CyberheistNews Vol 9 #23 [Heads-Up] Red Flags Warn of Social Engineering

The easiest way to avoid falling for scams and other social engineering attacks is to have an understanding of the tactics employed by attackers, according to KnowBe4's Roger A. Grimes, writing in CSO. Grimes outlines some of the most common scams and points out the warning signs that are usually present in these schemes.

One of the most common signs of a scam is the use of “stressor events,” which play on the victims’ emotions to make them act irrationally. There are a wide variety of stressor events, ranging from the mild to the extreme. Scammers can simply try to rush you by claiming that the deal will be called off if you don’t act soon, or they can threaten you with arrest or worse if you don’t pay them quickly. They can also be used as excuses on the scammer’s side, such as a sudden family tragedy affecting their ability to send or receive a transaction.

Additionally, you should be suspicious if a person is difficult to contact, is unwilling or unable to speak on the phone or meet in person, or comes up with excuses to induce you to send or receive money in an unconventional way. For example, whenever someone asks you to pay them in gift cards, don’t: you’re being scammed. This seems obvious and easily avoidable, but many people still fall for it.

Grimes emphasizes that people don’t fall for scams because they’re stupid. Their ability to resist scams depends primarily on their having knowledge of the scams themselves.

“Don’t shame victims into thinking that they were dumb or a patsy,” Grimes writes. “Intelligence has nothing to do with it. The deciding factor whether someone can be scammed is awareness of the scam presented to them.... The number one scam defense is awareness education. Banks are doing it. Employers are doing it. Craigslist is doing it. Many people and businesses try their best to inform people about the various scams.”

Most scams are surprisingly easy to spot once you know how they work. New-school security awareness training can teach your employees about these techniques so that they can recognize and resist social engineering attacks. CSO has the story:

[Live Demo and Q&A] Simulated Phishing and Security Awareness Training

Old-school awareness training does not hack it anymore. Your email filters have an average ~10% failure rate; you need a strong human firewall as your last line of defense.

Join us tomorrow, Wednesday, June 5 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
  • Identify and respond to email threats faster. Enhance your incident response efforts with the PhishER add-on!
Find out how 25,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, June 5 @ 2:00 pm (ET)

Save My Spot!

A Single Tweet Saw One Woman's Bank Account Entirely Wiped Out

Dean Dunham at The Mirror in the UK reported: "Social media is often disgruntled customers' first port of call when they want to make a complaint about goods or services these days, but after hearing Andrea’s story this week I would urge caution when doing this.

Andrea from Milton Keynes had a shock last month when she discovered that her bank account had been cleared out by fraudsters.

This was devastating news and left Andrea desperately short of money. Whilst she was assured that she would be reimbursed the money by her bank, it was explained that this would have to go through a process and could take up to two weeks.

She therefore decided to obtain a short-term loan to tide her over. To her horror she was refused, on the basis that she already had three loans and was in default on all of them.

Andrea did not understand this as she had not taken out any loans. Crooks took out loans in her name as well as emptying her account. However, it soon became clear that her identity had been stolen and that fraudsters had taken out loans in her name. After some investigation it became clear what had happened." Story:

[Live Webinar featuring Kevin Mitnick] A Look Behind the Curtain: Open Source Intelligence (OSINT) Hacking Data Sources That Bad Guys Use!

Ever wonder how hackers, spies, and con-artists gather such detailed and convincing intel on their targets? Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, knows.

The truth is that it is shockingly easy to gather detailed intelligence on individuals and organizations. Everything the bad guys need to specifically target your end users is out there for the taking. Banking and credit card accounts, driver's license numbers, geolocation details and even IT secrets can be found easily and through public resources! There’s even a name for it: Open Source Intelligence (OSINT).

Join us for this mind-blowing webinar where Kevin and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will give you an inside look into some of Kevin’s most prized, underground OSINT secrets and how the bad guys use those techniques to target your users and your organization.

Find out what to watch out for and learn how to strengthen your end-user “human firewall” against OSINT-fueled attacks before it's too late!

Date/Time: Wednesday, June 12 @ 2:00 pm (ET)

Save My Spot!

[Policy Template] Should Failing Phishing Tests Be a Fireable Offense?

Firing employees for failing phishing tests can be extremely counterproductive and can damage an organization’s overall security posture. That, at any rate, is what two security experts told Brian Krebs recently, and we agree with them.

Companies sometimes think punitive policies will make employees take phishing more seriously, but these policies actually discourage cooperation and openness. It is much more productive to reward desired behavior.

John LaCour, founder and CTO of PhishLabs, told Krebs that punishment isn’t an effective response to failed phishing tests because it makes employees feel they’ve been manipulated.

“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” LaCour said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”

Punishing Employees Has Negative Security Repercussions

In addition to creating an unhealthy work environment, punishing employees for failing phishing tests will have negative repercussions for your organization’s security. When an employee does fall for a phishing email, whether real or simulated, the most important thing they can do is report the incident so that the attack can be mitigated. Rohyt Belani, CEO of Cofense, said that organizations should have training programs that encourage employees to report failed phishing tests.

“So what happens a lot of times is a person may click on a link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani told Krebs. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?’”

LaCour says that positive reinforcement and recognition is a key element in improving employees’ phishing resistance. He said that posting the scores for each department’s phishing tests can make employees take the tests seriously and improve cooperation. He added that small rewards and lighthearted penalties, like having the lowest-scoring department buy lunch for everyone, can also help by making it feel like a good-natured competition.

An organization’s employees are its most important assets, and they need to be treated fairly and with respect. However, employees who are chronically click-happy become an active liability for your network security. New-school security awareness training can build a culture of security within your organization by providing education programs that are effective and make your employees feel valued.

Part of that fair treatment is a published security policy—which hundreds of organizations use today—to create a clean, clear, level playing field with known consequences for repeated click behavior. Here is a "find/replace" Policy Template Doc that you can use for your own organization:

Find out Which of Your Users' Emails Are Exposed Before the Bad Guys Do

Do you know how big your email attack surface really is? Open Source Intelligence (OSINT) is the collection of information from public sources on the Internet that both red teams and bad guys use to craft convincing phishing attacks.

A good IT security best practice to address the ongoing problem of social engineering using OSINT is to conduct quarterly email attack surface checks and find out what info about your users is available.

Find out which of your users' emails are exposed before the bad guys do. Many of the email addresses and identities of your organization are exposed on the internet and easy to find for cybercriminals. Our Email Exposure Check Pro (EEC) identifies the at-risk users in your organization.

Your Email Exposure Check Pro Reports:
We will email you a summary report PDF of the number of exposed emails, identities and risk levels found. You will also get a link to the full detailed report of actual users found, including breach name and if a password was exposed.

Getting your EEC Pro is no-charge and will only take a few minutes. It is often an eye-opening discovery.

Get Your Report Now:

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Next week you will get a CyberWire Special Issue, fully written by the CyberWire Team!!

Quotes of the Week
"The direction in which education starts a man will determine his future in life."
- Plato, Philosopher (427 - 347 BC)

"If you do not change direction, you may end up where you are heading."
- Lao Tzu, Philosopher (604 - 531 BC)

Thanks for reading CyberheistNews

Security News
Social Engineering Impersonation Attacks Increased 67%

Social engineering attacks using impersonation tactics increased by 67% over the past twelve months, according to Mimecast’s annual State of Email Security report. Mimecast surveyed more than a thousand organizations around the world and found that 94% of them had been targeted by phishing attacks in the past year.

More than half of the organizations said these attacks were increasing, and 41% observed a rise in internal malicious emails due to compromised accounts. The spike in impersonation attacks is the report’s most striking finding. These attacks can be highly targeted, as in the case of business email compromise scams. They can also use the branding of well-known companies and services to increase the efficiency of widespread phishing campaigns. Of the organizations who were affected by impersonation attacks, 73% experienced losses of customers, money, or data.

Mimecast’s press release states that “social engineering attacks are a rising concern for organizations because they’re often one of the most difficult to control.” As security technologies get better at blocking automated phishing campaigns and off-the-shelf malware, attackers are increasingly relying on social engineering to make their attacks more effective. New-school security awareness training can create a culture of security within your organization to help your employees defend against these attacks. GlobeNewswire has the story:

What Is This New Tactic Called "Password Spraying"?

Citrix last month confirmed the FBI’s suspicions that hackers had used a technique known as “password spraying” to compromise the company’s networks before stealing a massive amount of sensitive information. Password spraying is a type of brute force attack in which attackers test one weak password against many of an organization’s accounts before moving on to the next password and cycling through the accounts again. Since a reasonable amount of time passes before they attempt to log in to the same account again, the hackers can avoid being locked out for too many failed logins.
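The pattern described above (one password tried across many accounts, spaced out so no single account trips the lockout counter) is what a defender should look for in authentication logs. The following is an added example, not code from the newsletter, Citrix or the FBI: detection logic run over constructed sample log lines. The log format, field names, sample addresses and thresholds are all assumptions; real sources such as Windows 4625 events or an identity provider's sign-in log would need their own parser.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format). 203.0.113.7 sprays five accounts once
# each and comes back an hour later with the next password; 198.51.100.9 hammers
# a single account (classic brute force); 192.0.2.5 is a user mistyping once.
SAMPLE_LOG = """\
2019-06-04T09:00:10 auth failure user=alice src=203.0.113.7
2019-06-04T09:03:41 auth failure user=bob src=203.0.113.7
2019-06-04T09:05:02 auth failure user=carol src=198.51.100.9
2019-06-04T09:05:30 auth failure user=carol src=198.51.100.9
2019-06-04T09:06:01 auth failure user=carol src=198.51.100.9
2019-06-04T09:06:33 auth failure user=carol src=198.51.100.9
2019-06-04T09:07:12 auth failure user=carol src=203.0.113.7
2019-06-04T09:10:44 auth failure user=dave src=192.0.2.5
2019-06-04T09:10:58 auth success user=dave src=192.0.2.5
2019-06-04T09:11:09 auth failure user=dave src=203.0.113.7
2019-06-04T09:14:50 auth failure user=erin src=203.0.113.7
2019-06-04T10:02:15 auth failure user=alice src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failure|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse lines into (timestamp, result, user, src); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def classify_sources(events, window=timedelta(minutes=30), min_users=5,
                     per_user_max=2, brute_min=4):
    """Return {src: "spray" | "brute_force"} for sources whose failures match a pattern.

    spray: >= min_users distinct accounts fail from one source inside `window`, none
    more than per_user_max times (stays under lockout). brute_force: one account fails
    >= brute_min times. Thresholds are assumptions; tune them to your lockout policy.
    """
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "failure":
            failures[src].append((ts, user))
    verdicts = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # Failures per account in the window that opens at this event.
            per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if max(per_user.values()) >= brute_min:
                verdicts[src] = "brute_force"
                break
            if len(per_user) >= min_users and max(per_user.values()) <= per_user_max:
                verdicts[src] = "spray"
                break
    return verdicts


if __name__ == "__main__":
    print(classify_sources(parse_log(SAMPLE_LOG)))
```

The spraying source never fails more than once per account, so a per-account lockout counter stays silent; only the fan-out across accounts from one source within the window exposes it.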

Amit Rahav says in Infosecurity Magazine that the Citrix hack is just one of many examples showing that passwords used by themselves are inadequate for security. If just one employee at a targeted organization is using a weak or commonly used password, attackers will likely breach their account.

Password spraying and other account hijacking schemes, such as credential stuffing, are increasing in popularity. If users haven’t implemented proper security measures, including multi-factor authentication, then their accounts are growing more vulnerable by the day. New-school security awareness training can teach your employees how to follow security best practices without causing them undue stress. Infosecurity Magazine has the story:

"Delete" Notification as Phishbait

Attackers are posing as Office 365 support in emails that warn users about an “unusual volume of file deletion” on their accounts, BleepingComputer has found. The emails claim that a medium-severity alert was triggered by fifteen file deletions within five minutes. If victims click on the link to view the alert’s details, they’ll be taken to a spoofed Microsoft login page.

The attackers will then collect their credentials before forwarding them to the legitimate Microsoft login portal. A notable feature of this campaign is that the phishing pages are hosted on Microsoft’s Azure cloud services, so the URLs end with “” As a result, even users who know that they should inspect the top-level and second-level domains of the URL could still fall for the scam.

Azure-hosted sites are also secured with Microsoft SSL certificates, increasing the appearance of authenticity. Researchers have discovered hundreds of phishing sites hosted on Azure and other cloud services in the past month. While Microsoft takes these sites down as quickly as it can, the sheer volume of malicious domains means that attackers usually have several days to carry out their attacks.

Additionally, when their sites are shut down, they can easily set up more. New-school security awareness training can give your employees up-to-date knowledge of the evolving techniques and technologies being used in phishing campaigns. BleepingComputer has the story:

Phishing Canadian Targets

We have recently blogged about KrebsOnSecurity's story on compromised Canadian business email addresses. Here is some updated background on threats to Canadian organizations.

Since January 2019, nearly one hundred phishing campaigns have been tailored specifically for Canadian targets, according to researchers at Proofpoint. Attackers are spoofing a number of well-known Canadian companies and organizations, and are using French-language phishing lures to increase their chances of tricking Canadian victims. Most of these campaigns are run by financially motivated criminals, although some are launched by nation-state actors.

The two most common malware strains used in these campaigns are Emotet and Ursnif, both of which are banking Trojans used to steal information and deliver additional malware. Other types of malware targeting Canada include banking Trojans like IcedID, Trickbot, and Dridex, the GandCrab ransomware, and the Formbook keylogger. The Proofpoint researchers stress that the rise in targeted Emotet attacks is particularly notable, and should serve as a warning to Canadians that they need to be on the lookout for more than just generic phishing spam.

“In 2019, threats specific to Canadian interests, whether abusing Canadian brands, or affecting Canadian organizations through specific geo-targeting mean that defenders at Canadian companies must be cognizant of threats far more targeted than ‘North America,’” the researchers write. “Banking Trojan and the Emotet botnet lead the pack, creating risks for organizations and individuals with compelling lures and carefully crafted social engineering.

While Canada-targeted threats are not new, Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada and beyond.” These targeted phishing campaigns are in addition to hundreds of other untargeted campaigns that have impacted Canada this year. Users need to be constantly vigilant in order to identify attackers’ attempts to deceive them. New-school security awareness training can give your employees the knowledge they need to defend themselves against these attacks. Proofpoint has the story:

What KnowBe4 Customers Say

"Yes, very happy camper. Your product is very professional, rich content and I’m getting amazing support from Craig Hyla. He’s been doing an excellent job of guiding me through the entire process – awesome!!

As for the product/service, we went with 2019 KnowBe4 Security Awareness Training and it was well received. Our next step is to do a follow-up phishing campaign with training for clickers. I’ve put up a few posters but will look for more and maybe some pamphlets I can place in the cafeteria.

Only negative is people are now paranoid to open legit emails coming from 3rd parties asking for actions (e.g. HR has signup email sent from legit vendor, etc.). To be honest, I’m happy they are on guard and a little paranoid. It’s the world we live in these days." Many thanks!!
M.M., IT Director

"I’ve been a customer of KnowBe4 for over 3 years and a daily listener to the CyberWire. I just recorded an episode with Dave about the importance of education when dealing with Business Email Compromise. As you might recall, Stu, I won the Lemon Shark award at KB4-Con for the Best User Story.

I wanted to drop a note to let you know how valuable both of your services are to the industry and how much I appreciate the relationship between them. I enjoyed the live Cyberwire podcast at KB4-Con and thought the pairing was excellent. I also appreciate that KnowBe4 sponsors the Cyberwire’s great work and wanted to thank you for doing so because it actually helps me.

When people at my organization don’t know who KnowBe4 is by name, it was helpful that your name was heard on the Cyberwire and it gave confirmation that having KnowBe4 as a partner is significant, just as others who sponsor the Cyberwire, like Crowdstrike, Observe It, Cylance, Carbon Black, Juniper and other well-known brands. Now KnowBe4 is one of those well-known brands, too.

Thanks for giving me a moment to express my appreciation to both of you and the great work you support together."
S.A. CISSP Director of IT

The 10 Interesting News Items This Week
    1. KnowBe4 Is UK's Security Training and Consultancy Provider of the Year:

    2. Should Failing Phish Tests Be a Fireable Offense? The post that inspired the Editorial this week:

    3. Most IT security failures occur because cyber criminals know the psychology of human nature and how to exploit it:

    4. Russian military moves closer to replacing Windows with Astra Linux:

    5. Too Much Information: 2.3 Billion Files Exposed Across Online File Storage Technologies:

    6. Turla APT group beefs up cyber attack tool:

    7. Docker Bug Allows Root Access to Host File System:

    8. Flipboard hacks prompt password resets for millions of users:

    9. When it comes to email-based threats, Emotet dominates:

    10. OUCH: Security Platform Leaking Extensive Hotel Security Logs, Including Marriott Properties:
Prepared in cooperation with the CyberWire research team.

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • And here is how these Starlink Mission 60 satellites are launched in a stack like a block of Legos. Starting at 1:15:30 the stack is shown and then deployed over the remaining 4 minutes:

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
