CyberheistNews Vol 8 #36 Finally, KnowBe4 Was Spoofed by Bad Guys. Expected That for Years.

When you become the worldwide No.1 player in your field with tens of thousands of organizations using your platform, you get on people's radar. Both the good guys and the bad apples.

The bad guys see a target they can exploit, so for the last few years I've been waiting for a criminal spoof of KnowBe4, wondering why it was taking them so long, but finally it's here.

They are targeting you, the IT Pro with the keys to the kingdom

The text of this credentials harvesting phishing email has obvious errors and problems. It makes a half-hearted attempt to talk to both the end-user and the system admin, but ultimately it is a social engineering attack on the person with domain admin rights.

An IT pro who is distracted by the 16 fires they are putting out might initially get tricked by this one if they forget to hover over the link.

However, after clicking the button, when you wind up at this spoofed Microsoft login page you for sure know that something is amiss! Nice try Mr. Bad Guy, but no cigar.

This is a fairly transparent attack that would not fool anyone who has stepped through our new-school security awareness training program.

If the attacker knew who KnowBe4 customers were, they could target them specifically, but like any InfoSec company we never disclose those. Your security is the No. 1 thing we keep in mind with everything we do.

As far as we can see, KnowBe4 is the only simulated phishing and awareness training platform that is SOC 2 Type 2 certified. We believe they all should be. KnowBe4 also recently implemented a bug bounty program.

I recommend you have a look at our page dedicated to your security.

It starts out with: "We here at KnowBe4 would like to make a few things clear with respect to security. First, we respect your privacy and take significant efforts to protect all your data. Second, we would never do anything with your data that we wouldn’t want you to do with ours. Third, we are a security company built and operated by highly security-minded individuals.

Keeping our customers' data secure is the most important thing KnowBe4 does. We go to considerable lengths to ensure that all data provided to KnowBe4 is done so securely - keeping KnowBe4 systems and your data secure is fundamental to our business." Please read this page to see what we do to keep your data secure:

When you rise to the top, a few bad hats will try to tear you down. As we all know, the price of freedom is eternal vigilance and a willingness to act in its defense. So, we consider attacks like this as a badge of honor, and they only inspire us to keep expanding and give you fantastic service.

Blog post with links and screen shots here:

Advanced Malware Targets the Telecom Sector and Bypasses Antivirus

The telecommunication service industry is experiencing more advanced malware threats than any other industry group. Researchers at Lastline discovered that ninety percent of malware samples submitted by their customers in the telecom industry had not previously been submitted to VirusTotal.

The global average is sixty-five percent. Additionally, one in ten of these samples exhibited advanced capabilities, compared to the global average of one in twelve.

The researchers believe that the deviation may be a result of the sector’s defenses being more effective, forcing attackers to use innovative methods to be successful. Consequently, the industry is faced with constantly evolving attack campaigns that are explicitly designed to avoid detection by updated systems.

Interestingly, all the malware samples analyzed by Lastline were delivered using just fifteen file types, while the global average is forty. In most cases, the malware appears as a Rich Text Format (RTF) document, although archive file types are also popular. These file types are email-related, as email is the primary vector of compromise in the sector.

This discovery highlights the importance of the end-user as your last line of defense. Even the best antivirus would fail to detect the vast majority of these threats. Earlier this year, Symantec more or less admitted that antivirus is dead.

Your employees need new-school, real-world, interactive security awareness training to prevent this advanced malware from gaining access in the first place. Blog post with links:

Here Is a Way to Get Audits Done in Half the Time and Half the Cost

Join us for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an affordable and easy-to-use compliance management tool.

Save Your Spot! Choose the best date and time for you:

Wednesday, September 12th at 1:00 PM (ET)

Thursday, September 13th at 11:00 AM (ET)

Size Still Doesn’t Matter Especially When it Comes to CEO Fraud

Lloyds Bank says that Business Email Compromise (BEC)—also known as CEO fraud—rose by 58% in the UK over the past year. While BEC is often associated by the media with large firms, Lloyds’ results show the contrary: about half-a-million small and medium enterprises were victims.

These smaller organizations lost an average of £27,000 each time they were hit with an impersonation scam. The organizations most affected were, in order, law firms, human resources departments, IT workers, and financial firms.

Lloyds thinks the actual rate of attack may be higher than what they reported. Their study is of course based on the self-reporting of victims, and Lloyds believes that as many as one in twenty victims conceals their mistake to avoid embarrassment in front of colleagues.

The scammers almost half the time represent themselves as the CEO or the equivalent of the organization, but that impersonation has been overtaken by fraudsters pretending to be suppliers. Some 52% of the scams represented themselves as requests from vendors.

