CyberheistNews Vol 8 #43 [INFOGRAPHIC] KnowBe4 Top-Clicked Phishing Email Subjects This Third Quarter


The latest results of KnowBe4's quarterly top-clicked phishing email subjects are now available. We report on three categories: general emails, social media related subjects, and 'in the wild' attacks, whose subjects come from the millions of users who click our Phish Alert Button on real phishing emails and let our team analyze the results.

Make Your Users Think Before They Click!

Sharing these specific subject lines with users lets them know what is currently working for the bad guys and what they should be watching out for. In many cases the top subjects repeat quarter over quarter, so looking not just at the subjects but also at the reasons so many people clicked helps users stay vigilant and Think Before They Click.

Security-themed Messages Continue to Bypass Security Defenses

“Hackers are leveraging an individual’s desire to remain safe or well informed by playing into his/her mind,” said Perry Carpenter, chief evangelist and strategy officer, KnowBe4. “They do this by making someone believe they are at risk or that something needs immediate attention.

These types of attacks are effective because they cause a person to simply react before thinking logically about the legitimacy of the email. Managing the ongoing problem of social engineering is becoming more and more difficult as hackers play into human emotions by causing feelings of alarm or curiosity.”

Download the InfoGraphic with Top Phishing Messages This Quarter here and send it to your users as a good summary of National Cyber Security Awareness Month:

Your Resource Kit for National Cybersecurity Awareness Month and Beyond

National Cybersecurity Awareness Month is a great time to educate yourself and your users. And then make sure you keep it up year-round. Not sure where to start? We've got you covered! We'll send you a set of resources that you can use to help your users make smarter security decisions every day.

Here is what you'll get:
  • Resources to share with your users including infographics, awareness posters and helpful tip sheets
  • Access to multiple resources for you including some of our most popular on-demand webinars, whitepapers and guides
  • Printable assets that you can use to promote cybersecurity awareness in your organization
  • Free interactive training module for your users on "Risks of Social Media Sharing" (Limited Time)
Send Me My Kit!

NEW Webinar: How to Make Your Cybersecurity Awareness Program Stick Year-Round:

National Cybersecurity Awareness Month (NCSAM) is almost over, and hopefully, you've had some great events and success stories. But no matter how good it has been, a 'once-and-done' event will never create sustainable behavior change in your organization. Don't fall victim to the tendency to put all your energy, budget, and hopes into NCSAM.

KnowBe4's Chief Evangelist and Strategy officer, Perry Carpenter, shares practical strategies for creating awareness programs that work year-round. On-demand now!

KnowBe4 Partners With WSJ and ESI Thought Labs in Cyber Security Study

This year, KnowBe4 partnered with the WSJ and ESI Thought Labs to evaluate trends in the frequency and impact of cybersecurity incidents.

ESI Thought Lab surveyed 1,300 organizations with revenues ranging from under US$1 billion to over US$50 billion, across multiple industries in APAC, Europe, the US/Canada and Latin America.

The 2018 Cybersecurity Imperatives Study highlights changes in security spending, sources of cyberattacks, as well as action plans and employee training practices that organizations have implemented in order to mitigate breaches. Cyberthreats affect organizations of all sizes; as cybersecurity incidents remain prevalent in today’s news, companies are investing more money and time into their security systems.

Most executives around the world see untrained staff as the greatest cyber risk

The majority of executives (87%) around the world cite untrained staff as the greatest cyber risk to their business. Compounding this finding is the fact that staff training is ranked among the categories to have made the least progress when measured against the NIST cybersecurity framework.

Anthony Dagostino, global head of cyber risk, Willis Towers Watson said: "Leaders in cybersecurity are devoting significant resources towards protecting IT and risk functions within their organizations against external threats, but employee processes and training as well as corporate culture play a more integral role than many realize.”

As the report highlights, “The vast majority of cyber incidents result from employee behavior and human error,” Dagostino says: “In addition to mitigating cyber threats through technology and risk transfer, cyber managers need to take a step back and assess their organizations' cyber defenses within. Cyber managers must adopt a continuous assessment strategy, one that focuses on the overall culture of engagement, talent preparedness and the role of technology and risk transfer.”

Other Key Findings:
  • Security budgets continue to rise. Fifty-nine percent of organizations said their security budget had increased in the past year, and the average annual budget for IT security is $15 million.
  • Enterprises are hit much harder by cybersecurity events, experiencing an average of 196 events per year, compared to SMBs, who experience 24 on average.
  • Three-quarters of cybersecurity attacks stem from outside sources, and hackers prove to be the greatest cyberthreat, accounting for 27% of overall attacks.
  • 78% of enterprises have a formal incident response plan in place, compared to only 53% of SMBs. Overall, 44% of organizations test that plan at least once per year.
  • Ninety-five percent of organizations provide security awareness training to their employees at least once per year. When asked who was most in need of security awareness training, 55% of security decision-makers said their C-level executives were.
Here is the link to the WSJ Pro Cybersecurity landing page:

Additionally, here is the link to the ESI ThoughtLab landing page:

See Ridiculously Easy Security Awareness Training and Phishing in Action!

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5 - 15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 21,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, November 7, 2018 at 2:00 p.m. (ET)
Save My Spot!

LAST CHANCE: Find out If Your Domain Has an Evil Twin and Enter for a Chance to Win Beats Headphones

Since look-alike domains are a dangerous vector for phishing and other social engineering attacks, it’s a top priority that you monitor for potentially harmful domains that can spoof your domain.

Our NEW Domain Doppelgänger tool makes it easy for you to identify your potential “evil domain twins” so you can take action now. Plus, you'll be entered to win two pairs of Beats Solo3 Wireless Headphones*, one for you and one for your doppelgänger.

With Domain Doppelgänger, you can:
  • Search for existing and potential look-alike domains
  • Get a summary report that identifies the highest to lowest risk attack potentials
  • Generate a real-world “domain safety” quiz based on the results for your end users
This is a complimentary tool and will take you only a few minutes. Domain Doppelgänger helps you find the threat before it is used against you.
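The "search for existing and potential look-alike domains" step above is easy to reproduce in a few lines. The following is an added example, not the code behind KnowBe4's Domain Doppelgänger tool; it generates the common typosquat classes (character omission, repetition, transposition, hyphenation, ASCII homoglyph substitution and TLD swaps) for a domain and ranks them from highest to lowest risk. The homoglyph table, the alternative TLD list and the per-technique risk weights are assumptions chosen for illustration, and the Cyrillic 'о' example shows why candidates should also be checked in their IDNA (xn--) form.

```python
from typing import Dict, List, Tuple

# Visually confusable ASCII substitutions. Assumption: a real scan would also
# cover Unicode confusables (Cyrillic/Greek look-alikes) via an IDN table.
HOMOGLYPHS: Dict[str, List[str]] = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "o": ["0"],
    "s": ["5"], "g": ["q", "9"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
# Assumed alternative TLDs an attacker might register instead of the real one.
ALT_TLDS = ["com", "net", "org", "co", "io", "info", "biz"]
# Assumed ranking, highest first, to produce a "highest to lowest risk" summary.
TECHNIQUE_RISK = {
    "homoglyph": 5, "omission": 4, "transposition": 4,
    "repetition": 3, "hyphenation": 2, "tld-swap": 1,
}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'knowbe4.com' into ('knowbe4', 'com'); multi-label TLDs are out of scope."""
    name, sep, tld = domain.strip().lower().rpartition(".")
    if not sep or not name or not tld:
        raise ValueError(f"expected name.tld, got {domain!r}")
    return name, tld


def generate_lookalikes(domain: str) -> Dict[str, str]:
    """Return {candidate_domain: technique} for common typosquat/homoglyph variants."""
    name, tld = split_domain(domain)
    original = f"{name}.{tld}"
    found: Dict[str, str] = {}

    def add(label: str, technique: str) -> None:
        cand = f"{label}.{tld}"
        if label and cand != original and cand not in found:
            found[cand] = technique

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")                 # knwbe4
        add(name[:i] + ch + name[i:], "repetition")              # knoowbe4
        for glyph in HOMOGLYPHS.get(ch, []):
            add(name[:i] + glyph + name[i + 1:], "homoglyph")    # kn0wbe4
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")  # konwbe4
        add(name[:i + 1] + "-" + name[i + 1:], "hyphenation")   # know-be4
    for alt in ALT_TLDS:
        if alt != tld:
            found.setdefault(f"{name}.{alt}", "tld-swap")
    return found


def risk_report(domain: str) -> List[Tuple[str, str, int]]:
    """Candidates sorted from highest to lowest assumed risk, then alphabetically."""
    rows = [(cand, tech, TECHNIQUE_RISK[tech])
            for cand, tech in generate_lookalikes(domain).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def to_ascii(domain: str) -> str:
    """IDNA-encode a domain so Unicode look-alikes show up in their xn-- form."""
    return domain.encode("idna").decode("ascii")


if __name__ == "__main__":
    for cand, tech, score in risk_report("knowbe4.com")[:10]:
        print(f"{score}  {tech:<13} {cand}")
    # Cyrillic 'о' (U+043E) in place of Latin 'o' is indistinguishable on screen
    # but is a different domain; the xn-- form is what DNS and certificates see.
    print(to_ascii("kn\u043ewbe4.com"))
```

The generated list is the input to the next step, not the result: feed the candidates to DNS and WHOIS lookups (and to certificate transparency logs) to find which ones already exist, and watch the rest. Because candidates are deterministic, the same list can be turned into the kind of "which of these is our real domain?" quiz the tool generates for end users.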

Hurry, the offer ends October 31st. Find My Look-Alike Domains!

[Unique Live Webinar with Kevin Mitnick] The Pesky Password Problem: How Hackers and Defenders Battle for Your Network Control

What really makes a “strong” password? And why are your end-users tortured with them in the first place? How do hackers crack your passwords with ease? And what can/should you do about your authentication methods?

For decades, end-users have borne the brunt of the password tyranny, a result of the IT industry's inability to engineer secure systems. Password complexity, length and rotation requirements are the bane of your end-user experience and your helpdesk, and they have been a factor in thousands of data breaches.

In a recent quest to improve, NIST (the National Institute of Standards and Technology) has looked at the problem from several angles and updated its guidance on authentication systems and password composition (SP 800-63B). The resulting advice and its implications were shocking for some and a relief to others.
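To make the NIST change concrete, here is an added example (not KnowBe4's or NIST's code) that puts a legacy composition-rule check next to an SP 800-63B-style check: minimum length, Unicode normalization, screening against a breached/common password list, and rejection of sequential or context-specific strings, with no "must contain a digit and a symbol" rule and no rotation. The blocklist and service words are small constructed stand-ins; a real verifier would load a large leaked-password corpus.

```python
import unicodedata
from typing import List

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # verifiers must accept at least this many characters

# Constructed stand-in for a breached/common-password list (assumption: a real
# deployment would load a large corpus of leaked passwords).
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}
# Assumed context-specific words: the service name and similar.
SERVICE_WORDS = {"knowbe4", "cyberheist"}


def _is_sequential(s: str) -> bool:
    """True for runs such as 'aaaaaaaa', '12345678' or 'zyxwvuts'."""
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 1 and len(diffs) == 1 and diffs <= {-1, 0, 1}


def nist_check(password: str, username: str = "") -> List[str]:
    """SP 800-63B-style screening. Empty list means the password is acceptable."""
    # Normalize first so full-width or composed characters cannot dodge the blocklist.
    pw = unicodedata.normalize("NFKC", password)
    lowered = pw.lower()
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Anything up to and beyond MAX_LENGTH is accepted; a verifier may cap length
    # only to bound hashing cost, never below MAX_LENGTH.
    if lowered in BLOCKLIST:
        reasons.append("found in breached/common password list")
    if _is_sequential(lowered):
        reasons.append("repetitive or sequential characters")
    context = set(SERVICE_WORDS)
    if username:
        context.add(username.lower())
    for word in sorted(context):
        if word in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


def legacy_composition_check(password: str) -> List[str]:
    """The old approach: character-class rules that reject good passphrases."""
    classes = {"uppercase": str.isupper, "lowercase": str.islower, "digit": str.isdigit}
    reasons = [f"no {name} character" for name, pred in classes.items()
               if not any(pred(c) for c in password)]
    if not any(not c.isalnum() and not c.isspace() for c in password):
        reasons.append("no symbol")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "correct horse battery staple", "12345678"]:
        print(f"{candidate!r:34} legacy={legacy_composition_check(candidate)} "
              f"nist={nist_check(candidate)}")
```

The contrast is the point of the webinar: "P@ssw0rd" satisfies every composition rule and is on every cracking list, while a four-word passphrase fails the legacy rules and passes the NIST screen. Screening only limits guessing; rate limiting on the verifier, hashing with a slow salted function, and a second factor are still needed, which is where the "stronger authentication systems using multiple factors" part of the discussion comes in.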

In this unique webinar, you will learn about the recent NIST controversy and related password cracking problems. The “combatants” will be on the one side KnowBe4's Chief Hacking Officer, Kevin Mitnick with decades of first-hand “red-side” penetration testing experience, and on the other side, Roger Grimes, KnowBe4's Data-Driven Defense Evangelist with decades of experience on the blue team. The referee will be Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer.

They will provide an in-the-trenches view of authentication hacking, so that you get a realistic picture of how effective passwords are, what the various password management guidelines do and do not buy you, and how stronger authentication systems using multiple factors change the picture.

Date/Time: Wednesday, November 14, 2018 at 1:00 (ET)
Save My Spot!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"The adage is true that the security systems have to win every time, the attacker only has to win once." - Dustin Dykes

"You could spend a fortune purchasing technology and services, and your network infrastructure could still remain vulnerable to old-fashioned manipulation." - Kevin Mitnick

Thanks for reading CyberheistNews

Security News

C-Suite Employees Are Increasingly Targeted by Social Engineering Attacks

Spear phishing campaigns aimed at high-level employees are on the rise, according to the Better Business Bureau (BBB). CEO impersonation scams and business email compromise attacks are also growing in popularity, as more and more attackers realize the value in targeting individuals with the highest level of access within organizations.

These attacks are particularly difficult to defend against because they rely primarily on advanced social engineering techniques to trick their victims. Phishing campaigns targeted at executives, also known as “whaling,” attempt to steal sensitive information about an organization or its employees.

Since they focus on specific, high-profile individuals, whaling attacks use extremely convincing, carefully crafted templates that incorporate details relevant to their victims. “We believe there has been a recent uptick in whaling scams aimed at businesses, and we want to warn companies to alert their employees about this potential fraud,” says Katherine Hutt, BBB national spokesperson.

CEO fraud scams, aka business email compromise, take place when an attacker poses as the CEO to fool employees into wiring money to an account owned by the attacker. These attacks often involve a lengthy reconnaissance period during which the attacker gathers details about the organization, its employees, and the CEO.

A report released by Mimecast in August showed an 80 percent increase in these attacks in the third quarter of 2018. “Targeted malware, heavily socially engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” says Matthew Gardiner, a cybersecurity strategist at Mimecast.

“Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter on quarter. These are difficult attacks to identify without specialized security capabilities, and this testing shows that commonly used systems aren’t doing a good job catching them.”

The BBB gives the following recommendations to prevent whaling attacks:
  • Be wary of short, generic messages. Phishing emails are usually brief to avoid arousing suspicion.
  • Double check before clicking on links or downloading files, even if they look legitimate.
  • Never send sensitive information in an email, regardless of who is asking for it.
  • Be wary of emails to groups, especially if they purport to come from the CEO. Attackers can use employee email lists to target the entire organization at once.
  • Ensure that your organization has proper procedures in place for handling sensitive information or payments. For example, CEO impersonation scams can be prevented by requiring multiple employees to authenticate large transactions.
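Several of the BBB recommendations can be checked by a mail gateway or a SOC triage script before a human ever sees the message. The following is an added example, not BBB or KnowBe4 code, that parses a raw message with Python's standard library and flags four things the text warns about: an executive's display name on an address that is not that executive's, a Reply-To pointing at a different domain, an "executive" message addressed to a group, and urgency or payment language in the subject. The internal domain, the executive directory, the group threshold and the sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import List

INTERNAL_DOMAIN = "example.com"                    # assumed organisation domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # assumed executive directory
GROUP_THRESHOLD = 5                                # assumed "mass mailing" cut-off
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|wire|payment|invoice|gift ?cards?)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _norm(name: str) -> str:
    """Make 'Jane Doe', 'jane  doe' and 'Doe, Jane' compare equal."""
    return "".join(sorted(re.findall(r"[a-z]+", name.lower())))


def analyze(raw_message: str) -> List[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    claimed_exec = next((n for n in EXECUTIVES if _norm(n) == _norm(from_name)), None)

    # 1. Display name matches an executive but the address is not that executive's
    #    (the classic free-mail "CEO" lure).
    if claimed_exec and from_addr != EXECUTIVES[claimed_exec]:
        findings.append(f"display-name impersonation: '{from_name}' via {from_addr}")

    # 2. Replies would leave the sending domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"reply-to mismatch: {reply_addr}")

    # 3. A message "from the CEO" sent to a group (BBB: be wary of emails to groups).
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if claimed_exec and len(recipients) >= GROUP_THRESHOLD:
        findings.append(f"executive message to {len(recipients)} recipients")

    # 4. Pressure or payment language in the subject, which BEC lures rely on.
    subject = msg.get("Subject", "")
    if claimed_exec and URGENCY.search(subject):
        findings.append(f"urgency/payment language in subject: {subject!r}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Board deck for Thursday

Draft attached, comments welcome.
"""

FREEMAIL_IMPERSONATION = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer needed today

Are you at your desk? I need a payment processed before noon.
"""

GROUP_BLAST = """From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jdoe.private@outlook.com>
To: a@example.com, b@example.com, c@example.com, d@example.com, e@example.com
Subject: Please read immediately

Open the attached policy update and confirm today.
"""

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("freemail", FREEMAIL_IMPERSONATION),
                          ("group", GROUP_BLAST)]:
        print(label, analyze(sample))
```

The third sample shows the limit of header heuristics: its From address is the real executive's, so only the Reply-To and the group blast give it away. A forged From on your own domain is caught by SPF, DKIM and a DMARC reject policy, not by this script, and no filter replaces the last BBB item: a payment process in which a second person confirms large transfers out of band.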
Employees at every level of an organization can benefit from new-school security awareness training to defend against these scams. CEOs need to be able to recognize sophisticated phishing attempts, while lower-level employees must be made aware of the tricks that attackers can use to manipulate them. BizTech has the story:

How Criminals Will Use the Facebook Breach

In September Facebook released news that the data of approximately 30 million accounts had been compromised. Originally thought to be the work of nation state actors, the breach, according to the Wall Street Journal, was carried out by spammers.

It's a disturbing incident, but what might the criminals actually do with the stolen data? The names, phone numbers and email addresses of 15 million Facebook users were stolen. Another 14 million had their names, dates of birth, gender, devices used on Facebook and language settings compromised.

Hackers found relationship status, religion, hometown, current city, occupation and education information as well. The depth of information revealed depended on how much information people had added to their profile. Information about recent check-ins and tags along with their fifteen most recent Facebook searches was also taken.

All those apparently benign surveys asking about your first car, favorite teacher, your favorite movie or ice cream flavor? They're all potential sources of answers to security questions. This is where cyber criminals cash in on your sharing and monetize all that information.

Jerome Segura, lead malware intelligence analyst at Malwarebytes, noted that Facebook data are distinctive because users supplied them themselves: they reveal interests and preferences, a priceless trove for scammers and shady marketers.

The potential that scammers are behind the attack illustrates how lucrative breaching a "centralized data storage repository" can be. Profile information can be used to make phishing scams more convincing. The data can be used to lure victims into clicking on malicious ads in malvertising campaigns.

Data so rich can be used to target business email accounts in BEC schemes. Tom Kelly, CEO of ID Experts, said "Facebook is the new stolen credit card in terms of the data and value it provides criminals." Kelly continued "many people do not realize the effect the recent Facebook breach has had on their risk for identity theft or know how to protect themselves."

The breach has the potential to drive scams for years to come. Accurate and extensive data of this kind can last a lifetime, much like healthcare records. When payment card information is breached, the remedy is simple: cancel the card, get a new one, and change the PIN.

But Facebook information describes who the user is, and that's not easily changed, if it can be changed at all. Facebook, which says it will not provide the free identity theft protection commonly offered following a massive data exposure, will see long-term effects.

Those impacted by the breach need to be vigilant, monitoring both financial and social media accounts for suspicious activity. Messages that create a sense of urgency or receiving unexpected links should be viewed with caution.

The breach isn't just a problem for individuals. It's a problem for organizations and their employees as well. When lost information makes social engineering more plausible, employees need to be especially on their guard. Tailored, interactive security awareness training can help them attain the kind of wariness they need to better protect themselves and their organization. WIRED has the story:

Hacking Humans—A New Cyberwire Podcast Covering Social Engineering

“I find your podcast very informative and have used your information to better train my employees… [I] subscribe to both the Cyberwire and Hacking Humans and they are at the top of my priority list…. I have had several employee meetings to discuss potential phishing and malicious attachments using examples derived from your show. We have the additional burden HIPAA regulation so I can never be too paranoid.” Here is where to find the "Stu's Warmly Recommended" Hacking Humans podcast!:

How Do You Fight the $12B CEO Fraud Problem? One Scammer at a Time

The fraudsters behind the often-laughable Nigerian prince email scams have long since branched out into far more serious and lucrative forms of fraud, including account takeovers, phishing, dating scams, and malware deployment. Combating such a multifarious menace can seem daunting, but in truth it calls for concerted efforts to tackle the problem from many different angles. This post examines the work of a large, private group of volunteers dedicated to doing just that. Story at KrebsOnSecurity:

Bad Guys Use Stolen NSA Hacking Tools to Pwn Boxes in Nuke, Aerospace Worlds

Miscreants are using a trio of NSA hacking tools, leaked last year by the Shadow Brokers, to infect and spy on computer systems used in aerospace, nuclear energy, and other industries.

This is according to Kaspersky Lab, whose researchers today said the American snooping agency's DarkPulsar cyber-weapon – along with a pair of toolkits called DanderSpritz and Fuzzbunch that can remotely control infected machines – have been used by hackers to commandeer Windows Server 2003 and 2008 boxes in Russia, Iran, and Egypt.

The infected vulnerable servers are used in some 50 organizations within industries including aerospace and nuclear energy, particularly those with large IT and R&D departments. Hmmm. Continued at The Register:

What KnowBe4 Customers Say

"Hi Stu,

Absolutely love this tool. In the past, as part of a Security Maturity Program, it was my job to create and conduct employee annual training and regular phishing exercises MANUALLY, which is why I appreciate KnowBe4's features a lot.

Now with KnowBe4, I can do so much more when it comes to individual assessment, acknowledgement and action. So far, I have done a baseline phishing test and am soon going to launch Annual security training in November. I'm really excited about this launch and I'm sure users will love it too, as it is far better than reading the 50-page slide pack that I used to offer them as part of Annual training. I'm not even crossing my fingers for this launch. So, I am a happy camper."
- K.V., Information & IT Security Analyst

"Yes, I have been very pleased with the KnowBe4 platform! We are rather early in our awareness training program and phishing campaigns, but I like what I see so far! As an admin, I am impressed with the variety of phishing templates, training and awareness media, and reporting options available. The dashboard is intuitive and easy to use.

"I have also received very positive feedback from my users about the training materials they have viewed so far. The videos and presentations have been engaging, informative, and pertinent. I have noticed users actually showing more interest in cyber security around our workplace: security topics coming up in water cooler conversations and in meetings, asking me questions about some security topic they've seen or read, etc.

I believe this is one of the best investments we've made this year."
- P.B., Network Administrator

P.S. If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:

The 10 Interesting News Items This Week
    1. KnowBe4 Top-Clicked Phishing Email Subjects for Q3 2018. Send this INFOGRAPHIC to your users:

    2. 7 high-tech jobs to arrive in the near future, as envisioned by Cognizant:

    3. Experts Trace a Saudi Petrochemical Plant Cyberattack to Russia. WSJ:

    4. Culture the missing link for cybersecurity's weakest link:

    5. Hackers steal personal data of up to 9.4 million Cathay Pacific passengers:

    6. Government auditors traced a malware infection back to a single porn-watching employee within the U.S. Geological Survey:

    7. FFE Breach Compromises 75K Users' Data:

    8. Whack-a-Mole: The Impact of Threat Intelligence on Adversaries:

    9. These are the jobs expected to grow the most in the next five years. Check out the IT ones:

    10. China systematically hijacks internet traffic:
Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
