CyberheistNews Vol 9 #2 "10 Incredible Ways You Can Be Hacked Through Email & How to Stop Them"


I've got something you want to see. Email is still the #1 attack vector the bad guys use. A whopping 92% of malware is delivered by email, but email hacking is much more than phishing and launching malware!

Join Roger A. Grimes, KnowBe4's very own Data-Driven Defense Evangelist and security expert with over 30 years of experience. In this brand new webinar he will explore 10 ways hackers can and do trick your users into revealing sensitive information or executing malicious files. Plus, he'll share a new (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick.

Roger will teach you:
  • How silent malware launches, remote password hash capture, and rogue rules work
  • Why rogue documents, establishing fake relationships and getting you to compromise your ethics are so effective
  • Details behind clickjacking and web beacons
  • Actionable steps showing how to defend against them all
If all you were worried about was phishing attempts, think again. Join Roger at:

Date/Time: Wednesday, January 16th at 2:00 pm (ET)

Save My Spot!

Your New Year's No. 1 Resolution: "Get Board Air Cover for Cybersecurity"

In 2019, we're all going to be confronted with new ways bad guys have figured out to hack our networks and our users. Your board has the job to prevent impact on both your business reputation and shareholder value.

Your strategy for 2019 should be to get as much air cover as possible from your board, and one of the most successful tactics to get there is to educate and enlighten them as much as possible about the risks.

For 2019, they need to understand that cybercrime will get more sophisticated, that ransomware will get more expensive and targeted (just see the latest RYUK attacks), that all kinds of devices hooked up to the network are insecure by design, but that employees can be successfully transformed into a human firewall, which is a strong last line of defense.

Educating your board is one of the most productive things you can do to secure your network. That's why KnowBe4 created the Executive Series Micro Modules:
  • Executive Series: Social Engineering the Executive - 2 mins
  • Executive Series: Ransomware and Bitcoin - 4 mins
  • Executive Series: Decision-Maker Email Threats - 4 mins
  • Executive Series: Remote and Travel WiFi Dangers - 3 mins
  • Executive Series: Social Media Precautions for Executives - 3 mins
  • Executive Series: Safe Web Browsing With Corporate Devices - 3 mins
  • Executive Series: Secure Destruction of Sensitive Information - 2 mins
  • Executive Series: Mobile Device Security - 3 mins
  • Executive Series: CEO Fraud - 3 mins
  • Executive Series: Securely Working From Home - 2 mins
Anyone can spend 2-4 minutes per week to step through these, and the feedback has been very good.

Your board also will need to come to grips with the fact that legislation will fall behind even further, and that what does come out might not be very effective at best or be another burden at worst. Last but not least, supply chains are a vital part of many organizations' operations, but have become another attack vector that needs to be mitigated. It boils down to this: they need to be educated so that they can see the risks and release the budget you need.

Get no-charge access to the KnowBe4 Modstore and show a few of these modules to your C-level execs and Board:

Don't Miss the January Live Demo: Simulated Phishing and Awareness Training in Action

Old-school awareness training does not hack it anymore. Your email filters have an average 10.5-15% failure rate; you need a strong human firewall as your last line of defense.

Join us for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
    • NEW Identify and respond to email threats faster. Enhance your incident response efforts with the brand-new PhishER add-on!
    • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
    • Advanced Reporting on 60+ key awareness training indicators.
    • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
    • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
    • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 23,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, January 9th at 2:00 pm (ET)

Save My Spot!

International Legal Tech Association: "KnowBe4 Is The Biggest Winner in Awareness Content"

The International Legal Technology Association is the largest peer-driven association for technologists in the legal field.

The ILTA's most prestigious publication each year is their annual Technology Survey. It provides substantive data against which you can benchmark your organization's technology implementations and future plans.

The recent 2018 survey reports the input of 481 firms representing more than 92,000 attorneys and 188,000 total users. We know you'll benefit from a review of the full analysis, priced at $500 for members, but the Executive Summary is a free download, no registration required.

When we had a look, to our great surprise, KnowBe4 was mentioned on page 10 where they wrote:

"With increasing resources focused on a robust security portfolio... how do IT departments juggle the workload?

