CyberheistNews Vol 9 #17 [Heads-Up] Slippery Phishing Attack Spoofs Email Security Firm

There is a nasty new way that the bad guys are trying to establish trust: spoofing the return path and received email headers of Barracuda in an attempt to steal O365 credentials. Email security firm GreatHorn had the scoop on this attack.

So how did it happen?

“The attackers crafted the received headers so that it appears to have gone through multiple 'Barracuda' steps, before sending the email via a server designed to look like a Barracuda server.” Among the phishing emails sent in this case was one purportedly coming from “Email Quarantine.” It included the message-id:

GreatHorn continued that the attack “exploits a well-known security flaw in Google and Microsoft’s handling of authentication frameworks such as DMARC. While an organization can dictate how it wants DMARC failures and exceptions to be handled, Microsoft Office 365 typically ignores those directives and, at best, treats them as spam or junk instead of quarantining or rejecting them, making it more likely for the user to interact with such spoofs.”

You could easily see this attack replicated with another security company.

GreatHorn says it discovered the attack last Thursday, then found a subset on Friday. The firm concludes: “While the spoofing victim in this case was Barracuda, you could easily see this strategy replicated using any other well-known security company to try and trick more savvy users.”

Yikes. Could be Symantec, McAfee, or even KnowBe4. Keep your admin security awareness level set at HIGH!
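As an added example (not GreatHorn's, Barracuda's or KnowBe4's code), here is a small Python mail-flow check that does locally what the write-up says the receiving platform failed to do: it parses a constructed message whose Received chain claims Barracuda hops, flags hops whose connecting address is not a known vendor relay, and applies the sender's published DMARC policy itself. The hostnames, addresses, message and the trusted-relay prefix are constructed assumptions.

```python
# Added example, not code from GreatHorn, Barracuda or KnowBe4: a mail-flow check
# for spoofed vendor Received hops and for DMARC failures the platform only tagged.
import email
import re

# Constructed sample: From domain publishes p=reject, message fails DMARC, and the
# Received chain claims two hops through "barracuda" hosts (documentation values).
SAMPLE = """\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
\tby mx.example.com with ESMTP; Thu, 18 Apr 2019 09:12:41 -0400
Received: from bsmtp.barracudanetworks.example ([198.51.100.9])
\tby mail-relay.example.net with ESMTP; Thu, 18 Apr 2019 09:12:40 -0400
Received: from scan.barracudanetworks.example (localhost [127.0.0.1])
\tby bsmtp.barracudanetworks.example; Thu, 18 Apr 2019 09:12:39 -0400
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.org;
\tdkim=none; dmarc=fail (p=reject) header.from=example.org
From: "Email Quarantine" <quarantine@example.org>
Message-ID: <constructed-0001@example.org>

Review your quarantined messages here.
"""

# Hypothetical allow-list of netblocks the vendor's relays really use (assumption).
TRUSTED_RELAY_PREFIXES = ("203.0.113.",)

def received_chain(msg):
    """(claimed_host, connecting_ip) for each Received hop, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+).*?\[([\d.]+)\]", hdr, re.S)
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops

def spoofed_vendor_hops(msg, vendor_keyword="barracuda"):
    """Hops that name the vendor but arrived from an address outside its relays."""
    return [(h, ip) for h, ip in received_chain(msg)
            if vendor_keyword in h and not ip.startswith(TRUSTED_RELAY_PREFIXES)]

def dmarc_verdict(msg):
    """Pull dmarc=<result> and the sender's published p= from Authentication-Results."""
    m = re.search(r"dmarc=(\w+)(?:\s*\(p=(\w+)\))?", msg.get("Authentication-Results", ""))
    return (m.group(1), m.group(2) or "none") if m else ("none", "none")

def analyze(raw):
    """Return the evidence found and the action the sender's own policy calls for."""
    msg = email.message_from_string(raw)
    result, pol = dmarc_verdict(msg)
    spoofed = spoofed_vendor_hops(msg)
    if result == "fail" and pol in ("reject", "quarantine"):
        action = pol                      # honour p=reject / p=quarantine ourselves
    else:
        action = "quarantine" if spoofed else "deliver"
    return {"dmarc": (result, pol), "spoofed_hops": spoofed, "action": action}
```

On the sample this returns action "reject"; with a passing DMARC result the forged Barracuda hops alone still send the message to quarantine for review.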

Continued with links to greater technical detail and screenshots at:
Is Managing Your Vendor Risk Taking up Too Much of Your Time?

You told us you have challenging compliance requirements, and keeping up with risk assessments is a continuous problem.

Good news! We are excited to announce we have expanded our new KCM GRC product with the new Vendor Risk Management module.

KCM now includes four modules: Compliance, Policy, Risk and Vendor Risk. Now, you can effectively and efficiently manage risk and compliance within your organization and across your third-party vendors, while gaining insight into gaps within your security program.

The new KCM GRC platform helps you get your audits done in half the time, is easy to use, and is surprisingly affordable. No more: "UGH, is it that time again!"

KCM GRC simplifies the challenges of managing your compliance, risk, and audit projects, enables you to efficiently manage GRC initiatives, and understand at a glance what items need to be addressed.

Get a first look at the new Vendor Risk Management module.

Watch this 8-minute on-demand product demonstration for a first look at the new Vendor Risk Management module. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • Keep track of third-party vendor compliance requirements, services they provide, and what data they have access to in one centralized repository
  • Vet, manage, and monitor your third-party vendors’ security risk requirements
  • Streamline vendor assessments with automated workflows and campaigns
  • Ensure standard and consistent assessments with pre-built managed vendor assessment templates
See how you can get audits done in half the time at half the cost!

Watch This 8-min Demo Right Now and Learn How You Can Save Days of Work:
[SCAM OF THE WEEK]: Notre Dame Disaster Causes Firestorm of Social Engineering and Misinformation

The Notre Dame Cathedral in Paris caught fire and was barely saved from total destruction. Millions of people visit every year and hundreds of millions feel a powerful, and personal, sense of connection to it. I visited it myself quite a few times during the four years I lived in Paris.

Seeing the cathedral burn was a tragedy, and the bad guys were faster than ever to leverage it into misinformation and social engineering.

One Twitter account stated that the fire was the work of terrorists, and another misrepresenting itself as Fox News posted a fake quote from a Muslim congresswoman allegedly saying “they reap what they sow.” (She said no such thing.) CNN Politics was also spoofed. Here is an example screenshot that BuzzFeed exposed as a fake, and a ready-to-copy-and-paste blurb to send to your users:
Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats and, just as importantly, manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a new product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us TOMORROW, April 24th at 2:00 pm (ET), for a live 30-minute demo of the new PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: TOMORROW, April 24th at 2:00 pm (ET)

Save my Spot!
[Heads-Up] Your Email Security Vendor Will Never Admit It, But...

Depending on the product, they have an average 7-15% failure rate. And it's not us saying that, it's them! They monitor each other's products and frequently report on their competitors' unacceptably high failure rates. Whatever the actual numbers are, too many malicious emails make it through your filters and you need a strong human firewall as your last line of defense! Old-school awareness training does not hack it anymore.

See Ridiculously Easy Security Awareness Training and Phishing

Join us on Wednesday, May 1st @ 2:00 p.m. (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization
  • Advanced Reporting on 60+ key awareness training indicators
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes
  • Identify and respond to email threats faster. Enhance your incident response efforts with the PhishER add-on!
Find out how 24,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, May 1st @ 2:00 pm (ET)

Save My Spot!
I Need Your Input and I've Got a One-Question Super Short Survey!

Are you lacking a (free) tool that gives you more insight about social engineering risks that your users are exposed to? Please describe it so that we can build one! Here is the Surveymonkey link:

PS: If you don't like to click on redirected links, please Copy & Paste the link into your browser

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Affection is responsible for nine-tenths of whatever solid and durable happiness there is in our lives." - C. S. Lewis

"We hold these truths to be self-evident: that all men are created equal; that they are endowed by their Creator with certain unalienable rights; that among these are life, liberty, and the pursuit of happiness." - Thomas Jefferson

Thanks for reading CyberheistNews
Security News
A GA County School System Only Just Escaped a Two Million Dollar Cyber Attack

Armor, a leading global cloud security solutions provider, read the news about a recent cyberattack in which hackers targeted the payroll department of the city of Tallahassee, FL and absconded with almost $500,000. Armor’s Threat Resistance Unit (TRU) began digging to find out whether there had been other similar attacks in recent months. They found that a series of cyberattacks targeting payroll departments and payroll services had transpired.

Armor’s TRU team discovered that three payroll-related cyberattacks have occurred between February and April 2019 in the southeastern U.S. Interestingly, these incidents came on the heels of the massive "Collection #1" data dump discovered in January 2019.

TRU’s analysis of the Collection #1 data revealed that amongst the almost 773 million unique email addresses and passwords were the email credentials and plain-text passwords for over 240 payroll departments from apparently at least 240 different organizations.

While Armor is not aware of any connection between these payroll-related attacks, the incidents follow a September 2018 warning from the FBI's Internet Crime Complaint Center (IC3) that cybercriminals are targeting the online payroll accounts of employees in a variety of industries to include education, healthcare and commercial airway transportation.

According to the IC3, these attacks use phishing emails to steal employee login credentials. Armed with these credentials, the attackers can access employee payroll accounts and modify account settings to prevent the employees from receiving alerts about changes made to their payroll direct deposit status. Direct deposit destinations are then changed so that payroll deposits are redirected to accounts controlled by the cybercriminals, often prepaid cards.

These security incidents serve as a stark reminder to organizations to stay on top of the latest cyber threats, including managing risks posed by third-party vendors and partners. Below are some suggested mitigations from Armor.

9 Security Tips for Protecting Against Payroll-Related Cyberattacks:
Here Are Few Game of Thrones Phishing Scams You Should Know About and How to Avoid Them

With the Game of Thrones (GoT) Season 8 finally airing, bad guys are using a variety of social engineering tactics to trick your end-users.

GoT is now being claimed to be one of the major sources of malware infections for PCs across the globe.

A report by Kaspersky Labs recently revealed that hackers extensively used malware disguised as episodes of GoT to infect computers.

Check Point researched how many websites are using GoT phishing to scam users and steal their data, and found that there are now dedicated websites that use the official branding of the show and claim to run official competitions to win a special gift pack of GoT merchandise. There is, however, no such prize; the site instead collects as many email and mobile phone details as possible, which could be used in future phishing campaigns.

During its research Check Point also found bogus "official Game of Thrones merchandise" sites that collect credit card details of users and deliver...nothing. And then there are the fake torrent sites that promise the next episode and deliver malware instead. Warn your users not to fall for these scams.
A Mystery Agent Is Doxing Iran's Hackers and Dumping Their Code

Alyssa Foote at WIRED wrote: "Nearly three years after the mysterious group called the Shadow Brokers began disemboweling the NSA's hackers and leaking their hacking tools onto the open web, Iran's hackers are getting their own taste of that unnerving experience.

For the last month, a mystery person or group has been targeting a top Iranian hacker team, dumping their secret data, tools and even identities onto a public Telegram channel—and the leak shows no signs of stopping.

Since March 25, a Telegram channel called "Lab Dookhtegan" or "Read My Lips" has been systematically spilling the secrets of a hacker group known as APT34 or Oilrig, which researchers have long believed to be working in service of the Iranian government.

So far, the leaker or leakers have published a collection of the hackers' tools, evidence of their intrusion points for 66 victim organizations across the world, the IP addresses of servers used by Iranian intelligence, and even the identities and photographs of alleged hackers working with the OilRig group. Continued here, with link to full WIRED article:
Social Security Scam Update

The Social Security scam we mentioned last week is proving to be extremely successful, according to CBS News. The Federal Trade Commission (FTC) says that 76,000 people have reported the scam, which tries to take advantage of victims’ misunderstandings about Social Security numbers.

According to the FTC, this scam has surpassed the popular IRS tax scam. That scam collected $17 million in its best year, while the Social Security scam is already past $19 million in its first year.

“What we have are scammers who have decided that it's too recognizable to pretend to be the IRS anymore,” Monica Vaca from the FTC told CBS News. “They know that they can't get away with that nearly as easily. So they've come up with a new angle, a new twist. Something people aren't expecting.”

Wayne Chertoff, one of the scam’s victims, told CBS that he received a call from a woman who told him someone in Texas was using his name and Social Security number to send thousands of dollars to Mexico and Colombia, and that there was a warrant for his arrest. The woman told him he needed to buy $1,400 worth of Google Play cards and then read the codes to her over the phone.

Chertoff did so, under the impression that he would get the money back. He didn’t realize he’d been scammed until the next day, when no one called him back. “One thing led to another and now I'm sitting here,” he said.

These scams are easy to avoid if people know what to expect and how to detect them. New-school security awareness training can help your employees resist these types of scams by teaching them about common tactics used by scammers. CBS News has the story:
What KnowBe4 Customers Say

"Hi Stu, thanks for reaching out. Yes, the KnowBe4 service is working out very well. The baseline phishing test was very successful; eye opening rather. Training has also started off well. We’re working out some technical issues of users who are overdue on training not being able to access the training to finish, but we are actively working on this with tech support.

All-in-all we are very satisfied with the KnowBe4 service and the awareness our end users are achieving."
- H.W., Head of R&D Ops and IT

"Good morning, I thought you may like some additional feedback. The biggest complaint is 'Oh no, not another awareness training' and I really do have to agree. We have never been able to get above 80%; most are between 40% and 60%.

But the great news... The video series “The Inside Man” is a huge hit. Everybody that is watching it sees much more value and they are looking forward to the next episode. I have a new episode drop every Monday.

Comments are “Like a mini Netflix”, it draws you in. The chatter is who are they rooting for. Figuring out the Why. One comment, at the end a few more takeaways and we hope the quality is maintained for the future. Thanks for the video!"
- M.D., Security & IT Operations
The 10 Interesting News Items This Week
    1. China Is Spying On Undersea Internet Cables, Just Like The Five Eyes Do:

    2. 6 Ways To Fight "Deploy And Decay":

    3. Fortune Magazine: How And Why KnowBe4 Got An 800+ Million Valuation:

    4. [InfoGraphic] 56 Must Know Data Breach Statistics for 2019:

    5. New Legal Podcast Commenting On Cofense Forced Sale After Russian Money Problems:

    6. Mueller report: Russians gained access to Florida county through spear phishing:

    7. How Not to Acknowledge a Data Breach. The Wipro dumpster fire:

    8. The Wipro Breach: Why Managed Service Providers Are At Risk:

    9. Malware Authors Have Already Won the Iron Throne:

    10. The State of the Station. A report on hackers in the energy industry:

    11. BONUS: Cisco Talos says state-sponsored attackers are battering DNS to gain access to sensitive networks and systems:
Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • I drive a Model S P100D, but Tesla Model 3 is now available to lease for a small down payment and competitive monthly payments. The Model 3 is affordable and a total blast to drive. Here is my referral code:

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