We've mentioned before that small and medium businesses are attractive targets for fraud. This survey, while confined to British organizations, is consistent with what other recent studies by Barracuda, Proofpoint, and the FBI have found elsewhere.

It’s also more evidence that there’s no safety in hiding in plain sight. No organization is too small to be worth some criminal’s time and attention. None is too big for some criminal to take on. And no organization is too small or too large to benefit from tailored, interactive security awareness training. Infosecurity Magazine has the story:

Live Webinar: The Quantum Computing Break Is Coming... Will You Be Ready?

Quantum computing is a game-changer and will have a huge impact on the way we do business, safeguard data, explore space, and even predict weather events.

Yet, some experts say in the not so distant future quantum computers will break existing public key cryptography forever.

On that digital day of reckoning, every stored secret protected by traditional public key crypto will be broken forever; including TLS, digital certificates, PKI, SSH, RSA, most wireless networks, VPNs, online financial transactions, and even bitcoin and blockchain. All of it made worthless in a second…

Join Roger Grimes, KnowBe4 Data-Driven Defense Evangelist, as he explores the way bad guys will be able to use more secrets against you than ever before, especially in increasingly sophisticated spear-phishing attacks.

Attend this exclusive event to learn what you can do to prepare.
  • Why quantum computing is different than traditional binary computing
  • How close quantum computers are to breaking traditional public key cryptography
  • What defenses you can deploy after public key cryptography is broken
  • How to prepare your users - your best, last line of defense
The quantum computing break is coming. Will you be ready?

Date/Time: Wednesday, September 19th at 2:00 PM (ET)
Save My Spot!

Try This Weak Password Test for a Chance to Win a Nintendo Switch

Are your users’ passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used stolen and/or weak passwords. Employees are the weakest link in your network security.

KnowBe4's no-charge Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action. Plus you’ll be entered to win a Nintendo Switch!

This will take you 5 minutes and may give you some insights you never expected.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: You're invited to participate in The Inaugural 2018 Security Awareness Training Deployment Trends and Usage Survey! Should take 5 minutes, the link is here:

Quotes of the Week

"Life is really simple, but we insist on making it complicated." - Confucius, Philosopher

"In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing." - Theodore Roosevelt, U.S. President

Thanks for reading CyberheistNews

Security News

GDPR and the Dog That Didn't Bark?

The enforcement of GDPR has had no immediate effect on global levels of spam, despite previous warnings that the regulations would cause a spike in undetected phishing domains.

Researchers at Recorded Future found that, on May 1, the total number of emails sent was 433 billion, 85 percent of which was spam. On August 1, more than two months after GDPR was implemented, the percentage of spam remained the same at 85 percent.

The GDPR, which went into effect on May 25, prohibits WHOIS from publishing identifiable information about domain registrants. Some experts warned that this would make it much more difficult for security researchers and anti-spam technologies to identify domains associated with spam.

Others have disputed the importance of WHOIS data, citing the fact that criminals almost always use fake information to register their domains. Consequently, when a malicious domain is identified or taken down, the owner will simply register a new domain under a different name.

The research from Recorded Future appears to support the latter theory. While spam continues to constitute the vast majority of emails, the loss of publicly available WHOIS data has not spurred an increase. Thus the situation remains as it was, and interactive, new-school security awareness training is still a solid bet to help employees recognize threats before they let them in. The Register has the story:

Vigilance Isn't Insubordination

Impersonation of high-level business executives' email accounts is on the rise, and organizations stay safer if they trust, but verify. This is a lesson we see as we take another look back at Verizon's data breach report. Verizon looked at more than 55,000 data breach attempts in 65 countries and found, among other things, that CEO impersonation is trending.

Finance and HR are generally the landing points of choice for these frauds. The scammer asks for wire transfers of cash from the finance people, and the HR workers are asked to hand over confidential employee information.

Of course there is, as in most email CEO scams, a great deal of urgency to carry out the electronic directive.

Verizon's report notes that these scams are lucrative, resulting in “numerous six figure losses.” The number of pretexting scams has tripled to reach 180 in 2018. The best way to avoid falling victim to these schemes is to develop policies that preclude them, such as never requesting wire transfers by email, and to train employees in both the policies and the probable threats.

A little healthy skepticism goes a long way, and the C-suite should be reminded to treat such employee caution as a good thing, and not insubordination. Make sure this is part of your security culture.

Business Insider has the story:

LinkedIn as a Recruiting Tool for Spies

US Counter-Intelligence Chief William Evanina said Chinese agencies are using fake LinkedIn accounts to run a large recruitment campaign for spies within the United States.