"Two answers that seem to bubble up in every iteration of this survey are simplification and efficiency. One example would be purchasing a security awareness training program, rather than building it every year. The need to keep this material interesting and relevant necessitates an annual refresh and some significant creativity, which can consume cycles in the training department.

"The obvious solution is to tap into one of the many security and training vendors for material, signage, creative ideas and even online content that can be delivered individually or via a Learning Management System (use of these LMS platforms jumped 4 points this year.)

"Although the number of firms reporting that they develop training content in-house jumped eight points on this survey, the number of firms developing security awareness content in particular has fallen 49 points over the last four years! The biggest winner in packaged security awareness content is KnowBe4, which jumped 15 points since last year and 35 points over four years."

We are thrilled to see our exponential growth in the legal profession! The blog post has the link to the free Exec Summary download and the graphic showing the expansion:

Live Demo: KCM GRC - Get Your Audits Done in Half the Time

KCM GRC simplifies the challenges of managing your compliance, risk, and audit projects, enabling you to efficiently manage GRC initiatives and understand at a glance which items need to be addressed.

Join us on Tuesday, January 15th at 1:00 PM (ET), for a 30-minute live product demonstration of the new KCM GRC platform from KnowBe4. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it’s time for risk assessments and audits.
  • NEW Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Tuesday, January 15th at 1:00 pm (ET)

Save My Spot!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: I'm super excited about the PhishER release. It's a brand-new KnowBe4 product that helps your team prioritize and manage potentially malicious messages reported by your users. Identify and respond to email threats fast!

Quotes of the Week
"Learning never exhausts the mind." - Leonardo da Vinci, Painter, Sculptor, Architect, Musician, Mathematician, Engineer, Inventor, Anatomist, Geologist, Cartographer, Botanist & Writer (1452 - 1519)

"The beautiful thing about learning is nobody can take it away from you."
- B. B. King, Musician (1925 - 2015)

Thanks for reading CyberheistNews

Security News

Facebook Hoax Convinces Users to Post a Status to Bypass Newsfeed Algorithm

Another viral Facebook hoax is claiming to let users bypass a Facebook algorithm that supposedly limits the number of friends that can see their posts, according to Lisa Vaas at Sophos. The posts claim that all you need to do is copy and paste the text into your own status to somehow disable Facebook’s algorithm.

Vaas previously wrote about this hoax last February, and points out that it’s much more difficult to shut down than other viral social media ruses because it gets users to post individual statuses rather than sharing a post. She also notes that Facebook confirmed to Snopes last year that its algorithm doesn’t limit content from friends.

While many users would see through this sham, the fact that so many people still fall for these things shows that a significant portion of the population is susceptible to basic online social engineering. Organizations that are concerned that their employees may fall victim to phishing or other types of social engineering should invest in new-school security awareness training, because real attackers will use methods far more sophisticated than those employed by Facebook hoaxes. Naked Security has the story:

A Culture of Security is Essential to Safeguarding Organizations

Cybersecurity is just one of three equally-important areas of security, alongside the physical and human elements, according to Freaky Clown, co-CEO and Head of Ethical Hacking at Cygenta. Carole Theriault interviewed Freaky Clown, or FC, for the CyberWire’s Hacking Humans podcast, where FC explained that if a company’s security is lacking in any one of these three areas, then the company can be infiltrated.

FC specializes in technical and physical pentesting for companies, including thousands of banks. In his twenty years of red teaming, he says he has a 100% success rate at physically infiltrating companies.

FC says the first stage in this process is performing reconnaissance. He’ll visit the site beforehand to get an idea of the layout, which can be obtained easily by snapping a photo of the fire map in the reception area. He’ll also take note of the way the employees dress.

FC stresses that it’s important to dress the part if you want to blend in with the people you’re infiltrating. “If you're going into, like, just a normal, everyday company, they're probably, you know, business casual,” he says.

“If you're going into, like, an investment bank, they're going to be in suits and ties.” FC adds that it's best to minimize contact with the staff, because people will often leave him alone if he looks like he’s supposed to be there.

