CyberheistNews Vol 8 #15 Scam of the Week: Fiendishly Clever Gmail Phishing You Need to Know About


Twitter user @_thp shared a recent phishing scam that they received, and it's so fiendishly clever that it has gone viral. They wrote: "This is the most clever phishing scam I've ever encountered and for a second it almost got me." Now, that is perhaps a bit exaggerated, but you have to admit it's something a lot of users are likely to fall for.

Here is how this scam works. The victim receives a text message asking whether they have requested a password reset for their Gmail account and, if not, to reply with the word 'STOP'.

Employees who have not received any new-school security awareness training could easily fall for this social engineering tactic and will respond with 'STOP'. Next, they are urged to send back the 6-digit numerical code in order to prevent the password from being changed.

Of course, what is really happening is that the scammer has requested a password reset on the victim's account. That request sends a verification code to the real account owner to confirm that they actually want the password changed. By sending that code back to the attacker, the victim enables the bad guys to complete the password change, and now they have access to the account and all of its email.

I suggest you send this email to your employees, friends and family. You're welcome to copy/paste/edit:

"There is a new scam where hackers send you a text that asks you about a password reset on your Gmail account, and if you did not request one, to text STOP. This is a scam. The bad guys asked for that password reset and now want you to send them the authorization code! Don't fall for it.

Remember that Gmail or any other web email service will never ask if you *don’t* want to do something with your account. You didn’t ask for a password reset, so you shouldn’t be asked about one.

Do not reply to the text (doing so will tell the scammers that they have reached a valid number). And to prevent losing your account to bad guys, it's a very good idea to have 2-step verification set up on your Google account."

Post with screenshot at the KnowBe4 Blog:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Prediction: In a Few Months Every Form of Cybercrime Is Going to Increase Noticeably

Brian Krebs wrote a new post with a 2018 outlook that is a bit concerning:

"Prediction: In a few months, the volume of spam, phishing and just about every form of cybercrime is going to increase noticeably. New privacy rules coming out of the EU are going to take away the single most useful tool available to security experts and researchers: WHOIS. Here is the story:

Discussing GDPR: the European Union's General Data Privacy Regulation goes into effect on May 25th. It will have global implications that few businesses will escape. Any business that handles data on any citizen of the European Union will be subject in some fashion to GDPR.

Most organizations are aware of the regulatory and litigation risks GDPR poses. Fewer anticipate the criminal social engineering they can expect to encounter as GDPR reaches full implementation.

A full array of scams is expected, with phishing emails calculated to exploit businesses' very reasonable fears that they might be found out of compliance and thus face heavy fines. You can expect, for example, to receive contacts that claim to be from Europol or other police agencies telling you that you're in violation of GDPR and that you should pay a fine immediately to avoid further, more punitive prosecution. Alert your employees to the problem.

This can be expected to be a seasonal threat. It will increase as we approach May 25th and continue into the early months of implementation. Infosecurity Magazine has a story on how scammers can be expected to exploit fears of liability under GDPR:

[LIVE Webinar] Levers of Human Deception: The Science and Methodology Behind Social Engineering

No matter how much security technology we purchase, we still face a fundamental security problem: people. This webinar will explore the different levers that social engineers and scam artists pull to make us more likely to do their bidding.

Join Stu Sjouwerman, CEO at KnowBe4, and Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, as they provide fun and engaging examples of mental manipulation in everyday life: from the tactics used by oily car dealers, to sophisticated social engineering and online scams.

Additionally, we'll look at how to ethically use the very same levers when educating our users. Key takeaways:
  • The Perception vs. Reality dilemma
  • Understanding the OODA (Observe, Orient, Decide, Act) Loop
  • How social engineers and scam artists achieve their goals by subverting OODA Loop's different components
  • How we can defend ourselves and our organizations
Date/Time: Wednesday, April 25, 2018, 2:00 pm ET

Register now - limited space available!

IT Pros Are Loving This New Tool: Mailserver Security Assessment [It's Free]

Do you know what's getting through your mail filters?

KnowBe4 is excited to announce that now you can use our brand new, innovative Mailserver Security Assessment (MSA), to help you assess your organization’s mailserver configuration settings and check the effectiveness of your email filtering rules.

With email still the #1 attack vector used by the bad guys, MSA helps you to see what types of messages may make it through your filters from the outside.

A recent Cyren Email Security Gap Analysis discovered an astounding average miss rate of 10.5%: that is the share of spam, phishing and malware attachments that enterprise email security systems let through.

MSA gives you quick insight into how your mailserver handles test messages of a variety of types, including emails with attachments that are password-protected, contain macros, are zipped, or are .exe files, as well as emails from spoofed domains.

Here’s how MSA works:
  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages when you use MSA's automated send, test, and result status.
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!
Find out now if your mailserver is configured correctly; many are not!

