CyberheistNews Vol 8 #44 Has Microsoft Office 365 Beat Phishing?




CyberheistNews Vol 8 #44
Has Microsoft Office 365 Beat Phishing?

Roger Grimes, KnowBe4's Data-Driven Defense Evangelist has something to say about that...

"Microsoft recently announced a big update to their Microsoft Office 365 (O365) anti-phishing technical capabilities. According to Microsoft, their “miss phish catch rate” is down to near zero, beating all other O365 anti-phish competitors by orders of magnitude.

Has Microsoft Office 365 (0365) got phishing beat? Well, I wouldn’t get rid of your security awareness training just yet.

I think I have an interesting perspective. Until recently, I worked for Microsoft for over a decade and I still love the company, its people, and products. Microsoft security really is the best in the world. I’m also a long-term 0365 user for my private side work company. I’m now the data-driven defense evangelist for KnowBe4, the world’s largest security awareness training vendor.

I moved from Microsoft to KnowBe4 because I wanted to dedicate the remaining years of my computer security career to making the biggest impact in computer security possible. This isn’t hyperbole. Social engineering and phishing have been the number one way that malicious data breaches happen for over a decade.

If you want to have the biggest impact minimizing computer security risk you might as well jump into the lion’s den. And today, that means fighting social engineering and phishing.

From within Microsoft, I saw how hard Microsoft tried to stop phishing emails for its 0365 customers. Microsoft didn’t like that a majority of its large 0365 customers felt the need to purchase additional email protection. Every third-party anti-phishing purchase was a sign that Microsoft, itself, wasn’t doing enough to stop phishing.

It took years, but if you trust Microsoft’s data (and I have no reason to distrust it right now), it looks like Microsoft 0365 has some pretty solid anti-phishing results. According to their own data, phishing emails that escape detection and prevention are near zero percent. In fact, it’s hard to tell if their graphed data is saying exactly 0 percent or just above 0 percent. It’s that close, graphically.

The question some observers might have is if security awareness training is still worth the cost if Microsoft has “beat” phishing?" Continued at the KnowBe4 blog:
https://blog.knowbe4.com/has-microsoft-office-365-beat-phishing
Successful Pretexting Attacks Have Nearly Tripled Since 2017

Pretexting attacks are a growing threat to organizations, warn Chris Tappin and Simon Ezard from the Verizon Threat Research Advisory Centre. Verizon’s 2018 Digital Breach Investigation Report shows that 170 data breaches this year were caused by pretexting attacks, compared to 61 in 2017.

Tappin and Ezard attribute this rise primarily to poor security policies and a lack of security awareness among employees.

Pretexting is a targeted, social engineering-based attack in which attackers use continuous dialogue to build a sense of trust with the victim. By creating a fabricated scenario and posing as a senior employee or a trusted vendor, attackers manipulate victims into willingly giving up sensitive information, granting access to systems, or even transferring money. These attacks are surprisingly effective because they target the human element and are often able to compromise systems that have appropriate technical defenses in place.

Tappin and Ezard believe that security professionals often face “decision paralysis” brought on by the multitude of varied threats to their organizations. They recommend that these professionals focus first on ensuring that basic, fundamental security principles are being followed by employees.

Phishing and pretexting are not highly-technical attacks, yet they are among the top ten causes of all data breaches. Even the most sophisticated attackers use these methods because they are so effective.

Tappin and Ezard say that organizations need to educate their employees about malicious activity and compel them to respond if they see something suspicious. For example, employees should be encouraged to question strange or unexpected emails from their superiors. Pretexting attacks are successful when employees are unaware of the techniques used by attackers.

New-school security awareness training enables you to create a security culture in your organization by ensuring that employees are always on their toes with security top of mind.
The Pesky Password Problem: "Battle of the Red and Blue Teams" Featuring Kevin Mitnick

What really makes a “strong” password? And why are your end-users tortured with them in the first place? How do hackers crack your passwords with ease? And what can/should you do about your authentication methods?

In a recent quest to improve, NIST (the National Institute for Standards and Technology) has been looking at the problem from several angles and updated their guidance related to authentication systems and password composition. The resultant advice and implications were shocking for some and a relief to others.

