CyberheistNews Vol 7 #49 New Large Email Security Study Shows a Massive 10.5% Failure Rate

The aggregated results of a new large email security analysis show over 10% average rates at which enterprise email security systems miss spam, phishing and malware attachments.

Here is a summary of the findings on what email security systems let through to user mailboxes at companies tested in Cyren’s Email Security Gap Analysis program during September and October 2017.

Who is Cyren? Their security cloud detects web and email-based threats as they emerge on the internet, and blocks them globally within seconds, before they reach users. Cyren analyzes billions of transactions from around the world every day for customers like Google, McAfee, and Check Point.

The Cyren email gap analysis in a nutshell:
  • Email volume analyzed: 11.7 million
  • Test period: September – October 2017
  • Average miss rate: 10.5%
Companies included in the tests were from a variety of industries and utilized several different types of email security, ranging from on-premise appliance gateway solutions to hosted email with some level of security filtering embedded in the service.

Note that the percentages discussed in this report are industry averages that you can use as a reference. The gap analysis results can vary significantly, even between companies using the same security solution.
  • Out of the 11.7 million emails analyzed by Cyren, 10.5 million (89.5%) were found to be “clean” or legitimate, including 4.67 million newsletter emails (over one-third of legitimate email traffic).
  • 1.2 million emails (10.5%) were found to be spam or malicious messages that were missed by the deployed solutions and should not have been delivered to user mailboxes. This 10.5% “miss rate” breaks down into the following categories:

Spam: 1,187,408 emails delivered to users were found to be spam, 10.2% of the total email traffic. Spam in this study is defined as unsolicited bulk email, usually identified by content scanning techniques or by sophisticated pattern detection applied to elements of the email itself and to email distribution patterns. As noted above, the spam category does not include legitimate newsletter emails.

Phishing: 34,143 phishing emails were identified, 0.29% of the email delivered to users. From this total, Cyren identified 18,070 messages as financial phishing emails, 5,456 as password phishing emails, and 10,617 as general phishing.

Malware: Cyren found that 5,039 emails delivered to users had malware attachments. While this represents a small percentage of the total email delivered (0.04%), the high level of risk associated with malware actually reaching users obviously makes this of great concern.

Of these 5,039 messages, 3,389 (two-thirds) included attachments with recognized malware signatures. These previously known threats could include, but are not limited to, ransomware, key loggers, rootkits, Trojans, viruses, and worms.

1,650 of the malware emails delivered to users by the various systems were “zero-day” malware attachments, i.e., new malware with no previously known malware signatures. Despite the lack of existing signatures, Cyren’s security cloud identified these emails as malicious by utilizing proprietary techniques for detection.

The results presented above are averaged across many companies and different deployed security systems. But it is important to note that even when the email security system is the same, results can vary widely, influenced by an organization’s type of activity and user profile, and by security configuration choices made.

Your Filters Are Never Going to Catch It All

Your filters are never going to catch it all; you need a strong human firewall as your last line of defense. You need to train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks.

An infographic, three mini “case studies” with results for different organizations that had deployed security from the same vendor, and a link to the full PDF are at the KnowBe4 blog. It's excellent ammo to get budget for awareness training:
Warn Accounting and HR: W-2 Phishing Scams Will Resurface in a Few Weeks

W-2 phishing season is just a few weeks away. For the past several tax seasons, cyber criminals have used sophisticated social engineering tactics to dupe hundreds of payroll and HR departments into providing W-2 data on their employees, which results in the filing of fraudulent tax returns and other identity theft cases.

These attacks are incredibly disruptive to employees, extremely expensive for employers and are completely avoidable with awareness training. The typical W-2 phishing email is spoofed to look like it is from a high-level executive and asks the employee to provide W-2 or other tax-related information either by replying to the phishing email or by sending the information to another email address.

In many instances, the request for the information appears to be urgent, which pressures the employee to act quickly. These spoofed messages can be very convincing. The emails carry the executive's email address and often the executive's actual signature block, which makes the employee believe that the email is authentic.

Warn them to "Think Before They Click" and to follow proper procedure, even though the email might look like it's from the CEO. KnowBe4 has ready-to-send phishing templates including the spoofed CEO email address that you can use to inoculate high-risk employees against this type of CEO fraud.

Here is a post at the KnowBe4 blog that describes a sophisticated CEO fraud attack and has a ready-to-email message that you can copy:
Can You Be Spoofed? Find Out for a Chance to Win a Cool Star Wars Prize!

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.

KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test and enter you to win an awesome First Order Stormtrooper Helmet Prop Replica at the same time. Also, EVERYONE in the US/Canada will receive a real Kevin Mitnick collectible stainless-steel lock-pick business card!

To enter, just go here and fill out the form; it's quick, easy and often a shocking discovery. Yep, it’s that easy:
Phishing for (and With) Cryptocurrency

Famous investment manias have appeared in markets for tulip bulbs, South Seas real estate, stamps (which is how Charles Ponzi got his start), dot-coms, and sub-par loan derivatives. Now the big thing is alternative currency.

Speculation in Bitcoin and other cryptocurrencies is running white-hot these days, and unfortunately a lot of the (Asian) speculators are simply uninformed ordinary people without much technological or financial sophistication.

Those who fall into the category of the well-intentioned but poorly informed are ripe for the plucking. It's not that there's anything necessarily shady or criminal about cryptocurrencies--there isn't, as their regulation and trading on major exchanges suggests--it's that they're attractive bait for criminals.

Like Willie Sutton ("I rob banks because that's where the money is") they're simply following the cash. There are two things the crooks are after. Most obviously, they may be after the cryptocurrency itself.

The hack of NiceHash, a Bitcoin mining marketplace where people could trade computer time to others interested in mining coin, is a good example of this kind of heist. The crooks got in through social engineering, and they made off with 4,700 Bitcoin, worth about $63.92 million.

But more insidiously, they may be offering what appear to be legitimate apps an individual investor might use to trade in this new market. One recent case involved Gunbot, a trading app that Fortinet found to be the vector used to distribute Orcus malware, a remote administration Trojan (RAT) that can be used to compromise machines and then move to accomplish other attacks against individuals and organizations. Bleeping Computer has a good rundown here:

May the force be with you.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc.

Quotes of the Week
"My pleasures are simple. I am satisfied with the best." - Oscar Wilde

"Think big thoughts but relish small pleasures." - H. Jackson Brown, Jr.
Quotes of the Month
"Employees make decisions every day that negatively affect their business’s security. As a result, we have known for a while that, to protect organizations, employees need online street smarts. However, the problem is that some in the industry treat employee awareness as a training concern or one-time activity. It is not. It is an ongoing cultural problem." - Wolfgang Goerlich

Thanks for reading CyberheistNews
Security News
New Email Hitman Scam That You Can Safely Ignore

An unusually malicious and implausible phishing scheme is in the wild. Someone emails the victims, tells them that he's a hitman who's been hired to kill them "because your activity causes discomfort to some people."

But fortunately, the hitman has decided, after research, that the victim deserves "a chance," and so he'll default on his contract if you pay him 0.8 Bitcoin. That's against the rules of the hitman guild, he'll never work again, etc., but you deserve a chance.

The email contains most of the red flags one associates with spam: the urgent subject line, the implausibility of the threat, the false tone of taking you into their confidence, the indifferent grammar, the careless punctuation and capitalization.

It's interesting that this threat is delivered as spam, so it's mass-market stuff, with at best indifferent targeting. Needless to say, it's all pure fiction. Anyone receiving it, assuming its patently bogus subject line ("Please take time to read this it might be the most valuable information you'll ever read") got through the spam filters, should ignore it.

You might consider some reassurance for people in your organization, should they be the recipients. Spiceworks reports what they're seeing here:
Make It Easier to Do the Secure Thing

A study by Intermedia, the 2017 Data Vulnerability Report, finds that office workers continue to do many things that jeopardize their organization's security.

The point is not to insist upon perfection, but rather to be aware of the kinds of practices people are liable to slip into, and then devise policies and deliver training that makes it easier to practice sound security.

One of the most common reasons people breach good security measures is simply that they're hard to follow. If security policies make it difficult for people to be productive, nine times out of ten they'll choose productivity, with security taking a backseat.

Sometimes they may even be unaware that the collaboration tools they've found are insecure. They also commit familiar missteps, like reusing the same passwords for work and personal accounts. They store documents in places where they aren't backed up, and then they often neglect backing up altogether.

This suggests a two-pronged approach. First, review your policies and wherever possible reduce the friction they unnecessarily introduce into your workflows. Second, train your people to adopt practices that will make them less susceptible to social engineering. See Intermedia's report here:
On-Demand Webinar: “Counter the Careless Click, Tools to Help You Train Your Users”

If you missed the live event you can watch the webinar now, “Counter The Careless Click, tools to help you train your users” at your convenience.

Erich Kron CISSP, Security Awareness Advocate of KnowBe4, provides a practical session with tips and free tools you can implement now to help you create your “human firewall”.

Cybercriminals are successfully and consistently exploiting human nature to accomplish their goals. Employee training is tied as the third-most-effective method (higher than antivirus) of decreasing the cost of a data breach.*

Many IT pros know users are the weakest link in network security, but don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization.

Erich covers:
  • Current threat landscape
  • Top 5 tips for security awareness
  • How to easily create your security awareness program
  • Outlining how and where tools are helpful
Watch the webinar now:
What Happens in Bosnia Doesn't Necessarily Stay in Bosnia

A new strain of ransomware (it's being called "Spider") is hitting targets in the Balkans. It's a nasty piece of work, and comes with one unusual twist: a short 96-hour window within which it demands the victims respond and pay.

As usual, the ransomware is distributed by email, and the payload arrives in the form of a maliciously crafted Microsoft Office document. The phishbait is calculated to get the unwary business user to bite, typically with the subject line reading "Debt Collection."

Once you're infected and your files are encrypted, the extortionists provide an unusually helpful and comprehensive guide to payment, including a video that walks you through the steps you'll need to navigate Tor, the anonymous network they'll use to process ransom payments.

So step your users through new-school security awareness training, because there's no reason to assume that this campaign will stay in the Balkans. And some general advice: disable macros. See Threatpost's account here:
Wish Your Users Could Roll Back Time When They Click on a Bad Link?

Wouldn't it be great if your users had a way to "roll back time" when they forgot to think before they click on a bad link? Now they can!

KnowBe4 is excited to announce Second Chance, a brand-new security tool for the Outlook email client that you can download and deploy at no cost.

Second Chance takes a smart look at the clicked URL in email, and asks your user if they are sure they want to do this, in case they clicked on a potentially unsafe or an unknown website. It even prompts your user when they click on a Punycode link!

Here's how it works:
  • Checks links originated in email messages, including attached Office Docs and PDFs
  • Ability to customize the message your user gets after clicking a URL
  • You can set "No Prompt" domains
  • Get reporting data on what URLs users chose to abort or continue
Second Chance could one day be the difference between a ransomware infection and a free weekend.
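As an added illustration, here is a small Python sketch of the kind of link check the feature list above describes: extract the URLs from a message body, let links to administrator-configured "No Prompt" domains through silently, and prompt for everything else, calling out Punycode (IDN) hosts by decoding them so the user sees what the address really displays as. This is example code written for this page, not KnowBe4's code and not how Second Chance is implemented; the message body, the `NO_PROMPT_DOMAINS` list and all domain names in it are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message body (not from the page): a link to a trusted
# domain, a Punycode host, an unknown domain, and a look-alike suffix trick.
SAMPLE_BODY = """\
Your invoice is ready: https://portal.example.com/invoice/1234
Please confirm at http://xn--pple-43d.com/login
See also https://updates.unknown-vendor.net/download
Sign in: https://login.example.com.attacker-placeholder.net/
"""

# Hypothetical "No Prompt" list an administrator would configure.
NO_PROMPT_DOMAINS = {"example.com"}

# Matches http(s) URLs in plain text; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the http(s) URLs found in a plain-text message body."""
    return URL_RE.findall(text)


def host_matches(host, domain):
    """True only if host is the domain itself or a real subdomain of it.

    A plain substring or endswith() check would let
    'example.com.attacker-placeholder.net' through; the leading dot prevents that.
    """
    return host == domain or host.endswith("." + domain)


def decode_punycode_host(host):
    """Decode IDNA (xn--) labels to Unicode; return None if the host is malformed."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return None


def classify_url(url, no_prompt=NO_PROMPT_DOMAINS):
    """Decide whether a click proceeds silently ('allow') or interrupts the user ('prompt')."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host_matches(host, d) for d in no_prompt):
        return {"url": url, "host": host, "action": "allow",
                "reason": "no-prompt domain"}
    if any(label.startswith("xn--") for label in host.split(".")):
        decoded = decode_punycode_host(host)
        shown = decoded if decoded else host
        return {"url": url, "host": host, "action": "prompt",
                "reason": f"punycode host, displays as {shown!r}"}
    return {"url": url, "host": host, "action": "prompt",
            "reason": "unknown domain"}


def classify_message(body, no_prompt=NO_PROMPT_DOMAINS):
    """Classify every URL in a message body; this is what a reporting hook would log."""
    return [classify_url(u, no_prompt) for u in extract_urls(body)]


if __name__ == "__main__":
    for result in classify_message(SAMPLE_BODY):
        print(f"{result['action']:6} {result['host']:45} {result['reason']}")
```

The `host_matches` helper is the part worth copying: a suffix test without the leading dot would silently allow `login.example.com.attacker-placeholder.net`, which is exactly the look-alike pattern the prompt is supposed to catch. The decoded Punycode form is returned in the reason string so a prompt can show the user the Unicode host alongside the ASCII one.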

Give it a try!
Cyber Insurance Will Fuel Ransomware Growth in 2018

While the increasing number of publicly disclosed breaches and successful ransomware incidents are driving growth in cyber insurance, there is a risk that this will encourage criminals to target companies with extortion insurance to demand increased payments, state researchers at WatchGuard Technologies.

In countries that require mandatory breach disclosure, cyber insurance helps cover the costs and sometimes the lawsuits that result from these breaches.

But more recently, insurers have promoted optional extortion insurance packages that cover the costs of ransomware and other cyber extortion payments.

“We find it concerning that insurers sometimes pay ransoms to recover their customers’ data,” says Corey Nachreiner, CTO at WatchGuard Technologies.

“While we understand the business decision, insurers currently have no long-term actuarial data for cyber incidents and ransomware. It is possible that paying ransoms will encourage this criminal business model and increase the number of incidents insurers have to handle or the cost of ransoms.” More:
Computer Scientists Develop a Simple Tool to Tell If Websites Suffered a Data Breach

Computer scientists have built and successfully tested a tool designed to detect when websites are hacked by monitoring the activity of email accounts associated with them. The researchers were surprised to find that almost 1 percent of the websites they tested had suffered a data breach during their 18-month study period, regardless of how big the companies' reach and audience are.

“No one is above this—companies or nation states— it’s going to happen; it’s just a question of when,” said Alex C. Snoeren, the paper’s senior author and a professor of computer science at the Jacobs School of Engineering at the University of California San Diego.

One percent might not seem like much. But given that there are over a billion sites on the Internet, this means tens of millions of websites could be breached every year, said Joe DeBlasio, one of Snoeren’s Ph.D. students and the paper’s first author.

Even scarier, the researchers found that popular sites were just as likely to be hacked as unpopular ones. This means that out of the top-1000 most visited sites on the Internet, ten are likely to be hacked every year.

“One percent of the really big shops getting owned is terrifying,” DeBlasio said.
Healthcare Phishing Is Biggest Source of Data Breaches

Hospitals, doctors, dentists, the whole range of healthcare providers have long been attractive targets for cyber criminals. They hold large quantities of personal data, those data have been undergoing protracted and sometimes halting digitization for years, and the information can be used for a wide range of criminal activity.

As is so often the case, the most common way the crooks get access is through email. A survey by HIMSS Analytics finds that email remains the largest source of data breaches in the healthcare sector. Healthcare administrators and providers are aware of this, yet struggle to drive down the rate of successful attacks conducted by email.

Clearly the symptoms call for training and education. Modern Healthcare describes the study here:
Trojan Malware Attacks by North Korean Hackers Are Attempting to Steal Bitcoin

Researchers at SecureWorks say trojan malware is being distributed in phishing emails using the lure of a fake job ad. A prolific cyber criminal gang with links to North Korea is targeting employees at cryptocurrency firms in a bid to steal Bitcoin.

The spear-phishing attacks are thought to be the work of The Lazarus Group, a hacking operation believed to be associated with North Korea. The cyber operation has previously been linked to high profile attacks, including the WannaCry ransomware outbreak, a $80m Bangladesh cyber bank heist and 2014's Sony Pictures hack.

Uncovered by SecureWorks, the attacks have targeted the employees of at least one London-based cryptocurrency company, in what researchers suggest is an attempt to steal Bitcoin. More:
Interesting News Items This Week

Mecklenburg County Ransomware downtime was caused by phishing email:

Social engineering by nation states. Germany unmasks fake Chinese LinkedIn profiles:

Nation-State Believed Responsible for ‘Watershed’ Cyber Attack on Middle Eastern Industrial Plant:

Legal hoops victims experience in phishing BEC compromise scams to reclaim funds:

Phishing Attacks on Bitcoin Wallets Intensify as Price Goes Higher and Higher:

An interesting web-page. It shows you all the information it was able to collect on you — the same information is available to any website you click on:

8 Out of 10 Employees Use Unencrypted USB Devices:

US Charges Three Men for Creating and Running First-Ever Mirai Botnet:

UK Parents, Beware Private-School Fee Scams:

2018 – Six phishing & social engineering trends to watch for:

Bitcoin: $64m in cryptocurrency stolen in 'sophisticated' hack, exchange says:

Good examples of well played Smish:

It's official. Trump Signs Bill Banning Kaspersky Products:

Interesting study on personality and phishing susceptibility:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.