Test my mailserver:

Going to RSA in San Francisco This Year? Here's Your Exhibit Hall Pass

Drop by KnowBe4’s Booth 5004, North Hall at the Kevin Mitnick New Book Signing! Make a selfie with the ‘World’s Most Famous Hacker’ and get a signed copy of his new book:

Tuesday, April 17, 3-6pm at KnowBe4’s Booth.

Get your light-up "Axe To Grind With Ransomware!" swag, and see a demo of the innovative KnowBe4 Security Awareness Training Platform to train and phish your users. Plus, be entered to win a DJI Spark Drone.

Don’t have a pass yet? We’ve got you covered. Use code X8EKNOWB to register for your complimentary Exhibit Hall Only Pass. We'll see you at Booth 5004:

Quotes of the Week
Legendary quotes from James Mattis, four-star Marine general turned Defense Secretary.

"I don't lose any sleep over the potential for failure. I cannot even spell the word."

"The most important 6 inches on the battlefield is between your ears."

Thanks for reading CyberheistNews

Security News

Exorcise Ghost Users

A study of 130 companies by Varonis finds that two related problems remain widespread in corporate networks. First, many businesses seem to have difficulty following the least privilege best practice: on average they leave 21% of their folders accessible to everyone. Second, they leave a large number of inactive, "ghost user" accounts on their systems.

34% of all users were found to be ghosts. These two issues can make it easier for attackers to find accounts they can exploit to access sensitive information. The remedy is twofold: implement least privilege policies, and purge the ghosts from the machines. Dark Reading has the story:

SAKS and Lord & Taylor Retail Breach Traced to Phishing

It came to light on April 1st that two retailers owned by the Hudson's Bay Company, Lord & Taylor and Saks, were breached. On March 29th the JokerStash "hacking syndicate," which is also known as "Fin7," began offering the first tranche of what are believed to be more than 5 million payment cards for sale on the dark web.

125 thousand records have been released for sale so far. The rest are expected to appear on the block within the next few months. The Hudson's Bay Company says it's addressed issues with network security and continues to investigate.

The retailer will offer customers whose paycard data were lost the customary post-breach help, including identity-protection and credit-monitoring services. How the criminals accessed the accounts remains under investigation, but it appears to have been a phishing expedition.

It's thought that an employee bit on some plausible phishbait, and that's how the criminals were able to establish persistence in the retailers' systems for more than a year. As always, employee awareness training, the more realistic and interactive the better, is an important preventive measure against phishing. PYMNTS has the story:

Do Your Users Know What to Do When They Receive a Suspicious Email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?

KnowBe4’s Phish Alert add-in button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!
  • Reinforces your organization’s security culture
  • Users can report suspicious emails with just one click
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)
This is a great way to better manage the problem of social engineering. Compliments of KnowBe4!

Here is where you download your Free Phish Alert Button.

Vanity and Gullibility

Celebrities are as common as phishbait as they are as clickbait. In highly targeted scams the email approach will play upon the recipient's weaknesses. Sometimes that weakness is greed, as in the Nigerian prince emails. Sometimes it's loneliness, as in romance scams. Sometimes it's fear, as with scareware.

But a social engineer can also play on your vanity. If you received a convincing-looking contact from some academic star, for example, who seemed to be expressing an interest in you and your work, would you click? You might. One phishing scam impersonated Larry Summers, the economist who was formerly Secretary of the Treasury and President of Harvard University.

One journalist found her academic vanity flattered and fell for the social engineering. Encourage your employees to think about how they might be vulnerable, and help them arm themselves in advance with the kind of healthy skepticism realistic anti-phishing training can help develop. WIRED has an interesting first-person story:

Watering Holes Are Filling, Again

Watering hole attacks are a form of social engineering that fell out of favor over the last two years. But they're back, according to researchers at Morphisec, and you should help your employees recognize them. In a watering hole attack, criminals load a website with malware designed to infect visitors with a malicious payload.

The infection might require some user interaction, such as following a subsequent link or downloading a document. In these cases a watering hole attack resembles the more common phishing attack. In other, more dangerous cases, sophisticated attackers can compromise visitors to a site in a simple drive-by. Some of the watering holes are compromised versions of third-party sites.

Others are built from the ground up by attackers to draw their most desirable marks into the watering hole. The most common infection vector has been a Flash vulnerability. The criminals who operate watering holes will often take advantage of the fact that the patching cycle in most businesses can be as long as six weeks.

Once the exploits are addressed, the attackers move on to another one. Many watering holes take advantage of the same kinds of gullibility that phishing attacks make use of. Training in awareness of and resistance to social engineering can be part of a business's defense against watering hole attacks. ITWeb has the story of how watering holes are reappearing:

FIS Group CEO's Email Compromised

The CEO of investment house FIS Group has had her email account compromised. The account has been used in widespread phishing attempts that target the CEO's contact list. Those contacts received an email that informed them a document was ready for their review. A link in the email took them to what misrepresented itself as a DocuSign portal.