In this unique webinar, you will learn about the recent NIST controversy and related password cracking problems. The “combatants” will be on the one side KnowBe4's Chief Hacking Officer, Kevin Mitnick with decades of first-hand “red-side” penetration testing experience, and on the other side, Roger Grimes, KnowBe4's Data-Driven Defense Evangelist with decades of experience on the blue team. The referee will be Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer.

They will provide an in-the-trenches view of authentication hacking, so that you get some insights about the truth of the effectiveness of passwords, various password management guidelines, and even stronger authentication systems using multiple factors.

Save Your Spot Now. Space is Limited!

Date/Time: Wednesday, November 14, 2018 at 1:00 (ET)
https://event.on24.com/wcc/r/1856107/295DE6CAB72FFD67B1323DDF19759750?partnerref=CHN
Are Your Compliance, Risk, and Audit Projects Taking up Too Much of Your Time?

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

Good news! We are excited to announce the release of the new KCM GRC.

We have expanded the existing KCM product with new Risk and Policy Management modules, transforming KCM into a full SaaS GRC platform!

The new KCM GRC platform helps you get your audits done in half the time, is easy to use, and is surprisingly affordable. No more: "UGH, is it that time again!"

KCM GRC simplifies the challenges of managing your compliance, risk, and audit projects, enables you to efficiently manage GRC initiatives, and understand at a glance what items need to be addressed.

See how you can get audits done in half the time at half the cost!

Join us for a first look, Tuesday, November 13th at 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's new KCM GRC platform.

See how you can simplify the stress of managing your compliance requirements and save valuable time when risk assessments and audits cycles kick in:
    • Quick implementation with pre-built requirements templates for the most widely used regulations.
    • NEW Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
    • You can assign responsibility for controls to the users who are responsible for maintaining them.
    • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.

    • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Save My Spot!
https://event.on24.com/wcc/r/1856103/C9BA82206DB4A5982C803EB14005A0CE?partnerref=CHN
Scam of the Week: Fortnite and League of Legends Phishing Attacks

This is an excellent opportunity to sit down with your young'uns and explain the risks of online scams.

The most popular videogame in the world is Fortnite which makes the game a massive target for a variety of scams. League of Legends is a remote second but is also targeted by bad guys, possibly to obtain credentials for Fortnite because of password re-use.

Fortnite recently pulled their official APK from Google Play because they didn’t want to pay the 30% e-commerce distribution fees. They decided to go direct from their site. But because of this, Fortnite doppelgänger phishing sites have popped up all over the place, as well as distribution of malware-laden APK’s from look-alike sites.

Though Fortnite is a free game, players spend more than 200 million dollars each month on v-bucks, the game's digital currency. Players use v-bucks to purchase cosmetic items and skins; the currency can be earned through playing or purchased outright in the game's store.

The results is that online cyber criminals are targeting young "Fortnite Battle Royale" players with fake offers for free v-bucks. More than 4,700 websites are fraudulently offering free v-bucks as a front for phishing and credential theft. Demand for v-bucks will persist so long as "Fortnite" remains popular.

At the same time, a phishing scam is using fake login pages to target League of Legends (LoL) players. LoL is a free-to-play online game owned by Riot Games that averages 12 million daily players and sees over 100 million players during peak times. Its massive fanbase makes it an attractive target for phishing scams.

At the moment, the LoL attacks are taking place primarily in western Europe, mainly targeting France, Germany, and Spain. You can expect them in the UK and US after the scammers debug their beta campaigns. The sites are nearly identical to the legitimate login pages and are professional credentials phishing attacks.

Although LoL is free, Dark Reading reports that three out of five people reuse the same password across multiple services. As a result, if an attacker steals a password to someone’s LoL account, there’s a good chance that they can use that password to access other accounts belonging to the victim, like Fortnite.

I suggest you send the following to your friends, family, and employees and sit down with your kids for an object lesson in cybercrime. You're welcome to copy, paste, and/or edit:
The bad guys are targeting game players on the Fortnite and League Of Legends platforms. They are basically going directly after your children using phishing and social media. Specifically, they are offering free v-bucks, a digital currency used to buy virtual goods in Fortnite, but worth real money.

