CyberheistNews Vol 8 #38 [FBI ALERT]: "Cybercrime Uses Social Engineering Techniques to Steal Employee Credentials and Commit Payroll Diversion."


I have some excellent ammo for you which very clearly shows the urgent need for security awareness training. I suggest you send this FBI PSA link below to your InfoSec budget holders.

The FBI warned September 18, 2018 about new criminal campaigns that target the online payroll accounts of employees in a variety of industries.

"Cybercriminals target employees through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account in order to change their bank account information.

Rules are added by the cybercriminal to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. Direct deposits are then changed and redirected to an account controlled by the cybercriminal, which is often a prepaid card."

The FBI has 9 suggested mitigations for scams like this, starting with:
    1. Alert and educate your workforce about this scheme, including preventative strategies and appropriate reactive measures should a breach occur.

    2. Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from.

We could not agree more! Read the other 7 mitigation recommendations at the FBI's IC3 site and remember to send this link to your budget holders:
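Mitigation #2 can be automated for mail that has already landed in a mailbox. The added Python example below (not from the FBI PSA or from KnowBe4) extracts every hyperlink from an HTML message, shows the destination a hover would reveal, and flags links whose real host is not the company's payroll provider or whose visible URL text disagrees with where the link actually goes. The provider domain payroll.example and the sample message are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the company's real payroll provider lives under this domain.
TRUSTED_DOMAIN = "payroll.example"

class LinkCollector(HTMLParser):
    # Collects (visible text, href) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    # Lower-cased host of a URL, or of bare "host/path" link text.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".")

def same_site(host, trusted):
    return host == trusted or host.endswith("." + trusted)

def suspicious_links(html, trusted=TRUSTED_DOMAIN):
    # Returns (visible text, real host, reason) for every link failing the check.
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real, reasons = host_of(href), []
        if not same_site(real, trusted):
            reasons.append("destination is outside " + trusted)
        # Visible text that itself looks like a URL must point where it claims.
        if ("://" in text or ("." in text and " " not in text)) and host_of(text) != real:
            reasons.append("visible URL text differs from real destination")
        if reasons:
            findings.append((text, real, "; ".join(reasons)))
    return findings

# Constructed sample: a deceptive link whose display text shows the trusted
# site while the href goes to a look-alike host, then a legitimate link.
SAMPLE_EMAIL = """<p>Your direct deposit details need re-verification.</p>
<p><a href="http://payroll.example.com-login.test/verify">https://payroll.example/login</a></p>
<p><a href="https://sso.payroll.example/account">Review your account</a></p>"""
```

Calling suspicious_links(SAMPLE_EMAIL) reports only the first link, with both reasons attached; the check does not follow redirects or shorteners, so a link that passes still deserves the hover.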
THURSDAY ANNOUNCEMENT: Brand New Tool You Should Check out Immediately

On Thursday September 27 we are releasing a new, complimentary tool that you really should run ASAP. When I saw the results I was quite surprised. I'm sharing them with you in the PDF below. Schedule 10 minutes of your time this Thursday!

Introducing: Domain Doppelgänger, which makes it easy for you to identify potentially harmful domains and combines the search, discovery, reporting, risk indicators, and end-user assessment and training all in a single, no-charge, easy-to-use web-based tool.

With Domain Doppelgänger you can identify look-alike domains that can spoof your brand, product, or organization names and receive data-driven risk assessments you can use if you need to take action!

  • Identify existing and potential domains that can spoof your brand, product, or organization names
  • Discover what types of look-alike domains are available or have been registered
  • Find out whether these domains have active web or mail servers associated with them
  • Data-driven risk assessments you can use if you need to take action!
    • Look-alike domain assessments with risk indicators
    • User assessments show how vulnerable your users are and help you understand your users' ability to identify “safe” domains

Domain Doppelgänger helps you easily identify look-alike domains and presents different characteristics these domains may have such as active mail servers, active web servers, or private registrations.

Here are the results when we ran this on the KnowBe4 domain for the first time. It was a bit of a wake-up call. Gulp. Make sure to get yours this Thursday:
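To illustrate the kind of look-alike detection a tool like this performs, here is an added Python example (not KnowBe4's code and not how Domain Doppelgänger is implemented) that screens a feed of candidate domains against a brand domain and reports why each one resembles it: glyph or separator substitutions, the same name under another TLD, the brand embedded in a longer label, or a name within two edits of it. The brand acmecorp.com and the candidate list are constructed; checking for live mail or web servers and private registrations would need network lookups and is out of scope here.

```python
# Constructed brand used throughout; substitute your own registered domain.
BRAND_DOMAIN = "acmecorp.com"

# Glyphs commonly swapped in look-alike registrations; folding each to one
# canonical form lets "acrnec0rp" compare equal to "acmecorp". Multi-character
# entries come first so they are folded before the single characters.
GLYPH_MAP = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def canonical(label):
    """Lower-cased label with separators removed and look-alike glyphs folded."""
    label = label.lower().replace("-", "").replace("_", "")
    for src, dst in GLYPH_MAP.items():
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """(second-level label, tld); naive: multi-part suffixes like co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")

def indicator(candidate, brand_domain=BRAND_DOMAIN):
    """Why `candidate` resembles the brand domain, or None if it does not."""
    brand, brand_tld = split_domain(brand_domain)
    label, tld = split_domain(candidate)
    if (label, tld) == (brand, brand_tld):
        return None                       # the brand's own domain
    b, c = canonical(brand), canonical(label)
    if label != brand and c == b:
        return "glyph or separator variant of the brand name"
    if label == brand:
        return "brand name under a different TLD (." + tld + ")"
    if b in c:
        return "brand name embedded in a longer label"
    d = levenshtein(b, c)
    return "within %d edits of the brand name" % d if d <= 2 else None

def screen(candidates, brand_domain=BRAND_DOMAIN):
    """Map each flagged candidate domain to its risk indicator."""
    return {d: indicator(d, brand_domain) for d in candidates if indicator(d, brand_domain)}

# Constructed sample of newly seen registrations to screen against the brand.
CANDIDATES = ["acmecorp.com", "acrnec0rp.com", "acme-corp.net", "acmecorp.co",
              "acmecorp-login.com", "acmecrop.com", "weatherreport.org"]
```

screen(CANDIDATES) flags five of the seven; short brand names will produce more edit-distance false positives, so treat the indicator as a triage signal rather than a verdict.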
WSJ: "Forget Passwords. It’s Time for Passphrases."

Mr. Henry Williams is a deputy editor for The Wall Street Journal in New York, and he reported on something we also recently recommended. Here is an excerpt with a link to the full article at the end. You should forward this to your C-suite:

"Two researchers say they have come up with a system that makes passphrases more secure and practical.

We all know the drill: When signing up at a website, you’re told to choose a password. It has to be at least a certain number of characters. It must contain letters and at least one number and perhaps at least one special character. Oh, but some special characters aren’t acceptable.

The death of complicated passwords—which are both hard to remember and not that secure—has been forecast for years, but reality hasn’t quite caught up yet. Now, however, two researchers have developed an idea for replacing passwords with more-secure passphrases that people will actually remember and use.

Kevin Juang, a former doctoral student at Clemson University, and his co-author and adviser, Joel Greenstein, have created a working prototype of an online system for websites and their registered users to replace passwords with randomly generated passphrases that in theory, in combination with other cues, will be much easier to remember and to enter accurately." Story continued at the KnowBe4 blog:

And while we are at this topic, here is a brand new column by Roger Grimes at CSO: "The best password advice right now. Short and crackable vs. long, complex and prone to reuse? The password debate rages on."
Why You Want to Grab the New RanSim Right Away: Cryptojacking

Bad guys are constantly trying to evade detection, releasing new strains of ransomware and now cryptomining variants as well.

Cryptojacking—threat actors placing illicit cryptocurrency miners on your network—is a growing threat to enterprise IT according to a just-released report from the Cyber Threat Alliance (CTA). CTA members have seen cryptominer detections increase 459% from 2017 through 2018 and there's no sign that the rate of infection is slowing.

That’s why we’ve updated our Ransomware Simulation tool “RanSim” to include a new cryptomining scenario!

This new scenario simulates a Monero cryptocurrency-mining operation on the local machine. Monero is the cryptocurrency most commonly mined by real-world malware, and mining it takes a lot of CPU and GPU cycles to process the data necessary to generate the currency.

Try KnowBe4’s NEW Ransomware Simulator version and get a quick look at the effectiveness of your existing network protection against the latest threats. RanSim will simulate 13 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable to infection.

Here's how RanSim works:
  • 100% harmless simulation of real ransomware and cryptomining infection scenarios
  • Does not use any of your own files
  • Tests 14 different types of infection scenarios
  • Just download the install and run it
  • Results in a few minutes!
This is complimentary and will take you 5 minutes max. RanSim may give you some insights about your endpoint security you never expected!

You want to do this right away, before your AV vendor makes the mistake of flagging this executable and blocking it as a false positive.

Download Now:
See Ridiculously Easy Security Awareness Training and Phishing in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a 30-minute live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 20,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, October 3, 2018, at 2:00 p.m. (ET) Save My Spot!
WSJ: "Social Engineering, Just a Call Away."

Another highly relevant story in the Wall Street Journal.

"An email arrives, and you think it’s from your boss. Because it has your boss’s name on it, there's a huge psychological response, and you tend to do what is requested. After a cordial exchange comes the real request, five magic words, “can you help me out.” Suddenly, you're transferring assets, never to be seen again.

Social engineering is getting people to do things they would ordinarily not do. It has replaced malicious software as hackers' weapon of choice. In addition to phishing emails, some hackers have taken to the phone, making calls to impersonate a colleague, usually one in need of help.

Kathryn Sherman, a supervisory special agent with the FBI, noted that social engineering is the easiest tool in a hacker’s arsenal. Most information for the spoof is available for no charge, online. Less technical hackers are using their manipulative skills to get information that is used to defraud.

Social engineering is used to initiate a third of all cyberattacks. This is up from nineteen percent five years ago." Continued at the KnowBe4 blog, including links:
Last Chance: Try Weak Password Test for a Chance to Win a Nintendo Switch

Are your users’ passwords…P@ssw0rd? Verizon's Data Breach Report showed that 81% of hacking-related breaches used stolen and/or weak passwords.

Employees are the weakest link in your network security. KnowBe4's Weak Password Test checks your Active Directory for 10 different types of weak password related threats and reports any fails so that you can take action. Plus you’ll be entered to win a Nintendo Switch!

This will take you 5 minutes and may give you some insights you never expected. Hurry, offer ends September 30th!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The saddest aspect of life right now is that science gathers knowledge faster than society gathers wisdom." - Isaac Asimov

"Never let your sense of morals prevent you from doing what is right." - Isaac Asimov

Thanks for reading CyberheistNews
Security News
Workers in Europe, the Middle East, and Africa Exhibit Security Fatigue

Employees across Europe, the Middle East, and Africa (EMEA) have the worst cybersecurity discipline in the world, according to a study by Aruba, a Hewlett Packard Enterprise Company. The survey found that 56 percent of employees in these regions don’t think about cybersecurity on a regular basis, and 36 percent believe security is someone else’s problem.

The study also found that workers in EMEA are generally more aware of security risks and consequences than people in the Americas and Asia, but still take fewer actions to mitigate those risks.

Morten Illum, VP EMEA at Aruba, says this discrepancy may be a result of security fatigue as workers are overwhelmed by the amount of advice and directives they receive. “Employees in EMEA have been inundated with security messaging through their organizations, as well as the media,” he says.

“Clearly giving further warnings and adding procedures isn’t having the desired effect.” Illum recommends that companies invest in more advanced security technologies that will keep organizations safe regardless of employee behavior.

While security software systems are critical in protecting an organization, perfect technical solutions don’t exist and probably never will. Attackers will always find ways to exploit employees' good nature, inattention, or simple fatigue. New-school security awareness training can help employees form good cybersecurity practices so that security discipline becomes a habit rather than a nuisance. AMEInfo has the story:
When Does Effective Persuasion Become Manipulation?

There’s a fine but clear line between ethical and unethical persuasion, says Joe Gray, a security consultant from the “Advanced Persistent Security” blog and podcast. Gray recently appeared on the CyberWire’s Hacking Humans podcast to discuss the distinction between influence and manipulation.

Influence, he says, is the practice of using fair and honest persuasive tactics to guide someone to a mutually beneficial conclusion through their own free will. Manipulation, on the other hand, uses dishonest, underhanded methods to exploit someone for the advantage of the manipulator.

“I look at it from the perspective of, are they doing this ethically? Are they just trying to hit the high notes and do what they're supposed to do? Or are they going underhanded to try to manipulate? Because I see a distinct difference between influence and manipulation, manipulation being a little bit more on the malicious side, influence being more of the idea of, I'm going to give you this information and have you form the opinion of your own cognition.”

According to Gray, both ethical and unethical persuaders rely heavily on Robert Cialdini’s six principles of persuasion to accomplish their goals. For example, when he wants to establish his credibility, Gray will say he is operating under the authority of some leader in the organization. This is a psychological tactic meant to improve his standing in the mind of the targeted individual and can be used either harmlessly or deceitfully.

When asked what people can do to recognize when someone is trying to manipulate them, Gray replied: “Be cognizant of what people are asking, even if they're not truly asking. It may be something to build a rapport. I'm not saying go off and be rude to people because that does no one any good. But just be cautious about it.

Like, from the perspective of emails, if you get an email that just seems too good to be true or it's unsolicited, it's out of context, it's not the right timing, misspelled words or something, forward it to your information security team or actually reach out to your information security team.”

A large portion of human interaction is persuasion in some form or another. Interactive awareness training can help people resist malicious influence by teaching them to detect when persuasion turns into manipulation. Hacking Humans has the story:
Account Takeover Attacks Ramping up, Leading to Explosion of Phishing

ATO attacks steal a person's credentials and use them to send emails from their account, according to a recent Barracuda Networks report.

Account takeover attacks (ATO), in which a person's credentials are stolen and used to send emails from their real account, often result in phishing attacks being sent from the victim's account, according to a Barracuda Networks report, released Thursday. Out of the 60 total ATO incidents recorded, 78% led to phishing emails, said the report.

Barracuda randomly selected 50 organizations to study from April to June 2018. The goal of the study was to analyze ATO attacks, which are much less likely to be blocked by security systems that filter for domain, sender, or IP reputation, said the report.

Phishing attacks are typically used to infect additional email accounts, the report said. Oftentimes these attacks appear as messages from a real user asking the recipient to click on a link. Not only did the study unveil a large number of phishing attack attempts, but hackers also used the stolen credentials to deploy spam campaigns.

Barracuda's two takeaways for tech leaders:
  • Account takeover attacks (ATO) are on the rise, and most (78%) result in phishing attacks within companies.
  • 22% of ATO incidents target sensitive departments, meaning businesses must stay updated on cybersecurity efforts.
Full article at TechRepublic:
What KnowBe4 Customers Say

"So far so good. Everyone is REALLY liking this new platform. The training is going really well. The emails are also awesome too! At our previous vendor we didn’t have an account manager that helped us set up the system, so your process made it much easier and better to get going. Not to mention the content is better.

I have to say we are very impressed so far and are very happy with our decision to switch vendors. I know we will get a lot more out of your platform! Thanks for the follow up!"
- M.S., System Administrator

"Hi Stu, Thanks for checking! I am very pleased with the results and the service. We went from a 72.4% failure rate before training down to 5.6% after...that's amazing! The training definitely works."
- O.S., Instructional Director

PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
The 10 Interesting News Items This Week
    1. Phishing Is the Internet’s Most Successful Con:

    2. Bristol Airport blames ransomware attack for taking departure boards offline for two days:

    3. Unpatched systems at big companies continue to fall to WannaMine worm:

    4. The best password advice right now. Short and crackable vs. long, complex and prone to reuse? The password debate rages on:

    5. Europol: Ransomware Will be Top Threat for Years:

    6. Wyden warns foreign gov’t cyberattacks aimed at personal accounts of senators, aides:

    7. ICO issues its first GDPR fine:

    8. SMBs Fear Phishing, Fall Short on Cyber Training:

    9. DMARC Policies for Make Spoofing Emails Easier:

    10. Evolution of the Cybercrime-as-a-Service Epidemic:

    11. BONUS: Hacker gets a whopping 14 years in prison for running Scan4You service:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • A Classic From the archives! Cool video made by an astrophysicist shows a woman relaxing on the grass - before zooming out to show the universe one billion light years away. This video will change your perspective on life:

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