FC believes that a culture of security is crucial to ensuring that all facets of an organization are safeguarded: “It all falls apart, because if you spend, like, you know, a hundred million pounds on all of the technical controls on securing your company and you've put in loads of training for people, if I can still walk into your building and steal all the servers, it's all for naught.

And the same with any of those other bits. You can have Fort Knox, but if the people don't have the culture of security, then they'll let you through the gate. If those two parts are working, and your cybersecurity is terrible and people can just get in over the internet, then, again, you're kind of screwed.”

One of the best steps towards building a culture of security is through new-school security awareness training. This type of education can give employees a sense of the way attackers operate, making them far more likely to recognize suspicious activity. The CyberWire has the story:

A Phishing Scam Targeted Twitter Users in a Promoted Post

A phishing scam posing as a PayPal sweepstake event was posted as a promoted tweet on Twitter, according to Matthew Hughes at The Next Web. Hughes came across a tweet with a URL to a phishing site, along with a photo of a car, an iPhone, and PayPal’s logo.

The link took users to a spoofed PayPal login page. After providing their credentials, users were asked to enter their credit or debit card details.

While that’s no different from a run-of-the-mill phishing site, this scam stands out because the attacker used a paid promotion on Twitter to spread the tweet. Promoted posts on Twitter are generally assumed to belong to legitimate companies. There were a number of indicators that the phishing site wasn’t legitimate, particularly its suspicious URL.

However, the tweet’s promoted status may have led users to ignore those warning signs. Employees need to be able to identify suspicious URLs and websites in order to avoid falling victim to phishing attacks. The Next Web has the story:

Attackers Target Netflix Users With Phishing Emails

We began 2018 with a warning about a Netflix scam, and unfortunately there’s another one circulating to ring in 2019. Police in Ohio have identified phishing emails purporting to come from Netflix customer support, according to Colleen Tressler, a consumer education specialist at the Federal Trade Commission (FTC).

The email informs the user that their account is on hold, and recommends that they follow a link to update their payment details. If the user complies, their payment details will go straight to the attacker.

Tressler gives several tips for identifying and thwarting phishing scams. First, you should contact the company directly by calling the phone number listed on its website. Don’t rely on any contact information supplied by the email, and use a search engine to find the company’s website rather than clicking a link in the email.

Second, carefully examine the email for any grammatical errors or spelling mistakes, and note whether or not the email uses your name. In this instance, Tressler notes that “the scammer used the British spelling of ‘Center’ (Centre) and used the greeting, ‘Hi Dear.’” If any of these signs are present, the email should be treated with extreme caution.

It’s worth noting, however, that many phishing emails don’t have any visible indicators and sometimes will contain your real name. Attackers often go to great lengths to make their emails indistinguishable from the real thing. New-school security awareness training can give your employees the skills to identify sophisticated phishing emails. The FTC has the alert:

What KnowBe4 Customers Say

"Thank you, Stu for your follow up. So far so good. We just had 100% completion on our security awareness training. Look forward to more training and launching phishing program in coming weeks."
Regards, Y.N., CISO

"Hi Stu, Thanks for reaching out. My only regret is that we didn’t start using your service sooner. Your solution is great and the checklist gives us great guidance while accommodating our schedule."
Your happy customer, C.E., Sr. Director of IT Customer Applications

P.S. If you want to see KnowBe4 compared to other products in an objective, legit platform that makes sure the reviews are fully vetted, check Gartner Peer Insights:

The 10 Interesting News Items This Week
    1. 2019's First Data Breach: It Took Less than 24 Hours:
    2. Cloud Hosting Provider Battling Christmas Eve Ransomware Attack:
    3. How Enterprises Can Avoid the Ryuk Ransomware with Right Strategy:
    4. Data breaches affected more than a billion people in 2018:
    5. Apple Phone Phishing Scams Getting Better:
    6. Hacking for the holidays: Healthcare Ransomware Edition:
    7. Dark Overlord Hackers Threaten to Dump Insurance Files Related to 9/11 Attacks:
    8. How Hackers Stole $1B From Cryptocurrency Exchanges In 2018:
    9. US Dept. of Health and Human Services Releases Cybersecurity Guidance (PDF):
    10. Underminer exploit kit improves in its latest iteration:

Prepared in cooperation with the CyberWire research team.
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
