CyberheistNews Vol 8 #49
Why You Need to Make Security Awareness Training Mandatory. Read This Horror Story.

OK, so here is a horror story that you can prevent from happening in your own organization. Now and then we hear that KnowBe4 customers do not make the security awareness training mandatory, and that they allow their employees to choose whether they do the training or not. This is not a good idea. I am expressing myself mildly.

Here is some ammo to help you convince management that the training should be mandatory. This is an email we received from a system admin who sent it to all his users (the names are changed to protect the innocent).
From: Jonas
Sent: Monday, December 03, 2018 1:17 PM
To: ALL USERS
Subject: URGENT Information- I NEED YOUR HELP

Hello, Last week we had two incidents where $750,000 and $35,000 were stolen from the company by cyber crime. These amounts will most likely never be recovered. This should not have happened. These thefts occurred by allowing the bad guys into our network by what is called “Phishing”.

"Jonas" continues that 5 email accounts had been compromised and that they had become the victim of CEO fraud. You can imagine how the rest of this letter read. He basically begs his users to do the awareness training. It's here at the KnowBe4 blog:
https://blog.knowbe4.com/why-you-need-to-make-security-awareness-training-mandatory

55% of Companies Don't Offer Mandatory Security Awareness Training

A new study from our friends at Mimecast revealed that although most cyberattacks begin by compromising an end user, often via phishing attacks, a majority of organizations are not sufficiently training their end users to recognize those attacks. This new report showed that just 45% of organizations provide employees mandatory, formal cybersecurity training; another 10% give optional training.

According to Mimecast, even those organizations that require formal security training only do so sparingly: Six percent conduct sessions monthly, 4% quarterly, and 9% only when onboarding a new employee.

In addition, nearly one in four employees are not aware of common cyberthreats, such as phishing and ransomware, the study says. Sixty-nine percent are using corporate devices for non-work reasons (including news, personal email, social media). And then there are the extreme users: one in 10 employees use business devices for personal purposes more than four hours per day.

Nearly a Quarter of Your Users Will Shop Online at Work This Season

Staffing firm Robert Half Technology just reported that employees may be checking off shopping lists, not work tasks, this holiday season. Three-quarters (75 percent) of workers surveyed admitted to shopping during work hours on a company device, and 23 percent of all respondents said they plan to spend even more time on online bargain hunting while at the office.

If your organization has security-unsavvy users, you are at higher risk than normal until the end of the year. Stepping them through new-school security awareness training which includes frequent simulated phishing attacks is a must today.

Find out how affordable new-school security awareness training is for your organization. Get a quote now and get your program in gear for 2019; there are end-of-year specials going on at the moment:
https://info.knowbe4.com/kmsat_get_a_quote_now-chn
When Does a Legitimate Password Reset Email Feel Like a Phishing Attack? Just Ask Citrix Users

A recent password reset email from ShareFile (a Citrix company) put some users on edge, questioning both the email's legitimacy and why a reset was needed at all.

Very seldom do we ever get a “please change your password” email from a cloud vendor; unless it’s in response to a data breach, most of us, at best, have seen a request to update passwords as part of a routine logon.

But last week Citrix’s Enterprise File Sync and Share (EFSS) company, ShareFile, sent out an email notice informing users a password reset was required.

Brian Krebs of KrebsOnSecurity contacted Citrix, asking point-blank if a data breach had occurred, and was informed that one had not. He was told by Citrix spokesperson Jamie Buranich:

“This is not in response to a breach of Citrix products or services. Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attacker’s additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls. Citrix also directly integrates with common SSO solutions, which significantly reduces risk.”

However, comments from the Krebs article on this password reset email stated that even users with multi-factor authentication in place received the email.

It feels like a phish, though... Here is the story with screenshots:
https://blog.knowbe4.com/when-does-a-legitimate-password-reset-email-feel-like-a-phishing-attack-just-ask-citrix-users
"2019 Crystal Ball" Live Webinar: What Security Experts Worry About for 2019

Phishing getting laser-focused? Highly targeted ransomware attacks? Continued cryptojacking? Evil AI-based attacks? With 2018 coming to an end, it's time to dust off the crystal ball and see what 2019 has in store.

In this thought-provoking webinar, KnowBe4's Founder & CEO, Stu Sjouwerman, along with Chief Evangelist & Strategy Officer, Perry Carpenter, will take you into the future of social engineering and cybercrime.

Stu and Perry will give you a run-down of the big themes of 2018 and then dive deep into their predictions of what you need to prepare your organization and people for next year. You can't afford to miss this one.

Key topics covered in this webinar:
  • Understanding the current threat landscape
  • What has security experts worried for 2019
  • Next innovations of phishing, social engineering and crimeware
  • How to make your organization a hard target
  • Ways you can strengthen your last line of defense, your users
Date/Time: Thursday, December 13, 2018, 2:00 PM ET

Save My Spot!
https://event.on24.com/wcc/r/1887237/0B4556CFD185DB59148BEA6894D92D4D?partnerref=CHN
[Scam of the Week] New Sextortion Attacks Take a Dark Turn and Infect People With GandCrab Ransomware

Our friends at Proofpoint reported that last week employees in the United States were bombarded by a spam attack that pushed a double-whammy of a sextortion attempt combined with a possible ransomware infection.

Starting around May 2018, there have been a number of attack waves pushing different versions of sextortion threats.

There have been sextortion scams where the criminals claimed they were from China, where the hackers claimed they intercepted a user's computer cache data, where the hackers claimed to have hacked all of a victim's online accounts, where crooks claimed they hacked the victim's phone, or where crooks claimed to have recorded the user via his webcam while visiting adult sites.

These themes vary almost on a weekly basis, as scammers professionally test different themes and tactics to determine the best ROI. And they've been making money hand over fist.

But this week, sextortion scams took another dangerous turn. Security researchers at Proofpoint blogged they've seen a variation of a sextortion scam campaign that included a download link at the bottom of the blackmail message.

The scammers claimed to have a video of the user pleasuring himself while visiting adult sites, and they urged the user to access the link and see for himself. But Proofpoint says that instead of a video, users received a ZIP file with a set of malicious files inside.

Users who downloaded and ran these files would be infected by the AZORult malware, which would immediately download and install the GandCrab ransomware. Even if the user had no intention of paying the sextortion demand, curious users would still end up being held for ransom if they were careless enough to follow the link and run the files they received.

You should warn your users to delete these emails, or better yet, click on the (free) Phish Alert Button and report them to your organization's IT Incident Response team.

Here is the blog post with links and a ready-to-send blurb you can email to your users:
https://blog.knowbe4.com/scam-of-the-week-new-sextortion-attacks-take-a-dark-turn-and-infect-people-with-gandcrab-ransomware
Live Demo: KCM GRC - Get Your Audits Done in Half the Time

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! We have expanded the existing KCM product with new Risk and Policy Management modules, transforming KCM into a full SaaS GRC platform!

Join us Wednesday, December 12th at 1:00 PM (ET), for a 30-minute live product demonstration of the new KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • NEW Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, December 12th at 1:00 PM (ET)

Save Your Spot!
https://event.on24.com/wcc/r/1878893/B91A08F5F58179AF842068286C7E9E12?partnerref=CHN
[LAST CHANCE] Will you get spoofed over the holidays? Find out for a chance to win!

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly ‘security awareness’ trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. Plus if you’re in the US or Canada, you'll be entered for a chance to win a $500 Amazon Gift Card* (just in time for the holidays)!

Hurry, the offer ends December 14th. Find out now whether your email server is configured correctly; many are not...

Try to Spoof Me!
https://info.knowbe4.com/dst-sweepstake-nov-dec2018

*Sweepstakes end date: 12/14/18. US and Canada Only. Terms and conditions apply.
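A defender-side check for the configuration the Domain Spoof Test probes, written for this newsletter as an added example (it is not KnowBe4's test or its code): it parses a domain's SPF and DMARC TXT records and rates how a receiver would treat a message forging that domain's address. The record strings are constructed samples for fictional domains, a real check would fetch them from DNS (TXT at the domain and at _dmarc.<domain>), and the high/medium/low rating is a simplified heuristic assumed here.

```python
import re

# Constructed sample records for three fictional domains (not real DNS data).
SAMPLE_RECORDS = {
    "unprotected.example": (None, None),
    "monitor-only.example": (
        "v=spf1 include:_spf.mail.example ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    ),
    "hardened.example": (
        "v=spf1 ip4:192.0.2.0/24 -all",
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
    ),
}


def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' when the record has no 'all' term (implicit neutral), or None when
    the TXT string is not an SPF record at all."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return "?"


def parse_dmarc(txt):
    """Return the DMARC record's tag=value pairs, or None if it is not DMARC."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spoof_risk(spf_txt, dmarc_txt):
    """Rate (high/medium/low) how a forged From: address in this domain would
    fare at a typical receiver, with the reasons. Simplified heuristic."""
    reasons = []
    spf_all = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt) or {}
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    enforcing = policy in ("reject", "quarantine")

    if spf_all is None:
        reasons.append("no SPF record: any host may send as this domain")
    elif spf_all == "+":
        reasons.append("SPF '+all' passes every sender, which also satisfies DMARC")
    elif spf_all == "?":
        reasons.append("SPF '?all' is neutral: unknown senders are not rejected")
    elif spf_all == "~":
        reasons.append("SPF '~all' softfail: many receivers only mark, not reject")
    if not dmarc:
        reasons.append("no DMARC record: the From: header is not protected")
    elif not enforcing:
        reasons.append("DMARC p=none: monitoring only, forged mail is still delivered")
    elif pct < 100:
        reasons.append(f"DMARC pct={pct}: policy applied to only part of the mail")

    if spf_all == "+":
        risk = "high"           # SPF pass on a forged message aligns with From:
    elif enforcing:
        risk = "low" if pct == 100 else "medium"
    elif spf_all == "-":
        risk = "medium"         # hard fail helps, but only at SPF-checking receivers
    else:
        risk = "high"
    return risk, reasons


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        risk, reasons = spoof_risk(spf, dmarc)
        print(f"{domain}: {risk}")
        for r in reasons:
            print("  -", r)
```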

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Check out the *new* position that KnowBe4 has in the new Gartner Magic Quadrant!
https://blog.knowbe4.com/knowbe4-named-a-leader-in-the-2018-gartner-magic-quadrant
Quotes of the Week
"My general attitude to life is to enjoy every minute of every day. I never do anything with a feeling of, 'Oh God, I've got to do this today.'" - Richard Branson

"Just don't give up trying to do what you really want to do. Where there is love and inspiration, I don't think you can go wrong." - Ella Fitzgerald



Thanks for reading CyberheistNews
Security News
Cybercriminal Group Uses Contact Lists to Target Tens of Thousands of CFOs

A cybercriminal group has compiled a list of more than 50,000 corporate executives for use in business email compromise (BEC) attacks, according to researchers at Agari. Over half of the 50,000 executives on the list were located in the US, and 35,000 of the targets were chief financial officers.

The criminal gang, which the researchers call “London Blue,” uses information obtained from commercial data brokers to conduct massive, targeted phishing campaigns, without investing the time and effort that normally goes into spear-phishing attacks.

The researchers discovered London Blue when the group targeted Agari’s CFO by posing as the company’s CEO. Agari employees recognized the email as fraudulent and corresponded with the attackers to draw them in. Through this engagement, researchers were able to glean information about the group’s activities.

London Blue’s principal members are located in Nigeria. Seventeen of its constituents, primarily money mules, are located in Western Europe and the United States. The group exhibits the competence and proficiency of a massive business, with members filling various roles that would be found in any professional company.

“London Blue operates like a modern corporation,” the researchers write. “Its members carry out specialized functions including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules).”

Researchers believe the group has already stolen hundreds of thousands of dollars. According to the FBI, BEC attacks in general have caused over $12 billion in global losses over the past five years, and are increasing in popularity. These attacks appeal to criminals because they generally don’t involve complex hacking techniques. Instead, they trick individual employees into transferring money directly into the attackers’ pockets.

New-school security awareness training can help give employees the experience necessary to recognize social engineering attacks, regardless of what form they may take. ZDNet has the story:
https://www.zdnet.com/article/this-phishing-scam-group-built-a-list-of-50000-execs-to-target/
GreyEnergy Malware Spreads Through Phishing Emails

The GreyEnergy APT primarily uses phishing emails as its initial infection method, according to analysis by Nozomi Networks. The malware has been targeting industrial control systems in Ukraine and Eastern Europe for years, and uses tools that allow it to avoid detection within networks for extended periods of time.

According to Alessandro Di Pinto, a security researcher at Nozomi Networks, the phishing emails contain a Word document that asks victims to “Enable Content.” Once this button is clicked, the malware begins its execution. The malware sample analyzed by Di Pinto was likely used for espionage campaigns rather than infecting industrial control systems. While malicious Word documents are a common mode of infection in attack campaigns, Di Pinto says that, in this case, the sophistication of the malware makes it stand out.

“Having completed my analysis, it’s evident that the GreyEnergy packer does a great job of slowing down the reverse engineering process. The techniques used are not new, but both the tools and the tactics employed were wisely selected. For example, the threat actor chose to implement custom algorithms that are not too difficult to defeat, but they are hard enough to protect the malicious payload.

Additionally, the broad use of anti-forensic techniques, such as the wiping of in-memory strings, underlines the attacker’s attempt to stay stealthy and have the infection go unnoticed.”

All of this takes place after a victim enables macros in the malicious Word document. The vast majority of security breaches start with phishing attacks because attackers know that phishing is as effective as it is easy to carry out. If just one employee falls for a scam, attackers can gain a foothold within the network. New-school, interactive awareness training is an essential tool for organizations to give their employees the ability to identify phishing emails. Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/news/phishing-used-to-launch/
Google Maps’ Bank Listings Updated by Scammers

Scammers are taking advantage of Google Maps by modifying the contact information of the service’s bank listings. After replacing banks’ legitimate phone numbers with numbers of their own, the attackers wait for victims to call and then trick them into revealing sensitive information.

This scam is harder to detect than most, since the victim is the one who initiates contact with a supposedly trusted source. The scammers know that anyone who calls the number will think they are calling their bank, which likely gives the scammers a much higher rate of success than they would get from cold-calling unsuspecting people.

Since Google Maps can be edited by anyone, the service relies on the trustworthiness of its users to update its listings with accurate information. Inevitably, people with malicious intent found a way to abuse the service. Google issued the following statement in response to these scams:

“Overall, allowing users to suggest edits provides comprehensive and up-to-date info, but we recognize there may be occasional inaccuracies or bad edits suggested by them. When this happens, we do our best to address the issue as quickly as possible.”

Any service that offers user-generated content has potential inaccuracies. Rather than relying on Google Maps for contact information, it’s a better idea to call the number on the back of your bank card or to go directly to a bank’s website to find its phone number. Awareness training can give employees the ability to identify situations in which they should be wary of misinformation. HackRead has the story:
https://www.hackread.com/fraudsters-changing-contact-details-of-bank-on-google-maps/
The Case for a Human Security Officer

Interesting opinion piece in DarkReading. Wanted: a security exec responsible for identifying and mitigating the attack vectors and vulnerabilities specifically targeting and involving people.

It is clear that end users are a major, if not the primary, attack vector for most significant attacks. Whether using phishing, traditional social engineering, or physical compromise, sophisticated attackers know that it is easier for them to find a successful entry point into an organization by targeting users instead of by probing for technology weaknesses. As important, well-meaning users cause more damage in aggregate than malicious parties ever could. In response, there is a focus on trying to make users more resilient through awareness.

The reality is that this works to an extent, but more is required.

Technology is in place to stop user actions in advance, as it should be. In the safety field, it is believed that around 90% of workplace accidents are avoided by creating an environment that prevents employees from being exposed to situations where they can be injured. For example, in one factory where employees were frequently struck by forklifts, they painted a line down aisles, creating distinct walkways. This one change alone reduced almost all accidents involving forklifts. The remainder of the incidents were the result of walkers who were looking at their cellphones and drifted into the forklift because they weren't paying attention.

In the cybersecurity world, one equivalent of creating a secure environment is anti-malware software, spam filters, and PC protections that prevent users from installing software. Creating a secure environment filters out more than 99.9% of potential attacks before they can reach the user, or stops the user from causing damage. But clearly, attacks still make it through, which means awareness is still necessary to reduce the risk.

The truth is that awareness programs should focus on how users should do their jobs properly and not on what they should be afraid of. This requires a definition of proper governance. You cannot expect users to detect every possible trick, but they should at least be able to follow proper procedures in how to act appropriately.

Focus on the User

While in general most companies have some form of software to defend against attacks reaching users, some form of awareness, and something that resembles policies and procedures, these efforts are uncoordinated and haphazard. There is no focused effort to stop specific attacks or user actions.

To address this concern, what is required is a position that I call the human security officer (HSO), who is responsible for specifically identifying the different attack vectors and vulnerabilities involving people. The HSO examines where problems may arise and identifies the optimal ways to prevent, detect, and respond to the attacks or user actions.

Some people may contend that this is the job of the CISO or perhaps an awareness manager. The reality is that awareness people have a very specific role and focus on providing information to people in an attempt to get them to improve their security-related behaviors. The awareness team does not have the responsibility -- and especially not the authority -- to account for all aspects of preventing and mitigating vulnerabilities. The awareness team should report to the HSO. Full article here:
https://www.darkreading.com/endpoint/the-case-for-a-human-security-officer/a/d-id/1333393
New SANS newsletter OUCH! December: “Yes, You Are a Target”

SANS said: "We are excited to announce December's edition of the OUCH! newsletter - “Yes, You Are a Target”. We explain why you are a target, how you and your accounts have value and, just as importantly, what you can do to protect yourself. As always, the OUCH! newsletter is translated into over 20 languages. Download and share OUCH! with family, friends and co-workers." You Are a Target:
https://www.sans.org/security-awareness-training/resources/yes-you-are-target
What KnowBe4 Customers Say

"Hi Stu – Thanks for the email. I am happy to report that I am a very happy camper – but I wasn’t just a few short months ago. I started noticing that our users were susceptible to just about any type of cyber-attack you could imagine, from general spam and phish emails to spear-phishing and emails with viruses. To see how bad it was, I created a Google email address and a Google form, and sent it to all of our employees. I was able to get the emails and passwords for 16 people here! With only 120 staff with email addresses, that is an alarming number (1 is enough to do damage, but 16??!!). We purchased your product within a week, and rolled out fundamentals training and the phishing game. The staff commented on how good the training was and that they found it very engaging and informative.

I then created a phishing campaign using your software (so much easier than manually sending out all of those Google forms 1 by 1), to see if our staff actually learned anything. Out of 119 emails, only 5 people clicked on the link and no one filled out any information. That is a pretty amazing improvement, especially since our workforce is skewed towards the older side and not tech savvy at all.

The sales process was also very easy, and your customer support is excellent. Casey Woodruff is an asset! She should get the employee of the month parking spot for sure. Thanks for checking in, I appreciate it."
- I.J. Director of IT



"Thanks for the follow-up. Yes I am a "happy camper". The training and phishing service is what we expected however what has made it even better is the reporting and data available for both as well as the Email Exposure Check. We had not experienced anything like this from our prior security training provider.

It is refreshing. We are also thrilled with the availability and variety of training modules. When a topic comes up, our first reaction is "let's see what KnowBe4 offers" and generally it's there. We are having a great experience.

I wish you, your family and the team at KnowBe4 the best of Holidays."
L.L. - Chief Technology Consultant



PS: If you want to see KnowBe4 compared to other products on an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:
https://www.gartner.com/reviews/market/security-awareness-computer-based-training
Live in Europe? KnowBe4 Wants to Know What Keeps You up at Night!

IT Pros today have lots of security concerns such as ransomware, external attacks, data breaches and compliance mandates. Some issues you have locked down tight, while others are making you crazy!

We want to know what aspects of IT security you have covered, and which ones have you worried sick!

In this fast, 5-minute online survey, we want to hear about what issues are of great concern to you and your organization.

Hurry and take the survey now - be one of the first 500 to take the survey and have a chance to win one of several 500-dollar Amazon gift cards! (or equivalent in your local currency)

TAKE THE SURVEY NOW
https://www.surveymonkey.com/r/23528MJ
The 10 Interesting News Items This Week
    1. That was fast! Bad Guys Are Using The Marriott Breach For Phishing Attacks:
      https://blog.knowbe4.com/that-was-fast-bad-guys-are-using-the-marriott-breach-for-phishing-attacks

    2. NVIDIA Creates First Artificial Intelligence Rendered Virtual World. (boots up Second Life)
      https://geekologie.com/2018/12/nvidia-creates-first-artificial-intellig.php

    3. Phishing at centre of cyber attack on Ukraine infrastructure:
      https://www.computerweekly.com/news/252453892/Phishing-at-centre-of-cyber-attack-on-Ukraine-infrastructure

    4. More data joy: Email scammers are buying marks' info from legit biz intelligence firms:
      https://www.theregister.co.uk/2018/12/06/email_scammers_use_business_intelligence_services/

    5. Exclusive: Clues in Marriott hack implicate China - sources:
      https://www.reuters.com/article/us-marriott-intnl-cyber-china-exclusive-idUSKBN1O504D

    6. He's not cracked RSA-1024 encryption, he's a very naughty Belarusian ransomware middleman:
      https://www.theregister.co.uk/2018/12/04/ransomware_helper_was_middleman_dr_shifro/

    7. U.S. Readies Charges Against Chinese Hackers:
      https://www.wsj.com/articles/u-s-readies-charges-against-chinese-hackers-1544206196?

    8. Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers:
      https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/

    9. DHS Says SamSam Ransomware is Targeting Critical Infrastructure Entities:
      https://www.securityweek.com/dhs-says-samsam-ransomware-targeting-critical-infrastructure-entities

    10. DeepPhish Project Shows Malicious AI is Not as Dangerous as Feared...Yet:
      https://www.securityweek.com/deepphish-project-shows-malicious-ai-not-dangerous-feared
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Tom Cruise on Twitter: "I’m taking a quick break from filming to tell you the best way to watch Mission: Impossible Fallout at home." This is a strong argument against the Hi-Def TV Motion Smoothing feature, a modern day equivalent of "edited for full screen.":
      https://t.co/oW2eTm1IUA

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.