CyberheistNews Vol 8 #48 [Heads-Up] Bad Guys Love Marriott: 500 Million Data Breach Is Phishing Heaven


So, I guess we have just reached the tipping point, it's "privacy game over" for business travelers.

For about 327 million of the 500 million, the breached data includes names, mailing addresses, phone numbers, email addresses, passport numbers (!), Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

The company said in a statement that it discovered "unauthorized access" to the database, which extended back to 2014. In some cases, payment card numbers and expiration dates were also taken, but Marriott said it's unclear whether the hackers have the information needed to decrypt the payment card numbers.

Marriott said it has set up a website for consumers impacted by the hack, at, and a call center. "Call volume may be high, and we appreciate your patience," the company said. Starwood is sending an email to all addresses affected.

Here is where the bad guys come in.

You can expect a raft of phishing attacks that try to exploit this data breach, either by using just scare tactics, or by using actual data from the breach itself to make it look as real as possible.

If you are a KnowBe4 customer, we strongly recommend you inoculate your users by sending them a simulated phishing attack that uses this Marriott data breach as the theme.

Two new phishing templates and a landing page have been added to our Current Events phishing templates category. Use them to prepare your users before the bad guys use social engineering tactics and trick them. Each template leads to a fake Marriott login page to mimic a credentials phishing attack.

Grab these templates and the landing page and send them to all users, or, if you have a Smart Group containing your frequent travelers, make that group the first priority.

If you are not a KnowBe4 customer yet, we suggest you step your users through this free module that is available until the end of December 2018! "Safe Travels For Road Warriors" is a 12-minute animated course with lots of interactivity for those that travel for business—and some very helpful tips for personal travel too.

You will find this module as step 5 of a blog post with some practical advice for business travelers here:
Don’t Miss the December Live Demo: Simulated Phishing and Security Awareness Training

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us this week, Wednesday, December 5, 2018, at 2:00 p.m. (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • NEW Virtual Risk Officer shows you the Risk Score by employee, group, and your whole organization.
  • NEW Advanced Reporting on 60+ key awareness training indicators.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 22,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, December 5, 2018, at 2:00 p.m. (ET)

Save My Spot!
Attackers Impersonate CEOs to Scam Employees Into Sending Gift Cards for the Holidays

A crafty mix of social engineering, great timing, and context acts as the perfect set of ingredients to trick unwitting users into buying gift cards and placing them into the hands of the attacker.

At the end of the year, nearly every company is thinking about holiday bonuses, corporate gifts, and holiday greeting cards for customers. So, it’s not unusual to think that the head of an organization might want to give out some gift cards to select employees at this time of year.

This all-too-common scenario is being taken advantage of by cybercriminals, according to the latest threat spotlight from security company Barracuda. Using simple impersonation tactics, the bad guys pose as the CEO asking an office manager, executive assistant, or receptionist to discreetly purchase some gift cards that will be used as gifts to employees.

Using well-researched personnel details, these cybercriminals are able to identify an appropriate individual to target and send them an email purportedly from the CEO's personal account, conveying a sense of urgency to push the victim to act.

What makes these attacks so successful boils down to a few factors:
    • They are filled with contextual goodness – these attacks get so many details right: the CEO’s name, the recipient selected, the time of year, and the reason for the gift card purchase. In an employee’s mind, this is all very plausible.
    • There’s no malware – this is a malware-less attack, with no links or attachments for an AV or endpoint protection solution to spot.
    • They leverage the power of the CEO – this is important. When the CEO says jump, generally people say how high? The fact that the request is coming from the CEO is usually sufficient motivation to make the recipient comply.
I can think of only two real ways to stop attacks like this:
    • Process – anytime a request is made to purchase something over a certain amount via email, a phone call should follow to verify the request.
    • Education – users that continually go through security awareness training should spot this a mile away. The email details and the abnormality of the request are red flags to a user with an elevated security mindset. Users that step through security awareness training are educated on the scams run, tactics used, what to look for, and, generally, to maintain a state of vigilance when it comes to their interaction with email and the web.

This impersonation attack is simple but effective. Protect your organization by enabling your users to be the last line of defense in your security strategy before an attack like this hits.

CEO Fraud Prevention Manual Download

CEO fraud has ruined the careers of many executives and loyal employees. Don’t be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim. Download at the KnowBe4 blog:
"2019 Crystal Ball" Live Webinar: What Security Experts Worry About for 2019

Phishing getting laser-focused? Highly targeted ransomware attacks? Continued cryptojacking? Evil AI-based attacks? With 2018 coming to an end, it's time to dust off the crystal ball and see what 2019 has in store.

In this thought-provoking webinar, KnowBe4's Founder & CEO, Stu Sjouwerman, along with Chief Evangelist & Strategy Officer, Perry Carpenter, will take you into the future of social engineering and cybercrime.

Stu and Perry will give you a run-down of the big themes of 2018 and then dive deep into their predictions of what you need to prepare your organization and people for next year. You can't afford to miss this one.

Key topics covered in this webinar:
  • Understanding the current threat landscape
  • What has security experts worried for 2019
  • Next innovations of phishing, social engineering and crimeware
  • How to make your organization a hard target
  • Ways you can strengthen your last line of defense, your users
Date/Time: Thursday, December 13, 2018, 2:00 PM ET

Save My Spot!
Reminder: That Padlock Doesn’t Mean It’s Secure

We’ve mentioned this before, but the misconception has surfaced again, and it’s worth repeating. The padlock is not a reliable sign that a website is legitimate or malware free. Recent research indicates that nearly half of all phishing sites display the padlock and a web address that begins with https.

Data from PhishLabs show that 49% of all phishing sites in the third quarter of 2018 had the lock icon. This is up 25% from a year ago. Since a majority of users take “look for the lock” to heart, this new finding is significant. 80% of the respondents to a PhishLabs survey believed the lock indicated a legitimate and safe website.

Remind Employees, That Padlock Doesn’t Mean It’s Secure

Remind employees that the https portion of the address signifies only that the data transmitted between the browser and that site is encrypted and so can’t be read by third parties in transit. The padlock signifies nothing more than this; anyone, including a phisher, can obtain a certificate for a domain they control. Its appearance may mean nothing more than that criminals are lending some bogus credibility to their site.

John LaCour, chief technology officer for PhishLabs, said, “The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.” More:
Live Demo: KCM GRC - Get Your Audits Done in Half the Time

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! We have expanded the existing KCM product with new Risk and Policy Management modules, transforming KCM into a full SaaS GRC platform!

Join us Wednesday, December 12th at 1:00 PM (ET), for a 30-minute live product demonstration of the new KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • NEW Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, December 12th at 1:00 PM (ET)

Save Your Spot!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check out the *new* position that KnowBe4 has in the new Gartner Magic Quadrant!
Quotes of the Week
"I feel that there is nothing more truly artistic than to love people." - Vincent Van Gogh

"Art, freedom and creativity will change society faster than politics." - Victor Pinchuk

Thanks for reading CyberheistNews
Security News
Learning a 120K Lesson the Hard Way

The bank isn’t always responsible for making you whole after a business email compromise. Indiana’s Lake Ridge Schools lost more than $120,000 from a seven-million-dollar construction fund established to build an athletic complex.

The funds were stolen via a wire transfer ordered through a hacked email account. That account belonged to a business manager who was authorized to request payments. The money was requested in the form of wire transfers to several people thought to be contractors on the project.

At the time the wire transfers were requested, the business manager was on vacation, and the bank, BNY Mellon, had received an out-of-office notification days before. Full Story at the KnowBe4 blog:
Why Insurance Brokers Need to Talk About Ransomware

Ransomware attacks are increasing, and as a result, brokers and clients alike will likely start to recognize the value of the business interruption component of a cyber insurance policy, a specialist insurer said Monday.

“Cybercrime and theft of funds is still largely our largest source of claims by frequency on the business interruption side as a result of ransomware,” said Lindsey Nelson, international cyber team leader with CFC Underwriting. Privacy breaches as a result of a hack constitute only 12% of the insurer’s claims activity.

While cyber discussions often revolve around privacy, ransomware attacks appear to be on the upswing. Think about the cyberattacks on the Ontario municipalities of Wasaga Beach and Midland earlier this year, and the recent one in Mekinac, Que. in which the region’s servers were reportedly disabled for about two weeks.

“So, the costs that are incurred with municipalities are things that people don’t actually spend too much time selling cyber on,” Nelson said in an interview. “It’s all those system damage and rectification costs when systems go down and people have to wipe their servers completely clean as a result of ransomware. It’s the cost to rebuild those systems from scratch.”

Nelson calls ransomware the exact opposite of a privacy breach because it locks data so that nobody can see it rather than accidentally disclosing it to somebody who should not be viewing it. “Municipalities who historically have poor IT systems and risk management in place because of their constrained IT budgets, are now experiencing falling victim to these ransomware attempts.”

Professional firms – law, accounting, property management and engineering – are about 60% of cyber buyers in CFC’s portfolio. One of the insurer’s property management firm clients fell victim to a ransomware attack. The firm was creating financial reports for their clients on a monthly basis. But due to the attack, they had to manually create the reports, creating errors. “That ended up experiencing a drop-off in their customers over a 12-month indemnity period.”

It used to be a ransomware attack was more financially motivated, but “we’re seeing a shift away from the financial motivation towards just destructive in their nature so that even when people do pay the ransom, they’re not able to get the decryption key back,” Nelson reported. “The intent is solely to ensure their systems go down and they suffer system damage loss.” Full Story:
The Return of Email Flooding

In addition to hacktivism, email flooding is again being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spear phishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.

An old attack technique is now making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can't easily detect.

Imagine your inbox receiving 15,000 messages over the course of just a few days. What would certainly be an extreme nuisance could also translate into a huge productivity and operations liability, taking days or even weeks to return your primary method of communications back to normal.

Known as email flooding, this easy-to-implement technique is re-emerging among attackers for two primary reasons: to deliver the messages and demands of hacktivists, and as a diversionary tactic to help perpetrate financial or operational fraud. Read the full story at DarkReading:
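A small detection routine for the diversion described above, added here as an example and not taken from the article or from DarkReading: it parses a constructed mail log, flags mailboxes whose inbound volume spikes inside a sliding window, and then pulls messages from watched senders (a bank, in the constructed sample) out of the flood so they are not lost in the noise. The log format, the thresholds and the watched-domain list are assumptions, not anything the article specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    sender: str
    rcpt: str
    subject: str


# Assumed log line shape: "<iso-timestamp> from=<addr> to=<addr> subj=<text>"
LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) subj=(.*)$")


def constructed_log() -> List[str]:
    """Constructed sample: 120 subscription confirmations hit one mailbox in
    30 minutes, with a bank notification buried inside the burst."""
    base = datetime(2018, 11, 30, 9, 0, 0)
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} from=noreply@list{i}.example to=cfo@corp.example "
                     "subj=Confirm your subscription")
    ts = (base + timedelta(minutes=10)).isoformat()
    lines.append(f"{ts} from=alerts@bank.example to=cfo@corp.example "
                 "subj=Wire transfer initiated")
    ts = (base + timedelta(minutes=3)).isoformat()   # normal-volume mailbox
    lines.append(f"{ts} from=hr@corp.example to=bob@corp.example subj=Holiday schedule")
    return lines


def parse_log(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return sorted(events)


def detect_flood(events: List[Event], threshold: int = 50,
                 window: timedelta = timedelta(minutes=30)) -> Dict[str, int]:
    """Recipients whose inbound count inside any sliding window reaches threshold."""
    per_rcpt = defaultdict(list)
    for ev in events:
        per_rcpt[ev.rcpt].append(ev.ts)
    flooded = {}
    for rcpt, times in per_rcpt.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooded[rcpt] = peak
    return flooded


def triage(events: List[Event], flooded: Dict[str, int],
           watch_domains=("bank.example",)) -> List[Event]:
    """Surface messages from watched senders that landed in a flooded mailbox."""
    return [ev for ev in events
            if ev.rcpt in flooded and ev.sender.split("@")[-1] in watch_domains]
```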
Now Russian Hackers Are Using Brexit as Part of Their UK Cyber Attacks

In a Nutshell: Targets in the UK are sent an email with an attachment named Brexit 15.11.2018.docx. If they open it, they're met with jumbled-up text and a claim of an error relating to the document being created in an earlier version of Microsoft Word.

Next, users are urged to 'enable content' to see what the document claims to contain -- but if they follow through with this request, macros are enabled and the document's malicious macro retrieves and delivers the malware.

The malicious payload is Zebrocy, a trojan that has previously been observed being deployed as part of cyber espionage campaigns operating out of Russia.
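A defender-side triage check for the attachment lure described above, added as an example and not code from this newsletter or from ZDNet: it inspects an Office attachment's OOXML (zip) container for a VBA project regardless of the file extension, and recognises legacy OLE2 files that need a different parser. The sample packages are constructed inside the script and are not real Word documents.

```python
import io
import zipfile
from typing import List

# Markers of embedded VBA inside an OOXML (zip-based) Office package.
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of a legacy OLE2 compound file (the old binary .doc/.xls format).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def macro_indicators(package: bytes) -> List[str]:
    """Return the reasons an attachment looks macro-enabled (empty list = none).

    Only the container is inspected, so a VBA project travelling under a
    harmless-looking .docx name is reported exactly like a .docm would be.
    """
    if package.startswith(OLE2_MAGIC):
        return ["legacy OLE2 compound file: may hold VBA, needs an OLE parser"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(package))
    except zipfile.BadZipFile:
        return ["not an OOXML zip container"]
    reasons = []
    with zf:
        names = zf.namelist()
        for name in names:
            if name.lower().endswith(VBA_PART_SUFFIX):
                reasons.append(f"VBA project part: {name}")
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes:
                reasons.append("[Content_Types].xml declares a vbaProject part")
    return reasons


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal package for the demo; not a valid Word document."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    parts = {"word/document.xml": b"<w:document/>"}
    if with_macros:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
        parts["word/vbaProject.bin"] = b"placeholder VBA project bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>' + "".join(overrides) + "</Types>")
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample(False)),
                        ("sample_lure.docx", build_sample(True))):
        print(label, "->", macro_indicators(blob) or "no macro indicators")
```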

The UK's departure from the European Union appears to be the latest in a line of current affairs topics which the Russian hacking group Fancy Bear -- also known as APT28, Sofacy and a variety of other names -- is using in an effort to trick targets into opening emails and downloading malware.

It's believed that the campaign has actively targeted government departments -- particularly ministries of foreign affairs, political think-tanks, and defence organisations across Europe.

"The threat group is likely to be seeking access to insights on the latest political affairs, including confidential documents on national interests related to current news headlines such as Brexit," Michael Yip, security principal at Accenture Security's iDefense Threat Intelligence, told ZDNet.

Fancy Bear has been linked to a number of high-profile cyber campaigns in recent years, including cyber attacks and disinformation aimed at interfering with the US Presidential election.

It's also thought to have conducted additional espionage campaigns against a number of nation-states and international organisations. Full story at ZDNet:
What KnowBe4 Customers Say

"Yep, we’re doing just fine. Ran our first phishing campaign, and it went exactly as I predicted, right down to the percentage point. We will be revealing the results to our company on December 5. Already have a group policy ready to go to install the Phish Alert Button, and will engage our staff with a little phishing identification contest in January.

Who says internal phishing campaigns have to be negative? Not me! Thanks,"
B.D., IT Operations Engineer

Stu, Thank you for checking in! I am doing monthly phishing campaigns along with training and utilizing the Phish Alert Button reports. Everything is great so far and customer service is excellent! Thanks,
B.A., Vice President

PS, If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
Live in Europe? KnowBe4 Wants to Know What Keeps You up at Night!

IT Pros today have lots of security concerns such as ransomware, external attacks, data breaches and compliance mandates. Some issues you have locked down tight, while others are making you crazy!

We want to know what aspects of IT security you have covered, and which ones have you worried sick!

In this fast, 5-minute online survey, we want to hear about what issues are of great concern to you and your organization.

Hurry and take the survey now - be one of the first 500 to take the survey and have a chance to win one of several 500-dollar Amazon gift cards! (or equivalent in your local currency)

The 10 Interesting News Items This Week
    1. Marriott Breach Exposes More Than Just Customer Info. Did They Get In With Phishing?

    2. "How I Lost My $50,000 Twitter Username." Interesting social engineering story:

    3. Moscow's new cable car system infected with ransomware two days after launch:

    4. We Need to Talk About NIST’s Dropped Password Management Recommendations:

    5. Justice Dept. announces indictment of two Iranians in SamSam ransomware scheme:

    6. After a Hiatus, China Accelerates Cyberspying Efforts to Obtain U.S. Technology:

    7. Mass router hack exposes millions of devices to potent NSA exploit:

    8. Russian Hackers Haven't Stopped Probing The US Power Grid:

    9. Someone Hacked 150,000 Printers to Promote PewDiePie YouTube Channel:

    10. The Massive Marriott Data Breach: Some Practical Advice For Business Travelers:

    11. BONUS: KnowBe4 Fresh Content Update & New Features November 2018:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.