CyberheistNews Vol 8 #19 [Heads-up] Scary New Exploit Hacks LinkedIn 2-Factor Auth. See This Kevin Mitnick VIDEO


OK, here is something really scary.

KnowBe4's Chief Hacking Officer Kevin Mitnick now and then calls me with some chilling news. This time, a white hat hacker friend of his developed a tool to bypass 2-factor authentication, and it can be weaponized for any site! My first thought when I heard about this was: "Holy cr@p!"

I asked him: "Can you show it to me?" Kevin sent me a video demo, which you can see below.

This particular attack is based on proxying the user through the attacker’s system with a credentials phish that uses a typo-squatting domain. Once the user falls for this social engineering tactic and enters their credentials, their authenticated session cookie gets intercepted and it's trivial to hack into the target’s account.

See it for realz here (video is 6 minutes) and shiver:
Scam of the Week: Phishing Attack Uses GDPR as Bait

Attackers know that companies are sending a lot of emails to customers about GDPR, and that makes those emails a prime opportunity for phishing attacks.

With the GDPR May 25 deadline almost here, people are receiving emails from companies changing their data privacy policies, and cyber crime is having a field day. Just one example is a phishing campaign made to look like it comes from Airbnb, according to research from Redscan.

Their research began after an email supposedly sent from Airbnb's customer support line was found to be a phishing attack asking users to update personal information, such as credit card details, because they were supposedly not "GDPR compliant".

The fake Airbnb notification used a spoofed address like "". Airbnb is taking action and has their Trust and Safety team investigating.

Expect other, similar campaigns to hit the wires in the next few weeks. In the meantime, I suggest you send this email to your employees, friends and family. You're welcome to copy/paste/edit:
"There is yet another email scam you need to watch out for. New European data privacy regulation is going into effect May 25th. It's called General Data Protection Regulation (GDPR) and bad guys are using it as bait, claiming you're not compliant and you are violating this new regulation.

Do not click on links in emails, or open suspicious attachments, that claim any kind of problem with "GDPR". Delete the email, or click on the Phish Alert Button to forward it to IT and delete it from your inbox."
86% of Passwords Are Terrible and Employees Reuse Them All the Time

Troy Hunt, the founder of Haveibeenpwned, came out with some brand new numbers that show there's bad news and there's more bad news.

A few months ago he launched V2 of his Pwned Passwords list (half a billion of them) and the idea is to make them into a blacklist, as per the recent NIST guidance:
"When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised."
In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don't let your customers (or users) use that password!

But he always wondered: what percentage of passwords would this actually block? If you had 1 million people in your system, is it a quarter of them using previously breached passwords? Half? More?

And then he got his hands on a new 6.8m-record data breach from a site called CrashCrate and he could do the math: 86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.

He concludes that traditional password complexity rules are awful and, to quote him, "must die a fiery death", also because bad guys are more and more into credential stuffing: grabbing huge stashes of username and password pairs from other data breaches and seeing which ones work on totally unrelated sites.
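A verifier-side check of the kind the NIST guidance above calls for, written here as an added example rather than code from Troy Hunt or the Pwned Passwords project. It follows the range-query shape of the Pwned Passwords API (five-character SHA-1 prefix out, "suffix:count" lines back) against a constructed, offline stand-in, so only a hash prefix would ever leave the verifier; the count for "password" is a constructed value.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords range endpoint. The real service
# answers GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# with lines "<remaining 35 hex chars>:<count>". Only one prefix is populated here;
# "password" hashes to 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. Counts and the
# two filler suffixes are constructed, not real data.
CONSTRUCTED_RANGES: Dict[str, List[str]] = {
    "5BAA6": [
        "00112233445566778899AABBCCDDEEFF001:12",        # filler
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661",   # "password"
        "FFEEDDCCBBAA99887766554433221100FFE:3",         # filler
    ],
}


def hash_password(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords list is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def local_range_lookup(prefix: str) -> List[str]:
    """Offline replacement for the HTTP range call; swap in a real client here."""
    return CONSTRUCTED_RANGES.get(prefix, [])


def breach_count(password: str,
                 range_lookup: Callable[[str], List[str]] = local_range_lookup) -> int:
    """How many times the password appeared in breaches (0 = not on the list).

    Only digest[:5] is sent to the lookup; the suffix comparison stays local."""
    digest = hash_password(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def verifier_accepts(password: str, min_length: int = 8) -> bool:
    """NIST SP 800-63B style rule: a length floor plus the breached-password
    blacklist, and no composition rules (digits, symbols, forced rotation)."""
    if len(password) < min_length:
        return False
    return breach_count(password) == 0
```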

Employees Reuse Them All the Time

Despite heightened awareness of the security implications, many users still continue to reuse passwords and rarely, if ever, change them, a LogMeIn survey shows.

A new survey by LogMeIn of some 2,000 individuals in the United States, Australia, France, Germany, and the UK has revealed what can only be described as broad apathy among a majority of users on the issue of password use.

Though 91% of the respondents profess to understand the risks of using the same passwords across multiple accounts, 59% said they did so anyway. For 61%, it is the fear of forgetfulness that was the primary reason for password reuse.

Fifty percent say they reuse passwords across multiple accounts because they want to know and be in control of their passwords all the time.

Only 55% of Users Would Change Passwords If They Were Hacked

LastPass research revealed that password behaviors remain largely unchanged from earlier studies two years ago, and many remain in denial that their accounts are even at risk. Even scarier? These habits (or lack thereof) and beliefs are the same whether used for personal or work accounts. Links to this research at the blog:
KnowBe4 Releases Q1 2018 Top-Clicked Phishing Report [INFOGRAPHIC]

This is the second year we've published quarterly results of the most-clicked phishing emails across a few categories. We separate the data into subjects related to social media and general emails, drawn from the millions of phishing tests our customers run per year. The third category, 'In The Wild', reflects common attacks we see as a result of millions of users clicking the Phish Alert Button on real phishing emails and sending them to us for analysis.

It is important that even the most vigilant users stay up to date on current threats and specific subjects the bad guys are trying.

Understanding the reasons particular subjects garner more clicks is also a great reminder to ALWAYS think before you click, and you can clearly see hackers are continuously trying to use our psyche against us.

Last quarter's results were a mix of personal and company notifications, showing email continues to be the No.1 attack vector to compromise users. You can use the infographic to send to your users. Available at the blog:
Live Webinar: Fortifying Your Organization’s Last Layer of Security

Cyber security threats continue to proliferate and become more costly to businesses that suffer a data breach. When it comes to combating these growing risks, most organizations continue to place more trust in technology-based solutions than on training their employees to be more aware of the threat landscape and able to recognize the red flags in cyber breach attempts.

Join Erich Kron, Security Awareness Advocate at KnowBe4, as he explains the emerging threats, the strengths and weaknesses that users bring to an organization's security culture, and strategies to fortify your organization's last layer of security: your users.

In this webinar you will learn:
  • Current and emerging attack landscape and how organizations are coping
  • Right and wrong approaches to changing employee behavior
  • How to build a successful Security Awareness Training Program
Date/Time: Wednesday, May 23, 2018, 1:00 pm ET
Register Now!
New Phishing Security Test: See How You Compare to Peers in Your Industry!

We've got something really cool for you: the new Phishing Security Test v3.0

Sending simulated phishing emails is a fun and effective cybersecurity best practice to patch your last line of defense... your users.

Find out the Phish-prone percentage™ of your organization with our updated Phishing Security Test that now includes New Industry Benchmarking. See where you stack up! Industry Benchmarking enables you to compare your organization’s Phish-prone percentage with others in your industry.

With Our Updated Phishing Security Test:
  • You can customize the phishing test based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Start phishing your users now. There is no cost.

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The highest activity a human being can attain is learning for understanding, because to understand is to be free." - Spinoza, Dutch Philosopher (1632 - 1677)

"Peace cannot be kept by force; it can only be achieved by understanding." - Albert Einstein

Thanks for reading CyberheistNews
Security News
Twitter's Password Warning

Last Thursday, May 3rd, Twitter advised its users to change their passwords. That's a lot of users: 336 million. What happened was this: Twitter discovered "a bug that stored passwords unmasked in an internal log." By "unmasked" they mean "unhashed," and so in principle more accessible to unauthorized access.

Twitter is confident no one got to that internal log, and they say they've securely deleted it, but that they're advising password changes "out of an abundance of caution."

Users, including organizational users, should do at least the following: Change your Twitter password, as advised. You should also change your password on any other accounts where you've reused it. Password reuse is always a very bad idea, so use the occasion to come up with a new password for each account. Train those users to create strong passwords.

It's worth noting that Twitter took prompt action to fix the problem once they discovered it. That sets a good example for any organization dealing with a security issue like this.
Nigerian Gangs and Business Email Compromise

419 scams, also known as Nigerian prince scams, have long been exposed as frauds, but the gullible and tender-hearted continue to fall for them.

Nigerian prince scams are run by organized crime, and the gangs behind them have moved into a newer, more lucrative market: business email compromise (BEC). Organizations should consider training their employees to recognize and refuse the scam.

The FBI finds that BEC usually occurs in five typical scenarios:
  • Businesses working with an international supplier,
  • A senior executive requesting a wire transfer,
  • Fraudulent email to business contacts sent through a compromised email account,
  • Impersonation of an executive or an attorney, and
  • Data theft.
There are several things an organization can do to make itself a harder target. One is a matter of technology and policy: enable two-factor authentication for services like Office 365 and Google Suites.

Another thing an organization can do is provide employees with realistic training in the ways of the gangs. Alert them about the FBI's five BEC scenarios. Don't neglect awareness training that covers old-school 419 scams.

In the end, defense against the gangs requires well-informed and alert users. As CrowdStrike's vice-president of intelligence Adam Meyers told the New York Times, "It's really hard to stop; you can't stop it with anti-virus or any kind of software, it's really kind of a human problem." WIRED has the story:
Hacking to Get-Out-of-Jail-Free

Remember “Ferris Bueller’s Day Off”? Remember where Ferris hacks into the school's network and changes his attendance record from an unacceptable nine days' absent to a more respectable two? That’s basically what Konrad Voits attempted to do for an inmate at the Washtenaw County Michigan Jail.

Using a cleverly crafted URL, social engineering and a touch of malware, Voits, of Ann Arbor, Michigan, successfully created a phony website with a clever domain that substituted two Vs for the W at the end of Washtenaw.

Eventually Voits was able to take control of the county website, along with access to personal information on present and past county employees. He was also able to hack into the jail management software and tried to change the release date for an unnamed inmate.

Fortunately, alert jail personnel noticed the tampering, and no one was released early. After an investigation the hack was attributed to Voits. He was subsequently sentenced to eighty-seven months in federal prison (that's seven years and three months). He was also fined $235,488 for costs associated with the investigation and breach.

Many have the technical know-how to register a domain name and purchase tools on the dark web. However, just because we can doesn’t mean we should. The alert county employees who spotted the scam are a good example: pay close attention to typography. In this case that attention to detail stopped a jail break.
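The two-Vs-for-a-W trick above, and the typo-squatting domain used in the 2-factor-bypass phish at the top of this issue, can both be screened for mechanically. The following is an added example for a phishing triage queue, not KnowBe4 code; the protected-domain list and the confusable pairs other than "vv" for "w" are constructed assumptions, and the registrable-domain split is naive (no public-suffix list).

```python
from typing import List, Optional, Tuple

# Single-character confusables are applied first, then multi-character ones, so a
# label such as "c1oud" and the real "cloud" collapse to the same skeleton.
SINGLE = {"0": "o", "1": "l", "3": "e", "5": "s"}
MULTI = [("vv", "w"), ("rn", "m"), ("cl", "d")]

PROTECTED = ["washtenaw.org", "linkedin.com", "airbnb.com"]  # constructed watch list


def skeleton(label: str) -> str:
    """Collapse visually confusable sequences so lookalike labels compare equal."""
    s = "".join(SINGLE.get(ch, ch) for ch in label.lower())
    for src, dst in MULTI:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> Tuple[str, str]:
    """Naively split a host into (second-level label, top-level suffix)."""
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(host: str, protected: List[str] = PROTECTED) -> Tuple[str, Optional[str]]:
    """Return ("legitimate" | "lookalike" | "unrelated", matched protected domain)."""
    label, suffix = registrable(host)
    for p in protected:
        p_label, p_suffix = registrable(p)
        if label == p_label and suffix == p_suffix:
            return "legitimate", p
        if skeleton(label) == skeleton(p_label) or edit_distance(label, p_label) <= 1:
            return "lookalike", p
    return "unrelated", None


if __name__ == "__main__":
    for h in ["www.washtenaw.org", "washtenavv.org", "1inkedin.com", "example.com"]:
        print(h, classify(h))
```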
Piper Data Breach Report March 2018

Piper Jaffray conducted their monthly analysis of breaches reported in the month of March. There were 90 breaches in March, down 55.2% Y/Y, but the number of records exposed was significantly higher due to the mega breach at MyFitnessPal/Under Armour, in which 150M records were compromised.

Overall breach activity (90) has remained below the 12-month rolling average (109) since August 2017, though it is above the lowest monthly total of 58 recorded in November 2017.
SANS Announced the May Edition of Ouch! - GDPR

They said: "We are excited to announce the May edition of OUCH! - GDPR. As many of you know, the EU’s new General Data Protection Regulation (GDPR) takes effect this month, 25 May. This is a huge deal and impacts people and organizations around the world. We also know there is a lot of confusion about it. That is why we are thrilled to have GDPR expert Brian Honan as our Guest Editor as he gives a simple overview of what GDPR is and what it means to you. Download and share with family, friends and co-workers.":
Irish Netflix Scam

Netflix subscribers in Ireland have been receiving bogus email messages informing them that their payment method has failed and that their account has been cancelled. The email contains a payment link the customer is encouraged to click. The unsuspecting target is taken to an authentic-looking page where they're asked to enter credit card information along with other personal data.

The fake page looks legit, complete with a phony security certificate. Software and internet security company ESET urges targeted Netflix users to ignore the scam emails and not to use email links to sign into their Netflix account.

And above all, never provide payment details. The cautionary story is good for any organization to share with its employees. You may not use Netflix at work, but the approach is a common one: tell someone a service they use is about to be taken away, and then bait them into clicking a malicious link. DublinLive has the story:
New "2018 Safe Web Browsing" and "Ransomware" Training Modules

New "2018 Safe Web Browsing" and "Ransomware" Training Modules have been released with the following features in all 20 of the language versions:
  • Local glossary updates and additions
  • Localized currency examples
  • Relatable names of characters
  • Region specific URLs
  • Global date and time conventions
  • Localized email addresses
  • Regional example websites
More about this, and see the other 4 foundational training modules that are available in 20 languages:
What Our Customers Say About Us

"Hello Stu, Your email made me smile. I am a very happy camper. A few weeks ago we did a company-wide phishing exercise. The feedback that I got from my staff was they are very happy with the product and your team provided great support. Over the next couple of months we are planning on focusing on the education components. Thanks for checking in!!" - S.N. Chief Security Officer

"We are really excited to begin the full deployment of the training. After some policy updates that were required, information that needed to be gathered, and a citywide announcement, we are ready to roll out the training beginning the third week in May.

I’ve been constantly impressed with the level of attention I’ve received from members of your team, and during my review of the training content I was surprised by the quality and quantity. I’m really looking forward to seeing the response from our users (maybe not so much the complaints), and feel that it will raise the awareness level across the city.

Next week we are rolling out the Phish Alert button to all users, so soon we can stop the forwarding of suspected phishing emails to random members of IT. You have a great thing going, keep it up!
- Thank you, H.L. Network Support Specialist IT
Interesting News Items This Week
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.