Please make kids aware that there are literally thousands of scam sites out there, trying to rope them in with social engineering tactics. Teach your kids to Think Before They Click! The best way to avoid scams is to only purchase v-bucks directly from the "Fortnite" store — and never share your account information online.
PS: Did you know that KnowBe4 has free security awareness training for the house? It's an hour worth of training that covers the areas parents are most concerned about regarding online safety. This is the link:
https://www.knowbe4.com/homecourse

and the password has been kept really easy by design: it's simply: homecourse

Let's stay safe out there!
Monster Ransomware Bundle Threatens to Make Cyber Attacks Devastatingly Simple for Bad Guys

Danny Palmer at ZDNet warned: "Some of the most potent forms of ransomware of 2018 are being offered for sale in a cut-price bundle deal on the dark web that also contains one of the most dangerous forms of file-encrypting malware to terrorize organizations this year.

SamSam is part of the 23 ransomware bundle -- significant because previously it's only been deployed by a highly specialized group. Other well-known forms of ransomware available in the 750-dollar '2018 ransomware pack' include Magniber, Satan, CryBrazil, XiaoBa, and more.

The pack has been uncovered by researchers at cyber security firm Sixgill who describe it as an "extraordinarily rare finding". The package is a grim reminder of just how easy it is for crooks to get hold of state-of-the-art malware to start their campaigns against businesses and consumers.

"This is the first time I've ever seen an underground vendor who sells an attack kit of ransomware which offers several different popular ransomware variants," Gilad Israeli, cyber intelligence analyst at Sixgill told ZDNet. More at:
https://www.zdnet.com/article/giant-ransomware-bundle-threatens-to-make-malware-attacks-easier-for-crooks/
KnowBe4 Wants to Know What Keeps You up at Night!

IT Pros today have lots of security concerns such as ransomware, external attacks, data breaches and compliance mandates. Some issues you have locked down tight, while others are making you crazy!

We want to know what aspects of IT security you have covered, and which ones have you worried sick!

In this fast, 5-minute online survey, we want to hear about what issues are of great concern to you and your organization.

Hurry and take the survey now - be one of the first 500 to take the survey and have a chance to win one of several 500-dollar Amazon gift cards! (or equivalent in your local currency)

TAKE THE SURVEY NOW
https://www.surveymonkey.com/r/23528MJ
See Ridiculously Easy Security Awareness Training and Phishing in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5 - 15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 21,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Tomorrow, November 7, 2018 at 2:00 p.m. (ET)
Save My Spot!

https://event.on24.com/wcc/r/1856096/132A68B10C07C70F6A7AD4FDB392D928?partnerref=CHN

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I recently wrote an article in Forbes which is great ammo for InfoSec budget:
https://www.forbes.com/sites/forbestechcouncil/2018/10/17/the-russia-problem-what-businesses-can-learn-from-cyberwarfare/#3f717b2e1238
Quotes of the Week
"Those who cannot remember the past are condemned to repeat it."
- George Santayana - Philosopher (1863 – 1952)

"Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment."
- Buddha



Thanks for reading CyberheistNews
Security News
UK Universities Offering NCSC Courses Targeted

Iranians hackers targeted eighteen British universities, half of which offer courses approved by the UK’s National Cyber Security Centre (NCSC). The attack launched this year has lasted several months and has successfully penetrated at least one targeted university, perhaps others. It has not been determined if their offering NCSC courses led to the universities’ targeting.

An NCSC spokesman stated “universities are a popular target for hackers in search of intellectual properties.” The NCSC Active Cyber Defense, a program designed to improve universities cyber security defenses, has been responsible for thwarting twenty-three attempts on one universities website.

To make the emails look more authentic, the hackers created phony websites and phished people with university log-ins to steal their passwords. Dating from the creation dates of phony websites, the campaign has been active since May. The earliest hack against Lancaster University, the only university known to be partially penetrated. According to Lancaster “only a small number” of targets fell prey to the attack.

There are indications that the attacks may be linked to an earlier assault that stole research and published it on Iranian websites. The same group has been credited with creating new fake websites.

It's noteworthy that the phony pages display “green padlocks” to convey safety to visitors. Users should know that this means relatively little for their security. The “green padlock” only indicates traffic in and out of the site is being encrypted. It is not an indication that the site is safe. And the green padlock itself is well on its way out, with most current browsers having moved on from it.

So the padlock should at this point actually count as a bit of a red flag in itself. Let’s Encrypt, the US company that issued domain validation certificates to the hackers, told Forbes: “Lock icons in browsers are misleading people who mistakenly interpret lock icons as a sign the site is safe. Site safety is a completely separate issue. Browsers need to stop displaying lock icons on the basis of a secure connection”.

