
CyberheistNews Vol 8 #22
Which Users Will Cause the Most Damage to Your Network and Are an Active Liability?

The statistic that four percent of employees will click on almost anything, with “Free Coffee” and “Package Delivery” taking some of the top spots among phishbait subject lines, may not sound like much.

However, keep in mind the most successful marketing campaigns only achieve around two percent. With double the response of most marketing initiatives, it's no wonder that the phishing attacks keep coming.

That statistic comes from Verizon’s 2018 Data Breach Investigations Report. The report showed that the number of phishing emails continues to grow. The victims include government agencies that house some of our most sensitive records. The report also reveals that one quarter of all malware detected was ransomware, and it indicated that 68 percent of breaches go undetected for months.

The answer to fending off phishing campaigns may lie in the same employees who choose to click. A type of crowd-sourced security that turns employees into human sensors could be the answer.

With new-school security awareness training, employees can learn to recognize phishing attempts and alert IT of the impending threat. This type of alert gives you an advantage leading to a faster response. Full blog post:

"Good Enough" Built-In Windows Antivirus Software Argues for Security Awareness Training

A surprising number of security experts agree that most users shouldn’t pay for a traditional antimalware suite. Windows 10's built-in protection, plus good security habits, are enough. Building good habits is where security awareness enters the picture...

As it turns out, Windows Defender has a lot to offer businesses and non-profit organizations, too. Microsoft’s Windows Defender Advanced Threat Protection (ATP) adds facilities that go well beyond the capabilities of many endpoint solutions: preventive protections, post-breach analysis, automated investigation and response, security intelligence and more.

Organizations that license Windows Pro or Enterprise, or that obtain such licenses through subscriptions to Microsoft 365, can use these facilities for little or no extra cost.

At the same time, they can also lower the risks of successful breaches or compromises through security awareness training. Overall costs involved will usually be less than those for a purely technical, software-based endpoint security solution.

The net result is reduced exposure to risk for companies or organizations savvy enough to invest in their people, who present the biggest attack surface of all.

Are you going to upgrade to Windows 10, rely on Defender and use your AV budget for new-school security awareness training?

Full post with URLs to independent tests and link to the HackBusters Discussion forum at KnowBe4 blog:

Lawyer: GDPR Will Affect Ransomware Reporting in U.S.

The European Union's General Data Protection Regulation will affect how U.S. companies deal with the rising threat of ransomware attacks, according to a leading privacy lawyer, by requiring the reporting of incidents even if the impact on data or systems is minimal.

If the event involves an “unplanned unavailability of that data,” entities will need to report the incident under the EU GDPR, said Harriet Pearson of the law firm Hogan Lovells.

Pearson said the GDPR's expansive approach to data covered by the rule -- including availability as well as confidentiality -- will likely alter how many U.S. companies deal with a ransomware attack.

Currently, if an organization determines the event had no significant impact on data or systems it may not report it.

Pearson said the strict 72-hour reporting requirement of the GDPR might provide some “relief” because attacked organizations will report quickly without much information about what happened, and then will conduct an internal risk assessment and can withdraw the report if minimal effects are found.

She said the EU “will start taking reports quickly without a lot of detail,” adding that she expects “fairly sparse reports” now that the EU rule went into effect last Friday.

And right on cue, Google and Facebook were each sued for almost 4 billion dollars on GDPR day, May 25, 2018. More detail with links:

Surprise! What's the Country Where All the CEO Fraud Gangs Are?

A new study by Agari concludes that, despite all the attention nation-state espionage services have been getting for their phishing attacks, the big threat still comes from criminal gangs.

Here is your quick Executive Summary:
  • 97% of people who answer a Business Email Compromise (aka CEO fraud) email become victims
  • The average BEC incident included a payment request of $35,500 (ranging from $1,500 to $201,805)
  • 24% of all observed email scam attempts between 2011 and 2018 were BEC even though BEC only started in earnest in 2016

And What's That Country?

Many of those criminal gangs continue to operate from Nigeria: of the ten gangs engaged in the email scams that Agari studied, nine were based in Nigeria. Conclusion: the old Nigerian 419 scam has upgraded big time.

While business email scams are relative newcomers to the world of online crime, becoming popular only as recently as 2016, they're now the most common kind of attack, accounting for 24% of phishing emails.

Patrick Peterson, Agari's Executive Chairman said: “The sad irony is that these foreign adversaries are using our own legitimate infrastructure against us in attacks that are far more damaging and much harder to detect than any intrusion or malware.”

BEC, in which the scammer poses as an executive of the business being phished, has the greatest potential for a large, immediate payout. All organizations should make it their policy never to use email to direct fund transfers, and they should train their employees to be aware of this social engineering tactic.

Other scams have similar potential to bankrupt their targets. Real estate brokers, for example, have been targeted with malicious attachments that enable criminals to conduct man-in-the-middle account takeover scams that hit escrow accounts. Continued at the KnowBe4 blog:

Don’t Miss the June Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, June 6, 2018, at 2:00 p.m. (ET) for a 30-minute live product demonstration of KnowBe4's Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users.
  • [NEW] Delegated Permissions now part of the Security Roles feature allows you to create custom admin roles for Target Groups in your organization.
  • Improved Vishing (voice phishing) feature supports domestic and international dialing with 10 commonly used vishing templates.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting, with great ROI.

Find out how 18,000+ organizations have mobilized their end-users as their last line of defense.

Register Now:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Either write something worth reading or do something worth writing about." - Benjamin Franklin

"The noblest pleasure is the joy of understanding." - Leonardo da Vinci

Thanks for reading CyberheistNews
Security News
Why are Antivirus Companies Promoting Security Awareness Training?

Here is some great ammo to get more budget for IT Security.

Today, the most surprising companies have jumped on the security awareness training bandwagon. Antivirus companies like Sophos, Kaspersky, Webroot and ESET are loudly promoting the fact that end user training is a must.

Why surprising?

Well, until recently, the AV industry considered that promoting awareness training was an embarrassing admission that their product was not effective.

By now they seem to have realized that their antivirus product is not the "end-all" and is really just one layer of the defense-in-depth puzzle. There is no way that AV tools can be effective protection against social engineering. So, users need to be trained against that type of attack.

An ESET survey conducted this month sought to gain some insight into how much training organizations provided their employees. 17.9% said "a lot," 32.5% said "some," 16.3% said "a little," and a full third, 33%, said "none."

This is remarkably risky.

The obvious risk is that an organization will find itself compromised. But that might not be the biggest risk. Security training has increasingly become an important part of legal standards of "reasonable" protection measures.

Organizations that fail to provide it expose themselves not only to being hacked, but to civil lawsuits, breach of contract claims, and considerable regulatory penalties.

A number of US states have laws that demand some form of security training. Organizations flout these at their risk. New-school security awareness training that awakens employees to the threat of phishing and other forms of social engineering is an important and surprisingly affordable way of managing risks like that.

All the factors above are excellent ammo to get more budget, and the one thing that gives you maximum bang for your buck is training. The first comment that will come out of your users' mouths is: "How do I share this with my family?" We have an answer for that. And... phishing your users simply is a lot of fun!

A Banking Trojan Goes Phishing

Roaming Mantis has drawn notoriety as a banking Trojan. Its criminal controllers, however, have recently given it some new functionality: phishing and cryptomining.

The criminals have added a phishing option for use against iOS devices, and a cryptomining option that works against PCs.

Roaming Mantis has been "mostly mobile," researchers say. It's also focused on Android devices, so the iOS phishing represents a departure. Successful phishing directs users to a malicious site that harvests usernames, passwords, paycard numbers, paycard expiration dates, and CVVs.

Researchers at Kaspersky Labs find that Roaming Mantis is capable of hitting targets that use a remarkably large range of languages: Arabic, Armenian, Bulgarian, Bengali, Chinese (both traditional and simplified), Czech, English, Georgian, German, Hebrew, Hindi, Indonesian, Italian, Japanese, Korean, Malay, Polish, Portuguese, Russian, Serbo-Croatian, Spanish, Tagalog, Thai, Turkish, Ukrainian and Vietnamese.

Threatpost has the story:

Shortened URLs, Big Problems

This one is a case of relatively innocent intentions gone bad. The good intentions are from CoinHive, which has developed and is offering a URL-shortener that is designed to help site owners monetize their traffic.

It works, according to CoinHive, like this: "If you have an URL you’d like to forward your users to, you can create a shortlink to it. The user has to [solve] a number of hashes (adjustable by you) and is automatically forwarded to the target URL afterwards." Hashes solved equals coin delivered.

Unfortunately, the bad reputation of URL shorteners is borne out in the misuse to which this one is being put. Unscrupulous actors, including some site owners, have been able to repurpose the URL shortener as a kind of cryptojacking watering hole.

Sucuri researchers have found that some sites are effectively bypassing the necessary user interaction by shrinking the hash-solving progress bar to an inconspicuous one-pixel image. Thus unwary visitors who've not interacted with CoinHive find themselves cryptojacked.

It's more annoyance than serious threat, but it's worth a bit of user awareness training. Help Net Security has the story:

Wish Your Users Could Roll Back Time - When They Clicked on a Bad Link?

Wouldn't it be great if your users had a way to "roll back time" when they forgot to think before they click on a bad link? Now they can!

KnowBe4 is excited to announce that Second Chance, our new security tool, can now be used with Outlook, Office 365, and Gmail email clients, and is free to download and deploy.

Second Chance takes an intelligent look at the clicked URL in email, and asks your user if they are sure they want to do this, in case they clicked on a potentially unsafe or an unknown website.

The URL Unwinding feature expands shortened and re-written links, showing users the original link and the location it will take them to. It even prompts your user when they click on a Punycode link!
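As an added illustration of the two checks just described (this is not KnowBe4's Second Chance code), the snippet below unwinds a shortened or rewritten link through its redirect chain and flags any Punycode (xn--) label in the final hostname so the user can be shown the decoded name. The redirect table and domain names are constructed for the example; a real client would read each hop's HTTP Location header instead.

```python
# Added example, not the product's code: unwind a link and flag Punycode hosts.
from urllib.parse import urlsplit

# Constructed redirect table standing in for HTTP 3xx responses. A real
# unwinder would issue a HEAD request per hop without auto-following and
# read the Location header (assumed design, not Second Chance's).
FAKE_REDIRECTS = {
    "https://short.example/abc": "https://track.example/r?u=1",
    "https://track.example/r?u=1": "https://xn--pple-43d.com/login",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}

def unwind(url, fetch_location=FAKE_REDIRECTS.get, max_hops=10):
    """Follow redirects until a hop yields no Location. The hop cap keeps a
    redirect loop from hanging the check. Returns every hop, start first."""
    hops = [url]
    for _ in range(max_hops):
        nxt = fetch_location(hops[-1])
        if nxt is None:
            return hops
        hops.append(nxt)
    raise RuntimeError("redirect limit reached: %r" % hops)

def punycode_labels(host):
    """Return (ace_label, decoded_unicode) for every xn-- label in host."""
    found = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = "<undecodable>"
            found.append((label, decoded))
    return found

def assess(url):
    """Summarise what a user should see before the click proceeds."""
    hops = unwind(url)
    host = urlsplit(hops[-1]).hostname or ""
    puny = punycode_labels(host)
    return {"final": hops[-1], "hops": len(hops) - 1, "host": host,
            "punycode": puny, "prompt": bool(puny) or len(hops) > 1}
```

For the constructed chain, `assess("https://short.example/abc")` reports two hops ending at a host whose first label decodes to "аpple" (Cyrillic а), which is exactly the case where a user prompt earns its keep.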

Second Chance could one day be the difference between a ransomware infection and a free weekend.

Give it a try:

Hashtag Phishing Is on the Rise – Five Ways to Protect Your Brand

Social media phishing is becoming a credible threat and brands need to be equipped to combat attacks, says Tim Bentley. Businesses can defend themselves against image hijacking quite easily; here’s how.

Hashtags are a great way to promote your brand on social media – they create buzz, help fans follow your company’s activity and encourage engagement. But brand hashtags can also put your organization at risk: no company can own or control the hashtags it promotes, and bad actors take advantage of that.

Once your social media team invests in making a hashtag popular, cyber-criminals can hijack it to target your fans and followers with malware and phishing links. These types of attacks are on the rise.

According to Proofpoint research, social media phishing links grew 70% and fake customer support accounts used for phishing jumped 30% from Q3 to Q4 in 2017. Story at:

What KnowBe4 Customers Say

"Last week I had the great pleasure of attending the KnowBe4 conference in Orlando. This was without a doubt the best tech conference I have ever attended. Not only were there absolutely dynamic speakers, all attendees were treated to the best food!" Link:

"Adding Security Roles is great. This will allow me to delegate access and responsibilities and prevent me from being the sole source and primary contact for all that KnowBe4 provides. Thanks!"
- T.D. Senior Director, IT

Interesting News Items This Week

Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.