement plans. The emails contained PDF attachments which, when opened, displayed a QR code.

If an employee scanned the code, they would be taken to a phishing page that spoofed a Microsoft 365 login form. The page was designed to steal login credentials and multi-factor authentication codes.

One of Sophos's employees fell for the attack, showing that even cybersecurity companies are vulnerable to social engineering. Phishing links contained in QR codes are more likely to evade detection by security filters, and humans are less likely to notice that the URLs are suspicious.

"We in the security industry generally teach people resilience to phishing by instructing them to carefully look at a URL before clicking it on their computer," Sophos explains.

"However, unlike a URL in plain text, QR codes don't lend themselves to scrutiny in the same way. Also, most people use their phone's camera to interpret the QR code, rather than a computer, and it can be challenging to carefully scrutinize the URL that momentarily gets shown in the phone's camera app.

"This is both because the URL may appear only for a few seconds before the app hides the URL from sight, and also because threat actors may use a variety of URL redirection techniques or services that conceal or obfuscate the final destination of the link presented in the camera app's interface."
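The redirect-chain problem Sophos describes is something a mail gateway or SOC analyst can check mechanically once the QR code has been decoded to a URL. The following triage routine is an added example, not Sophos's or KnowBe4's code; it assumes the QR code has already been decoded by a scanner, uses a constructed in-memory redirect map so it runs offline, and the redirector hosts and the Microsoft 365 sign-in allowlist are assumptions a deployment would replace with its own lists.

```python
"""Triage a URL decoded from a QR code in an email attachment (added example)."""
from urllib.parse import urlparse

# Constructed redirect chain: shortener -> open redirector -> lookalike login page.
# All hosts are hypothetical placeholders, not real indicators.
CONSTRUCTED_REDIRECTS = {
    "https://short.example/abc123":
        "https://redir.example/r?u=https://login-m365.example/auth",
    "https://redir.example/r?u=https://login-m365.example/auth":
        "https://login-m365.example/auth",
}

# Assumed allowlist of hosts that legitimately serve a Microsoft 365 sign-in form.
LEGIT_M365_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.microsoft.com", "login.live.com",
}

# Hypothetical shortener/redirector hosts a gateway would maintain in its own list.
KNOWN_REDIRECTOR_HOSTS = {"short.example", "redir.example"}

MAX_HOPS = 10  # stop following after this many redirects


def resolve_chain(url, redirects=CONSTRUCTED_REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects until the URL is final, a loop is detected, or the hop cap is hit."""
    chain, seen = [url], {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:          # redirect loop: stop rather than spin
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def triage_qr_url(url, redirects=CONSTRUCTED_REDIRECTS):
    """Return a verdict plus the reasons, based on the full chain, not the first hop."""
    chain = resolve_chain(url, redirects)
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    final_host = hosts[-1]
    reasons = []
    if any(h in KNOWN_REDIRECTOR_HOSTS for h in hosts[:-1]):
        reasons.append("redirector_in_chain")      # destination hidden behind a redirector
    if len(chain) - 1 >= 2:
        reasons.append("multi_hop_redirect")       # layered redirection is itself suspicious
    if "login" in final_host and final_host not in LEGIT_M365_LOGIN_HOSTS:
        reasons.append("login_lookalike_host")     # sign-in page on a non-Microsoft host
    return {
        "final_url": chain[-1], "final_host": final_host,
        "hops": len(chain) - 1, "reasons": reasons,
        "verdict": "block" if reasons else "allow",
    }


if __name__ == "__main__":
    print(triage_qr_url("https://short.example/abc123"))
```

The point is that the verdict is taken from the final landing host after every hop, which is exactly what a phone camera app's momentary URL preview does not show the user.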

Sophos has observed an increasing number of quishing attempts over the past few months, and these attacks are growing more sophisticated. "Throughout the summer, samples have become more refined, with a greater emphasis on the graphic design and appearance of the content displayed within the PDF," the researchers write.

"Quishing documents now appear more polished than those we initially saw, with header and footer text customized to embed the name of the targeted individual (or at least, by the username for their email account) and/or the targeted organization where they work inside the PDF."

Blog post with links, and a free QR Code Phishing Security Test:
https://blog.knowbe4.com/qr-code-phishing-is-growing-more-sophisticated

[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing

Old-school security awareness training (SAT) does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, November 6, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to SAT and simulated phishing that is effective in changing user behavior.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, November 6, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN2

75% of Organizations Have Experienced a Deepfake-Related Attack

As generative AI evolves and becomes a mainstream part of cyber attacks, new data reveals that deepfakes are leading the way.

Deepfake technology has been around for a number of years, but the AI boom has sparked new attacks, campaigns, and players all trying to use the impersonation technology to rob victims of their credentials, personal details or money.

We recently covered multiple deepfake campaigns, all perpetrated by a single individual, that reached a global level. AI and automation enable this kind of scale and make it a reality for scammers everywhere.

According to IRONSCALES' latest report, "Deepfakes: Is Your Organization Ready for the Next Cybersecurity Threat?," 75% of organizations have experienced at least one deepfake-related incident within the last 12 months. And 60% of organizations are only "somewhat confident" or "not confident" at all in their organization's ability to defend against deepfake threats. Given the extent to which deepfake-related incidents are occurring, it's imperative that organizations know where to focus their defenses.

According to the report, 39% of organizations cited incidents coming in the form of personalized phishing emails — a practical medium, given that email addresses, sender names and brands can all be imitated. So deepfakes fit right in.

And because email is such a significant medium for deepfakes, it's critical that recipients, through new-school security awareness training, learn to spot suspicious and/or malicious emails well before they engage with deepfaked audio or video.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/three-quarters-of-organizations-have-experienced-a-deepfake-related-attack

Recon 2.0: AI-Driven OSINT in the Hands of Cybercriminals

Cybercriminals are using artificial intelligence (AI) and generative AI in open source intelligence (OSINT) activities to target your organization with supercharged reconnaissance efforts. With AI-driven techniques, they can gather, analyze and exploit publicly available data to create highly targeted and convincing social engineering schemes, phishing campaigns and other forms of cyber attacks.

Join James McQuiggan, Security Awareness Advocate at KnowBe4, as he explores how attackers use AI and OSINT to quickly identify and prioritize targets. Learn how to develop robust cybersecurity strategies to counter AI-enhanced threats.

Using exclusive demos and real-world examples, you'll:

  • Gain insights into how AI and generative AI amplify OSINT-driven reconnaissance
  • Understand how attackers use AI to enhance data aggregation, profile generation and target prioritization to target your organization
  • Discover the implications of AI-driven OSINT and strategies for threat detection and mitigation
  • Learn why a strong security culture is still your best line of defense

Register now to learn how to detect and mitigate AI-enhanced OSINT threats.

Date/Time: Wednesday, November 13, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/ai-driven-osint?partnerref=CHN

Phishing Alert: Cybercriminals Impersonating KnowBe4 Training Emails

In the ever-evolving landscape of cybersecurity threats, we've recently encountered a sophisticated phishing attempt targeting one of our valued KnowBe4 customers. This incident serves as a crucial reminder of the importance of remaining vigilant and maintaining robust email security measures.

Our customer received a suspicious email that closely mimicked KnowBe4's legitimate "Please Complete Assigned Training" notifications. At first glance, the email appeared authentic, demonstrating the increasing sophistication of phishing attacks.

The blog post includes an example screenshot of the phishing email and covers the key indicators of the phishing attempt, lessons learned and best practices.

[CONTINUED]
https://blog.knowbe4.com/phishing-alert-cybercriminals-impersonating-knowbe4

Re-check Your Email Attack Surface Now

Cybercriminals are actively exploiting exposed user data to initiate sophisticated attacks against organizations, including yours. If your employees' email addresses have potentially fallen into the hands of adversaries, the threat of a targeted breach becomes immediate, and every second counts.

It's time to re-check your email attack surface.

Discover your current email attack surface now with KnowBe4's Email Exposure Check Pro (EEC Pro). EEC Pro identifies your at-risk users by crawling business social media information and thousands of breach databases.

EEC Pro helps you find your users' compromised accounts that have been exposed in the most recent data breaches — fast.

Get your EEC Pro Report in less than five minutes. It's often an eye-opening discovery. You are probably not going to like the results...

Get Your Free Report:
https://info.knowbe4.com/email-exposure-check-pro-chn-2

Many Bosses Think Their Employees Lack Even Basic Security Awareness

Craig Hale in Techradar wrote about a new Fortinet report:

"Nearly three-quarters (70%) of business leaders are increasingly concerned about their employees' cybersecurity knowledge, stating they lack even the fundamental awareness needed to combat rising threats.

"The news comes as companies brace themselves for increased threat activity in the age of artificial intelligence, which aids threat actors to increase the sophistication of their attacks.

"The report from Fortinet cites another separate study carried out by the company claiming more than four in five organizations have faced incidents like malware, phishing and password attacks over the past 12 months.

Workers aren't prepared for the future of cybersecurity

"Looking ahead, three in five leaders expect AI-augmented attacks to make it even harder for workers to recognize threats.

"However, artificial intelligence isn't just seen as a threat to businesses. Four in five of the study's participants believe that emerging AI-enhanced threats have driven greater openness to training initiatives within their companies, with three quarters of leaders planning to launch awareness campaigns. In response to the changing threat landscape, companies are becoming increasingly proactive:

  • "Around one-third (34%) delivering content monthly
  • And almost half (47%) doing so quarterly
  • Almost all (98%) have covered phishing prevention
  • Security (48%) and privacy (41%) frequently appearing in training"

Our comment: Quarterly is not sufficient; that is more like another baseline test. You need to train people at the very least once a month, even if it is only for five minutes. And obviously send simulated phishing security tests to keep them on their toes, with security top of mind.

Story at Techradar:
https://www.techradar.com/pro/security/bosses-think-their-employees-lack-basic-security-awareness?

[NEW CONTENT] Five Critical Links To Help You Build A Strong Security Culture

  • CISO Security Resource Kit with 5 Key Assets:
    https://www.knowbe4.com/resources/ciso-resource-kit
  • CISO Talking Points to Present to the Board:
    https://www.knowbe4.com/hubfs/CISO-Talking-Points-Checklist-Guide_en-US.pdf
  • Infographic: Top 3 Threats to Focus on to Prevent a Data Breach:
    https://www.knowbe4.com/hubfs/CISO-Top-Threats-Infographic_en-US.pdf
  • eBook: The Definitive Guide to How Security Awareness Training (SAT) Addresses Regulatory Compliance, Cyber Insurance and Security Frameworks:
    https://www.knowbe4.com/hubfs/SAT-Regulations-eBook_EN-us.pdf
  • ROI of SAT Guide for CISOs:
    https://www.knowbe4.com/hubfs/ROI-KB4-CFO-Guide_en-US.pdf

Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Bruce Schneier: "Roger Grimes on Prioritizing Cybersecurity Advice":
https://www.schneier.com/blog/archives/2024/10/roger-grimes-on-prioritizing-cybersecurity-advice.html

PPS: Your KnowBe4 Compliance Plus Fresh Content Updates from October 2024:
https://blog.knowbe4.com/knowbe4-cmp-content-updates-october-2024?

Quotes of the Week
"Peace is not an absence of war, it is a virtue, a state of mind, a disposition for benevolence, confidence, justice."
- Spinoza - Philosopher (1632 – 1677)

"No act of kindness, no matter how small, is ever wasted."
- Aesop - Author (620 - 560 BC)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-45-heads-up-qr-code-phishing-is-growing-more-sophisticated

Security News

4 out of 10 Phishing Emails Are Sent From a Compromised Email Account

Analysis of phishing emails in the second quarter of this year paints a picture of what security teams and vigilant recipients should expect from modern phishing attacks.

In the 2024 Phishing Threat Trends report from Egress (a KnowBe4 company), we learn that phishing attacks have increased by 28% over a single quarter this year. So, this remains a key focus for security teams.

But we also get an update of what kinds of specific techniques are being used in phishing emails, laying out a roadmap for what security solutions and users should be watching out for:

  • 44% of phishing emails were sent from a compromised account — remember, this likely means that the compromised account, too, was phished in a credential harvesting scam, only compounding the phishing problem
  • Payloads vary — 45% of phishing emails contain a hyperlink-based payload, while 23% include malicious attachments and 20% rely solely on social engineering
  • In impersonation attacks, 36% of them used links, 45% used attachments and 15% used social engineering only
  • And the biggest red flag for me is the fact that employees only accurately report phishing emails 29% of the time

Threat actors continue to use a wide range of methods to trick users into engaging. But the one thread throughout is the use of social engineering, whether it's impersonating someone the victim knows or using a compromised account.

These are all methods to establish credibility to get the victim recipient to click, open or respond to a phishing email, something we teach in our new-school security awareness training.

Phishing looks like it's not going anywhere, so empowering your employees to stop attacks instead of aiding them can significantly reduce the risk of successful cyber attacks.

Blog post with links:
https://blog.knowbe4.com/more-than-4-out-of-10-phishing-emails-are-sent-from-compromised-account

FBI Warns of Election-Related Scams

The U.S. Federal Bureau of Investigation (FBI) has issued an advisory outlining various scams exploiting interest in the upcoming U.S. election. The Bureau says "[s]cammers use the names, images, logos, and slogans of candidates to fraudulently solicit campaign contributions, sell merchandise (which is never sent to the purchaser), or steal victim personally identifiable information (PII) that can be used for other fraud."

The FBI describes one scam that involves contacting victims and telling them they aren't registered to vote, in an attempt to trick the user into visiting a phishing page and entering their information.

"Victims receive a text message or email stating they are not registered to vote in their state and encouraging them to click a link that takes the victim to a fraudulent state voter registration page," the FBI says.

"The victim may or may not already be registered to vote with their state. This scheme is a means to steal PII for identity theft and potentially to further target victims for additional scams."

The FBI offers the following advice to help users avoid falling for these scams:

  • "Be cautious when receiving any unsolicited calls, texts, emails, or surveys. Do not provide your personal information to persons you do not know. Do not click on unknown links.
  • "Donations to a political campaign will not act as an investment; they will not increase in value then be returned to you.
  • "Check the registration status of a Political Action or Party Committee on the Federal Election Commission (FEC) website. Additional due diligence may be necessary because some scam PACs are known to be registered with the FEC.
  • "Research a company online before making any purchase by looking up customer reviews and BBB.org complaints.
  • "Check your voter registration status at www.vote.gov."

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

What KnowBe4 Customers Say

"Stu, Thank you for reaching out. I am very pleased with our training and phishing service! I have been a fan of KnowBe4 for many years. I am thankful for the tools your organization provides to keep my team knowledgeable and safe.

I have been impressed with your level of transparency as you worked through the North Korean Hacker situation. Your willingness to be upfront, honest, and share your lessons with the world has garnered an even greater level of loyalty and trust for me, personally. Thank you.

One of our core values here is People-Centered Care. We accomplish this through developing staff and educating clients. We decided to back up our idea of developing staff monetarily by investing in KnowBe4.

We know that developing our staff is more than just giving them tools and experiences that make them better veterinarians, veterinary technicians, or receptionists; we know it involves being more responsible, educated digital citizens.

Thank you for giving us a platform that allows us to develop our staff outside of their normal duties and responsibilities and enables us to keep our network safer. I appreciate you!"

- R.C., Chief Information Officer

The 10 Interesting News Items This Week
  1. Russia's Midnight Blizzard launches widespread spearphishing campaign using RDP files:
    https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/

  2. Wiz CEO says company was targeted with deepfake attack that used his voice:
    https://techcrunch.com/2024/10/28/wiz-ceo-says-company-was-targeted-with-deepfake-attack-that-used-his-voice/

  3. HC3 warns of Scattered Spider hackers leveraging AI, social engineering to infiltrate healthcare, other sectors:
    https://industrialcyber.co/medical/hc3-warns-of-scattered-spider-hackers-leveraging-ai-social-engineering-to-infiltrate-healthcare-other-sectors/

  4. Why Phishing-Resistant MFA Is No Longer Optional: The Hidden Risks of Legacy MFA:
    https://thehackernews.com/2024/10/why-phishing-resistant-mfa-is-no-longer.html

  5. Over a thousand online shops hacked to show fake product listings:
    https://www.bleepingcomputer.com/news/security/over-a-thousand-online-shops-hacked-to-show-fake-product-listings/

  6. Yours Truly in SC Media: "Five ways to protect AI models":
    https://www.scworld.com/perspective/five-ways-to-protect-ai-models

  7. Chinese state-backed hackers breached 20 Canadian government networks over four years, agency warns:
    https://www.cyber.gc.ca/sites/default/files/national-cyber-threat-assessment-2025-2026-e.pdf

  8. German MPs and their staff fail simple phishing attack test:
    https://www.tomshardware.com/tech-industry/cyber-security/german-mps-and-their-staff-fail-simple-phishing-attack-test

  9. FBI Warns Gmail, Outlook, AOL, Yahoo Users—Hackers Gain Access To Accounts:
    https://www.fbi.gov/contact-us/field-offices/atlanta/news/cybercriminals-are-stealing-cookies-to-bypass-multifactor-authentication

  10. Change Healthcare breach affected 100 million people:
    https://www.bleepingcomputer.com/news/security/unitedhealth-says-data-of-100-million-stolen-in-change-healthcare-breach/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