It comes down to the human element. Employees need to observe the credentials of websites they visit, checking for authenticity. Proper training can help your organization take control of your cyber security. Computing has the story:
https://www.computing.co.uk/ctg/news/3065382/hackers-target-uk-universities-accredited-by-ncsc
Hackers Are Increasingly Destroying Logs to Hide Attacks

According to a new report, 72 percent of incident response specialists have came across hacks where attackers have destroyed logs to hide their tracks.

Hacker groups are increasingly turning to log file destruction and other destructive methods as a means to hide their tracks, according to a report released this week and containing information from 113 investigations performed by 37 Carbon Black incident response (IR) affiliate partners from across the globe.

According to the report, "politically motivated cyberattacks from nation-state actors have contributed to an ominous increase in destructive attacks: attacks that are tailored to specific targets, cause system outages and destroy data in ways designed to paralyze an organization's operations."

Carbon Black said that hacker groups are getting better at what the company calls "counter-incident response."

They said that hackers attempted counter-incident response in 51 percent of all incidents the company and its partners investigated in the last 90 days.

"We've seen a lot of destruction of log data, very meticulous clean-up of antivirus logs, security logs, and denying IR teams the access to data they need to investigate," an IR professional said.

In fact, according to the Carbon Black report, 72 percent of all its partner IR professionals saw counter-IR operations in the form of destruction of logs, which appears to have become a standard tactic in the arsenal of most hackers.

But in some cases, hackers took log destruction and other counter-incident response operations to a new level, and in some cases, their actions resulting in more lasting damage.

Our respondents said victims experienced such attacks 32% of the time," Carbon Black said in its report.

"We've seen a lot of destructive actions from Iran and North Korea lately, where they've effectively wiped machines they suspect of being forensically analyzed," an IR professional said.

"Attackers want to cover their tracks because they're feeling the pressure from law enforcement," another IR professional said.

But Carbon Black also points out that the cyber-security industry, as a whole, has also gotten much better at incident response, hence attackers' increased focus on removing logs and even wiping systems, just to be on the safe side. Continued at:
https://www.zdnet.com/article/hackers-are-increasingly-destroying-logs-to-hide-attacks/
Action Fraud Warns of Widespread Phishing Campaign in the UK

Scammers are targeting people in the UK with fake TV Licensing emails, Action Fraud warns. The fraud reporting center says it has received 2,685 reports of this scam in September and October alone. The emails tell recipients to click on a link in order to correct their licensing information, update their billing information, or renew their licenses.

This link takes victims to a realistic-looking TV Licensing site designed to collect as much sensitive information as the victim will provide. In addition to prompting users to enter their payment details, the site also asks victims for personal information, including their name, date of birth, address, phone number, and email.

The site may also ask for the maiden name of the victim’s mother, suggesting that the attackers may attempt to hack into other online accounts belonging to the victim.

TV Licensing says you should be suspicious of emails with subject lines such as “Action required,” “Security Alert,” “System Upgrade,” or “There is a secure message waiting for you.” Those lines should raise red flags for any email recipient. The organization also says to watch out for spelling or grammar mistakes in the emails, and for wording that seems strangely casual or familiar.

Additionally, you should always hover over a link to check its destination. If you’re unsure, it’s safer to go directly to the TV Licensing website without clicking the link.

“TV Licensing will never email customers, unprompted, to ask for bank details and/or your personal information, or tell you that you may be entitled to a refund,” a TV licensing spokesperson told Action Fraud, echoing a common sound practice many organizations have adopted. “We encourage anyone who has provided their details as a result of a fraudulent email to contact their bank urgently and to report the email to Action Fraud.”

Scammers are always improving their craft and coming up with new ways to dupe people into providing sensitive information. Employees need up-to-date education and hands-on training to keep up with this constantly evolving threat. Interactive awareness training can give your employees the knowledge and experience necessary to avoid falling victim to scams.

Action Fraud has the story:
https://www.actionfraud.police.uk/alert/action-fraud-warns-against-fake-tv-licensing-emails-as-over-2500-reports-are-made-in-two-months-alone
Attackers Use Phishing Websites to Target Universities Around the World

Universities are popular targets for cybercriminals, according to researchers at Kaspersky Lab. The researchers detected 961 phishing attempts against 131 educational institutions over the past year. 83 of these schools were located in the US, while 21 were in the UK. The University of Washington topped the list with 111 attempted attacks, followed by Cornell University and the University of Iowa.