While he did not say how many of these accounts had been discovered, Evanina confirmed that the campaign involved contacting thousands of LinkedIn users at once. Noting that Twitter recently shut down millions of fake accounts, he suggested that LinkedIn follow Twitter’s example.

Germany and the UK have previously issued warnings about Chinese espionage actors on LinkedIn, but this is the first time a US authority has publicly acknowledged the problem.

One current espionage case is generally regarded as one in which Chinese intelligence services recruited an agent via LinkedIn, so the warning isn't purely theoretical. In June, former CIA officer Kevin Mallory was convicted of conspiring to commit espionage for China.

Mallory had received a LinkedIn message in early 2017 from someone in China who claimed to be a headhunter. This individual put Mallory in contact with Chinese intelligence officers, and Mallory agreed to sell them US defense secrets. Mallory will be charged in September and could face a life sentence.

In addition to Mallory, four other US officials have been charged with spying for China in the past two and a half years. Evanina said more cases are under investigation, but did not give details.

Joshua Skule, the FBI’s Executive Assistant Director for Intelligence, said that 70 percent of Chinese espionage in the US is targeted at the private sector. Many of the targeted individuals are experts in high technology fields, including supercomputing, nanotechnology, nuclear energy, and defense technology.

Chinese espionage actors often use bribes or fake business propositions to draw their targets in. Employees should always be wary of unsolicited contact, even if the interaction seems normal. Reuters has the story:

Vigilance, Passcodes, and PINs the Best Defense Against SIM Swaps

Attackers are using SIM swaps to take advantage of SMS-based verification. A recent string of Instagram takeovers, a cryptocurrency scam costing an investor over $23 million in tokens, and reports of hijackers stealing thousands of dollars from personal checking accounts are all attributed to SIM swapping.

SIM swaps are a type of fraud where hackers steal your mobile identity by switching out your smartphone’s SIM card. In its most basic form, a hacker uses social engineering to manipulate a mobile carrier service rep to switch your phone number to a SIM card the hacker owns. Once this is done, scammers can divert incoming messages and easily break through your two-factor authentication.

Allison Nixon, a threat researcher at Flashpoint, says if a SIM hijacker targets you and has the skills to accomplish the task, there is little you can do to stop them. Proper security protocols on your part will not necessarily prevent your mobile carrier from being fooled.

Flashpoint found some instances where SIM hijackers were able to enlist the help of mobile store employees to gain access to protected accounts. To fix the SIM swap dilemma, the role of telephone numbers as a means of identification needs to change.

Until app developers decide on a universal identifier besides the mobile phone number, we must all do our part to make sure our accounts are secure. Mobile carriers offer instructions on how to add PIN numbers and passcodes to mobile accounts, which adds an extra layer of protection. It’s also wise to use an authentication app instead of text message verification, wherever possible.

If your organization has a BYOD (Bring Your Own Device) policy, it’s worth investing in new-school security awareness training that will help employees understand how to protect themselves and the company’s network from SIM swaps. WIRED has the story:

What KnowBe4 Customers Say

"Brittany Campos and Sari Graham have done a phenomenal job assisting with getting things up/running. I love the KnowBe4 service, UI, content, and additional settings that I have been able to customize to meet our organizational needs.

As Brittany and Sari can tell you, our initial baseline test was an eye-opener, netting just about everyone in the organization with a customized phishing email regarding new General Manager applicants from our HR Director.

Remediation and additional training followed to help build up cyber awareness defenses in our staff. All in all… super product and I’m certainly a “happy camper.” - K.J., Information Technology Supervisor

"Hi Stu, I have been using the service for a couple of months now and I find it very well designed and intuitive. No complaints and I am recommending it to people around me. Best," T.C., CTO

PS, If you want to see KnowBe4 compared to other products in an objective, vetted platform that makes sure the reviews are fully legit, check Gartner Peer Insights:

The 10 Interesting News Items This Week
    1. USA Is the Top Country for Hosting Malicious Domains According to Report:

    2. Feds Charge a Russian With Hack of 80 Million JP Morgan Customers:

    3. British Airways hacked, attackers stole details of 380,000 customers:

    4. U.S. Charges North Korean Over Lazarus Group Hacks:

    5. TensorFlow Tutorial For Beginners. I recommend you watch the video!

    6. Bruce Schneier: "For safety’s sake, we must slow innovation in internet-connected things":

    7. Here’s how hackers can install malware on your Mac through Safari:

    8. Lance Spitzner’s thoughts from the last SANS Awareness Summit. Good read!

    9. Phishing for political secrets: Hackers take aim at midterm campaigns:

    10. Defense Department pledges billions toward artificial intelligence research:
Prepared in cooperation with the CyberWire research team.
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