The link that bogus portal proffered was, of course, malicious. This is another case in which wariness about links in email and an appreciation of the techniques of social engineering can help insulate an organization from the threat. Information Security Buzz has a brief story on the incident:

Ransomware Attacks for Local Governments and Public Agencies: A Primer

Background. The recent ransomware attack on the City of Atlanta highlights the fact that the threat of ransomware affects all organizations, regardless of the nature of their industry, business, or operations, and that political subdivisions and quasi-government entities face particular challenges in protecting themselves and responding to attacks.

Counties, cities, political subdivisions, and nonprofit corporations have become a favorite target for cybercriminals because they are increasingly leveraging technology to collect, store, and use personal information to deliver services and programs to individuals, and because their networks tend to run on a complicated, interconnected fabric of legacy systems that are difficult to protect and defend.

As a result, attackers are targeting emergency response systems, disaster response systems, public utilities payment and information systems, police department systems, election and voter information systems, medical information systems, and general operating systems of public entities.

A recent International City-County Management Association survey of chief information officers found that about 44 percent of local governments reported experiencing daily cyber-attacks (without regard to type or threat vector), with about one-quarter of local governments reporting attacks at least as often as once an hour.

Yet, less than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches. Full Story:

30-second Survey: "I wish I had a tool to..."

When an end user has fallen for a social engineering attack, have you ever had that feeling: "I just wish I had a tool to...." but lacked that tool? Take 30 seconds and let us know what that tool would be.

Please let me know at this link to Surveymonkey. It may be redirected, so please copy and paste this in your browser. Thanks very much in advance!

10 Ways to Develop Cybersecurity Policies and Best Practices

ZDNet had a good article with reminders that today's security challenges require an effective set of policies and practices, from audits to backups to system updates to user training. Here are 10 ways to make sure you're covering all the bases. We highlighted #5 as we're partial to that one. :-)

5. Provide new and continuing security education

"Cybersecurity education should be a staple of every new employee orientation, with new employees signing off that they have read and understood the training. On an annual basis, a refresher course in cybersecurity practices should also be given to employees company-wide. This ensures that security policies and practices stay fresh in employees' minds, and that they understand any policy additions or changes." Here are the other 9:

Research: Employee Compliance Is the Main Challenge to Implementing Cybersecurity Strategy

A recent Tech Pro Research poll showed that many companies are creating cybersecurity strategies, but enforcing them is the real challenge.

It's one thing for a company to create a cybersecurity strategy, but it's another thing entirely to put strategy into practice. Recently, ZDNet's sister site, Tech Pro Research, conducted a poll to see what security tactics companies are using, and how they're working out.

Just as many respondents (39%) said their company has a formal, regularly updated cybersecurity policy as those who said their company has no policy. Others said their company has a policy, but it doesn't get regular updates.

In terms of what's covered in those policies, automatic software updates and employee training were the two most common cybersecurity tactics used by respondents' companies.

Among respondents whose companies had added security measures in the past year, new firewall or antivirus products and additional employee training were most common.

This shows that businesses do realize the importance of getting employees involved in cybersecurity. However, when asked about any challenges to implementing strategies, 58 percent said the hardest part was getting employees to comply.

The infographic below contains selected details from the research. To read more findings, plus analysis, download the full report: Cybersecurity strategy: Common tactics, issues with implementation, and effectiveness. (Tech Pro Research subscription required.)

What Our Customers Are Saying About Us

"Hey Stu, I have been looking forward to this email. I want to praise Hunter Martin for his hard work in getting this going for me. I have had an extremely busy work and personal life since we got KnowBe4, and Hunter knocked it out of the park. I don’t think we would be running on KnowBe4 without him.

I have never worked with a more enthusiastic sales team or helpful support team in my entire professional life. The biggest fear I had working at this company was having my users fall for any of the various tricks employed these days and KnowBe4 was the perfect tool to test and train them.

The response from the users who have taken the training is great and the tools are easy to use. As it stands now today is my last day here due to life circumstances taking me back to my home state, but I know my users have been prepared better as I depart the company.

I don’t know what path my career is going to take once I get back as I have nothing lined up but I know I would strongly recommend KnowBe4 based on my wonderful experience with the company and product." - T.J. IT / Systems / Network

"As you know, we officially became a customer of KnowBe4 this past week, and we are very happy to join your team. I’m so happy with the way I’ve been treated and how invested your company has been in our success.

I wanted to specifically tell you about my experiences with Bruce. I know that this process was long and tedious, and probably frustrating at times for him. In spite of these circumstances, Bruce was always available for us; interacting with me in a positive manner, always willing to help, and so great to work with. He is an amazing ambassador for your company.

He exemplified integrity, ethics and intelligence. He represented KnowBe4 with professionalism and personality, and it was an absolute pleasure to work with him. If he is indicative of the culture that KnowBe4 espouses, I am confident that the next three years will help us mature our Training & Awareness program in a myriad of ways." - A.K. Cyber Security Outreach Manager

Interesting News Items This Week

Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff
    • Here is a fun way for kids to get trained to stay safe online: Jim Davis and Garfield. Check out their fun intro video:

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