The attacks usually involve spoofed websites that are nearly visually identical to legitimate school sites but have slightly different URLs.

Educational institutions may seem like unglamorous targets compared to banks, healthcare organizations, and online retailers. But we've noted before in this blog that criminals have undertaken phishing expeditions against colleges and universities to commit, for example, student loan fraud. There are other good reasons why colleges and universities make attractive targets. Consider the vast amount of intellectual property and personally identifiable information they have.

Faculty and students at universities perform groundbreaking research and development on subjects in virtually every field. Additionally, university researchers often partner with private-sector companies and government agencies, potentially leaving data belonging to those organizations open to compromise as well.

Universities can in some ways be more difficult to secure than other kinds of organizations. These schools welcome thousands of new students each year, while thousands of others leave. All of these students use their own devices to access university web services and can often do so from anywhere in the world.

This creates a very large attack surface, and many universities lack the funds to implement adequate security controls across the board.

An essential recommendation for university security teams is to set up two-factor authentication for their organizations. However, one of the best ways to prevent credentials from being stolen in the first place is by educating students and faculty on security best practices.

New-school, interactive awareness training can provide students with knowledge and habits that will still be applicable long after they graduate. And similar advice applies to any organization and its employees. The Gazette has the story:
https://www.thegazette.com/subject/news/education/university-of-iowa-among-top-phishing-targets-per-kaspersky-lab-20181026
What KnowBe4 Customers Say

"Hello Stu, thank you for the follow up, and YES! Definitely a happy camper! We are having positive results with KnowBe4. We will be starting the training soon so that we can improve our users security awareness. We were amazed with the positive results of the baseline test.

Because phishing scams are becoming more sophisticated the training is a really good way to teach our users not only for the company, but for them to be aware in their personal life as well!

The customer service team has been awesome assisting us with getting set up and my rep Jonathan McHenry did a really good job explaining everything and how it works. The Technical Support team was also very patient and helpful with the whitelisting process and other technical support needs!

Thank you again for following up and we are definitely enjoying KnowBe4, the rick roll landing page is AWESOME!" - K.S., Information Technology Support



PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
https://www.gartner.com/reviews/market/security-awareness-computer-based-training
The 10 Interesting News Items This Week
    1. Krebs on Security: "SMS Phishing + Cardless ATM = Profit":
      https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/

    2. Getting Employees On Board With Cybersecurity Awareness:
      https://www.rsaconference.com/podcasts/getting-employees-on-board-with-cybersecurity-awareness?

    3. Announcing the 100 Best Workplaces for Women. KnowBe4 is #2 in SMB:
      https://www.prnewswire.com/news-releases/announcing-the-100-best-workplaces-for-women-300740011.html

    4. Relating Artificial Intelligence and Machine Learning:
      https://aitrends.com/machine-learning/artificial-intelligence-vs-machine-learning/

    5. GandCrab ransomware crew loses $1Mil after Bitdefender releases free decrypter:
      https://www.zdnet.com/article/gandcrab-ransomware-crew-loses-1mil-after-bitdefender-releases-free-decrypter/

    6. US Citizen Voter Records Hacked and Now for Sale on the Dark Web:
      https://www.makeuseof.com/tag/us-voter-records-hacked/

    7. Why a Helium Leak Disabled Every iPhone in a Medical Facility:
      https://motherboard.vice.com/en_us/article/gye4aw/why-a-helium-leak-disabled-every-iphone-in-a-medical-facility

    8. 10 Chinese nationals charged with corporate espionage...used phishing to get in:
      https://www.engadget.com/2018/10/31/chinese-turbofan-hack-extradition/

    9. Nation-State Hackers Target Managed Service Providers to Access Large Companies:
      https://www.wsj.com/articles/nation-state-hackers-target-managed-service-providers-to-access-large-companies-1541013256

    10. The Cybersecurity 202: There is more phony political news on social media now than in 2016, report says:
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/11/01/the-cybersecurity-202-there-is-more-phony-political-news-on-social-media-now-than-in-2016-report-says/5bd9e03e1b326b37e00b5a52/
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.



Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews