CyberheistNews Vol 8 #34 [VIDEO] The DNC Thought It Was Under Attack (It Was a Red Team Phishing Test...)

This is a great lesson for all of us. And it could happen to anyone. Read it, watch the 4-minute video with the Top 10 Security Awareness Training Program Fails, and make sure to "not be that guy". Here is what happened:

The FBI received a report from the US Democratic National Committee (DNC) that unknown actors sought access to a voter database through a phishing campaign.

Security firm Lookout was reported to have warned the DNC Tuesday that it had found a fake login page for VoteBuilder, a tool the party uses so its campaigns can better target voters.

The attackers' apparent aim was to obtain credentials they could use to access the party's voter information. The DNC's Chief Security Officer Bob Lord briefed party officials on the attack yesterday, then made a public statement denouncing the current US Administration for not protecting the political process from hackers. The party also spoke about the incident to a number of media outlets.

But soon it developed that there was no actual attack. What happened was a phishing test in progress, an exercise that party leaders mistook for the real thing. The DNC leaders say they didn't authorize a phishing test. Being caught out like this is embarrassing to any organization. CNN called the episode a "SNAFU," which seems about right.

The WSJ explained a day later: "One person familiar with the matter said the test site was created at the request of the Michigan Democratic Party by DigiDems, a volunteer group of technology experts that does work for the Democratic Party.

The DNC wasn’t notified of the test, which led to the confusion over the spoofed site’s origin, this person said. In a statement, the Michigan Democratic Party confirmed that its “digital partners” ran the test out of an abundance of caution.

“Despite our misstep and the alarms that were set off, it’s most important that all of the security systems in place worked,” Brandon Dillon, the state party’s chairman, said. “Cybersecurity experts agree this kind of testing is critical to protecting an organization’s infrastructure, and we will continue to work with our partners, including the DNC, to protect our systems.”

As a result of the incident, the DNC is crafting new rules for state parties and other campaign organizations that want to run cybersecurity exercises, according to Politico. They will now be required to notify DNC headquarters of their plans.

Awareness training is important, but it's important to do it right. When an organization runs interactive, realistic training, it's got to know, at the appropriate levels, what's going on. This kind of "scoring into your own goal" is easy to commit, but it's also easy to avoid. This was a violation of Rule No. 8: "Neglecting to Inform Key Stakeholders".

Here is a 4-minute video with the Top 10 Common Security Awareness Training Program Fails:

KnowBe4 offers both the DNC and RNC a free unlimited account, so they can train everyone—both full time and volunteers—and enable all employees to make smarter security decisions, every day. Call me and we will get it set up. "We must, indeed, all hang together, or most assuredly we shall all hang separately." - Ben Franklin.
[INFOGRAPHIC] Cybercrime Pulls In a Million Bucks a Minute

Here is some excellent ammo to get InfoSec budget dollars freed up.

More than a million dollars is lost every minute to cybercrime. That staggering stat comes to us by way of RiskIQ, which published new research showing that despite businesses spending roughly 171K every minute on cybersecurity, 1.1M is lost to cybercrime.

The research found that every 60 seconds:
  • 1.5 organizations fell victim to ransomware attacks, with an average cost to businesses of 15K
  • A new site appeared running the CoinHive cryptocurrency mining script
  • Four potentially vulnerable web components were discovered
  • And a new phishing domain appears every five minutes
In an email to Infosecurity, security author Raef Meeuwisse said that cybercrime continues to be a profitable industry, and cyber-criminals continually evolve their tactics to remain one step ahead.

He said: “Cybercrime and cybersecurity co-exist in a constant cycle of innovation. As one particular criminal trend towards a particular technique increases, so the security functions create or strengthen the required defenses.

“However, it is evident at both the level of personal and organizational cybersecurity that spending is usually too low. In fact, most of these cyber-criminals are not going after the hard targets with great defenses, they are targeting the low hanging fruit – and there is still far too much of it.”

RiskIQ CEO Elias Manousos said: “Leveraging the latest research as well as our own global threat intelligence, we're defining the sheer scale of attacks that take place across the internet to help businesses better understand what they’re up against on the open web."

Link to the RiskIQ report and InfoGraphic:
Can You Be Spoofed? Find out for a Chance to Win an Embrava Blynclight

Are you aware that one of the first things hackers try is to see if they can spoof the email address of some C-level executive in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus, you'll be entered for a chance to win one of 10 Wireless Embrava Blynclights. (Stop those drive-by requests with this "busy light" for your desk.)

Hurry, offer ends August 31st!
See Ridiculously Easy Security Awareness Training & Phishing in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 20,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Thursday, September 6, at 2:00 p.m. (ET) for 30 minutes

Live Webinar: The Quantum Computing Break is Coming... Will You Be Ready?

Quantum computing is a game-changer and will have a huge impact on the way we do business, safeguard data, explore space, and even predict weather events. Yet, some experts say in the not so distant future, quantum computers will break existing public key cryptography forever.

On that digital day of reckoning, every stored secret protected by traditional public key crypto will be broken forever; including TLS, digital certificates, PKI, SSH, RSA, most wireless networks, VPNs, online financial transactions, and even bitcoin and blockchain. All of it made worthless in a second…

Join Roger Grimes, KnowBe4 Data-Driven Defense Evangelist, as he explores the way bad guys will be able to use more secrets against you than ever before, especially in increasingly sophisticated spear phishing attacks.

Attend this exclusive event to learn what you can do to prepare.
  • Why quantum computing is different than traditional binary computing
  • How close quantum computers are to breaking traditional public key cryptography
  • What defenses you can deploy after public key cryptography is broken
  • How to prepare your users - your last line of defense
The quantum computing break is coming. Will you be ready?

Date/Time: Wednesday, September 19, at 2:00 p.m. (ET)

New Podcast: "Hacking Humans", Covering Social Engineering

Each week the CyberWire’s Hacking Humans podcast looks behind the social engineering scams, phishing schemes, and criminal exploits that make headlines and take a heavy toll on organizations around the world.

They talk to social engineering experts, security pros, cognitive scientists, and those practiced in the arts of deception (perhaps even a magician or two).

We also hear from people targeted by social engineering attacks and learn from their experiences. This is a great podcast sponsored by KnowBe4, check out their episodes and subscribe today:
You're Invited to Participate in the Inaugural 2018 Security Awareness Training Deployment Trends and Usage Survey.

KnowBe4 is running its Inaugural 2018 Security Awareness Training Deployment Trends and Usage Survey. We’re polling IT and Security executives, admins and professionals like yourself on your firm’s experiences regarding key security issues such as training, security spending, and how your organization is responding to still-growing threats like phishing scams.

This is a multiple-choice survey with one Essay question. It should take you about 5 minutes to complete. ALL responses are confidential.

Anyone who completes the survey and includes their email address in the Essay question along with a comment is eligible to receive a complimentary copy of the Executive Summary and the accompanying PowerPoint presentation of the survey results.

The person who provides us with the best Essay comment will win a 100 dollar Amazon gift card. The results will be very interesting and will allow you to compare yourself with your peers.

Thanks in advance for participating in this survey! Here's the link:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"You must be the change you want to see in the world." - Mahatma Gandhi

"A small group of thoughtful people could change the world. Indeed, it's the only thing that ever has."
- Margaret Mead

Thanks for reading CyberheistNews
Security News
Hackbusters - Where Can You Discuss All Things Social Engineering?

The KnowBe4 Hackbuster’s Forum is an online community dedicated to stopping the bad guys that use social engineering to hack your organization.

Our Hackbusters discussion forum is a moderated, spam-free forum primarily for KnowBe4 clients (but also inclusive of your peers interested in social engineering.)

HackBusters contains thousands of messages from KnowBe4 users and our staff. Forum members can post messages to the community or just read through existing threads and Q/A.

Topics: Phishing, Ransomware, Social Engineering, Security Awareness Training Best Practices, Scripting Tools and Other Topics.

We even have some fun by following the latest social engineering dramas on TV and in film. Our favorite is Mr. Robot. Rumor has it that we could see Mr. Robot season 4 in November! You're invited to join the discussion:
University Breach Exposes Nearly Half a Million Individuals' Information

Augusta University in the US state of Georgia has sustained a data breach. Its proximate cause was successful phishing of faculty and administrator emails in two incidents, one last September, and a smaller one last month.

Augusta University Medical is thought, by the best estimates, to have exposed health and other sensitive personal information of some 417,000 individuals. The people who are most at risk are thought to be patients at the Augusta University Medical Center (the teaching hospital for the Medical College of Georgia), the Children's Hospital of Georgia, and over eighty outpatient clinics distributed across the state.

According to the university, the information exposed includes "names, addresses, diagnoses, medications, lab results, dates of birth, treatment information, medical record numbers, medical information, surgical information, dates of service and insurance information." A smaller number of individuals may also have lost social security and driver's license numbers.

This is all bad enough, but these last two incidents aren't one-offs. Augusta University experienced two other significant breaches due to phishing over the last two years, one in 2016, the other in April of 2017. It looks like a systemic problem, and it's certainly a user problem. Universities, like other organizations, cannot assume that their employees can reliably recognize phishing attempts.

They would benefit from regular, interactive training to raise awareness of phishing and other forms of social engineering.

One other note, not stressed in press coverage but worth making: phishing breeds phishing. When criminals have access to large quantities of personal information, they're able to craft the more plausible, more highly targeted attacks they're showing themselves capable of conducting. The Atlanta Journal-Constitution has the story:
Bad Passwords Make Phishing Easier

Mergers and acquisitions are notoriously risky periods in organizational life. This can be especially true when client or employee accounts, or both, from the acquired organization are migrated to the gaining organization's system. This recently happened when the large private tutoring broker SuperProf acquired UK-based Tutor Pages and moved the participating tutors' accounts over to its system.

SuperProf notified its newly acquired tutors that they had a new password associated with their email address that would enable them to access the service's dashboard. Unfortunately, the new credentials they were assigned could be very easily guessed. The passwords all consisted of the word "Super" followed by the user's first name.

To be sure, these passwords are intended to be temporary, but with the attention cybercriminals pay to vulnerable periods like M&A activity, they're by no means safe. It takes only a few minutes to guess and pwn even temporary credentials.
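As an added example (not code from SuperProf or from the original article), the sketch below puts the "Super" + first name scheme described above next to a randomly generated, expiring temporary credential, and audits a migrated account list for passwords that contain profile data. The function names, field names and sample accounts are assumptions made for the illustration.

```python
import secrets
import unicodedata
from datetime import datetime, timedelta, timezone

# Constructed sample of migrated accounts (not real data).
MIGRATED = [
    {"first_name": "Alice", "last_name": "Moreau", "email": "alice.moreau@example.org"},
    {"first_name": "Zoë", "last_name": "Khan", "email": "z.khan@example.org"},
]


def legacy_temp_password(first_name: str) -> str:
    """The weak scheme the article describes: fixed word + first name."""
    return "Super" + first_name


def _fold(text: str) -> str:
    """Lower-case and strip accents/punctuation so 'Zoë' matches 'zoe'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if c.isascii() and c.isalnum()).lower()


def profile_tokens(account: dict) -> set:
    """Attributes anyone who knows the user (or the mailing list) also knows."""
    local_part = account["email"].split("@", 1)[0]
    raw = (account["first_name"], account["last_name"], local_part)
    return {tok for tok in map(_fold, raw) if len(tok) >= 3}


def contains_profile_data(password: str, account: dict) -> bool:
    """True if the password embeds the user's name or mailbox name."""
    folded = _fold(password)
    return any(tok in folded for tok in profile_tokens(account))


def issue_temp_credential(account: dict, ttl_hours: int = 24) -> dict:
    """Random one-off secret that expires and must be changed at first login."""
    while True:
        password = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        if not contains_profile_data(password, account):
            break  # reject the rare random string that happens to embed a name
    return {
        "password": password,
        "expires_at": datetime.now(timezone.utc) + timedelta(hours=ttl_hours),
        "must_change": True,
    }


def audit(accounts, password_for) -> list:
    """Emails of accounts whose assigned password contains profile data."""
    return [a["email"] for a in accounts
            if contains_profile_data(password_for(a), a)]


if __name__ == "__main__":
    weak = audit(MIGRATED, lambda a: legacy_temp_password(a["first_name"]))
    strong = audit(MIGRATED, lambda a: issue_temp_credential(a)["password"])
    print("flagged under legacy scheme:", weak)
    print("flagged under random scheme:", strong)
```
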

Organizations should consider tailored security training that will help them get through the challenges of mergers, acquisitions, re-branding, and reorganization. Interactive, new-school training can help here. Graham Cluley has the story:
Why Phishing Continues to Succeed and What To Do About it

Phishing continues to succeed because people overestimate their ability to recognize it and underestimate how closely targeted it's become. This, in essence, is the conclusion that Diana Kelley, Microsoft's Cybersecurity Field CTO, reached in a discussion with Tech Republic.

Phishing is an old threat, but it remains a major one. Kelley points out that it's evolved to become better crafted and more tightly targeted. She wouldn't even call it "spear phishing" any more. "Laserphishing" might, she thinks, be more descriptive and evocative.

She recommends that organizations consider the people-process-technology triangle when they think about increasing their resistance to phishing: educate your employees, put effective processes in place that help them succeed, and use such technology as will block as many malicious emails as possible.

But remember that some phishing email will penetrate the technology, and so some concentration on the people will be vital.

The sophistication of phishing as it's now conducted is new-school, which should suggest that some new-school training is in order. Employees tend to think they'd never be so naïve as to fall for a phishing scam, but that's because they're unaware of how plausible and persuasive social engineering has become.

Sure, you may not fall for a poorly spelled email that tells you the widow of a Nigerian prince wants to share an inheritance with you, but you may be persuaded to open an invoice or follow a link that relates directly to your job and appears to come from a known customer, vendor, or partner.

This is where realistic, interactive, simulated phishing training pays off. The organization is going to be hit with sophisticated social engineering threats. You are legally required to mitigate this threat with equally sophisticated training. Tech Republic has the story:

And here is a whitepaper that explains the legal concept of having to scale reasonable, appropriate, or necessary measures to reflect the threat:
What the Chatbot Said

Malicious, compromised chatbots are turning up in social engineering campaigns. They're a useful labor-saving device in customer service applications, great for answering customers' simple questions or resolving uncomplicated issues, and doing so without hiring call center personnel.

Unfortunately, compromised chatbots have exploited and undermined the trust businesses have built up with their customers. Attackers have succeeded in spoofing company chatbots and using them to extract sensitive information from customers looking for assistance.

They've also been used to direct callers to malicious sites, where other information is extracted. Keeping software patched and up-to-date is of course important—it was older third-party chatbot code that contributed to the recent Ticketmaster breach in the UK.

But chatbot exploitation is an area in which organizations can help and educate their clients as well as their employees. Some recommendations to consider are instituting multi-factor authentication for customer interaction with chatbots, especially before any personal or payment information is exchanged.

Consider exploring some realistic, interactive training with employees. In this case it can help show where an organization's policies might be falling short. Flashpoint has the story:
What KnowBe4 Customers Say

"Hi Stu! Thanks for the email. Actually, we are LOVING KnowBe4. It was so easy to set up, minus one hiccup that was my fault setting up AD sync -- your tech was so great helping me out with that. Our users say the training so far (Kevin Mitnick 45-minute session) has been really great information, time well spent and actually fun.

We are almost complete with the first training, and I’ll be installing the Phishing Alert Button next. We are also using a weekly “scam alert” along with information I personally push along – like the info you sent out about O365/SharePoint scam. We have plans to start using the Policy Notification program soon as well.

Because of our clients, we have a lot of very strict Information Security Compliance issues. Your program has made it easy to roll out training for such a wide variety of timely topics without the pain of all the emails and nagging.

We have always been stretched thin in IT, and even more so with the recent growth of our company. Your program was exactly what we needed to give our company the added protection of the “human firewall”. I know I made a great choice by deciding to bring your program into our firm.

We are really HAPPY CAMPERS! Thank you!" - J.D., Information Technology Manager

"I have nothing but good things to say about KnowBe4. Hands down one of the best investments I’ve made in building our program. The level of innovation and thought are helping us reduce one of our biggest risk exposures.

I already did a full, glowing review on Gartner’s Peer Insights.

A huge thank you also to whoever got Twist & Shout added to the training catalog. I love their videos and plan to use them at first opportunity." - E.D., Senior Director InfoSec

PS, If you want to see KnowBe4 compared to other products in an objective, vetted platform that makes sure the reviews are fully legit, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. Check Out the Top Cybersecurity Companies of 2018. Especially #11 :-)))

    2. The Untold Story of Notpetya, the Most Devastating Cyberattack in History:

    3. How Microsoft Tackles Russian Hackers—and Why It's Never Enough:

    4. Cybercrime isn't going away, but hacking prosecutions are falling:

    5. USB Harpoon Is a BadUSB Attack With a Twist. Kevin Mitnick was the inspiration:

    6. A+ for ingenuity, F+ for anyone who fell for it. Barclays phish claims cards explode:

    7. What It’s Like to Be a ‘Fancy Bear’ Target:

    8. Phone numbers were never meant as ID. now we’re all at risk:

    9. Universities Are Still Targeted With Phishing Attacks By Iranian Hackers:

    10. China is hacking the same countries it trades with:
Prepared in cooperation with the CyberWire research team.
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
