CyberheistNews Vol 9 #25 [Heads-Up] The FBI Warns Against Phishing and Advises How to Spot Attacks


The FBI's Internet Crime Complaint Center (IC3) released a PSA warning that attackers are exploiting people's trust in sites that use HTTPS. Cybersecurity training has in the past rightly encouraged users to look for the lock icon next to the URL in the browser, but many users still believe this icon is proof that the site they're on is legitimate.

While the lock is important, it only means that the connection to the site is encrypted and that the certificate was issued for the domain shown in the address bar; it says nothing about whether the site's operator is trustworthy.

The lock icon did carry more weight years ago, when getting an SSL/TLS certificate was a more involved process, but certificates are now free and can be obtained by anyone who controls a domain name. Attackers are increasingly making sure their phishing sites present valid certificates so they look just like legitimate websites.

The FBI advises users to be wary of requests in emails, even if they appear to come from known contacts. Scrutinize links carefully and "question the intent of the email content," rather than taking emails at face value. If you receive a suspicious request, "confirm the email is legitimate by calling or emailing the contact."

This type of diligence may add a few minutes to your day, but it's trivial compared to the damage that can be caused by falling for a phishing attack. New-school security awareness training can build a culture of security within your organization, so that your employees will recognize potential red flags out of habit.

IC3 has the alert, which is good ammo to send to your users and to remind them about the importance of THINK BEFORE YOU CLICK:
[June Live Demo] See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

Good news! We have expanded our KCM GRC product with the new Vendor Risk Management module. KCM now features four modules: Compliance, Policy, Risk, and Vendor Risk!

Join us TOMORROW, June 19 @ 2:00 pm (ET), for a 30-minute live product demo of KnowBe4's new KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and ease your burden when it's time for risk assessments and audits.
  • [NEW] Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built requirements templates for the most widely used regulations
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due
Date/Time: TOMORROW, June 19 @ 2:00 pm (ET)

Save My Spot!
Alarming Tool Creates Deepfakes That Can Now Be Edited With a Text Editor

At our recent KB4-CON, Dr. Lydia Kostopoulos, Disruptive Technology Educator, gave us a demonstration of the latest in Deepfake technologies.

Now, scientists at Stanford University, Princeton University, the Max Planck Institute for Informatics, and Adobe Research have demonstrated a new software platform that lets a user edit a deepfake video after the fact by editing its transcript in a text editor, with their software regenerating the footage to match. It produces frighteningly realistic deepfake video and gives us a chilling peek at where this technology is headed unless forensic tools for detecting synthetic video are created and made widely available.

Yes, this has the capacity to be weaponized.

In evil hands, it can sow political and social chaos and spread disinformation on a wide scale. In the hands of scammers, deepfakes will join the bad guys' social engineering tool kit, used for extortion or possibly to manipulate cryptocurrency or stock markets.

Over this weekend, a deepfake video of Mark Zuckerberg was posted on Instagram, with his words artificially manipulated. After viewing the refinements in this technology, I can see how a trained eye can spot the artifacts in the video. Even so, it is good enough to fool most people.

The refinements in this new production technique make a deepfake very hard for the untrained eye to detect and make it much easier to tweak one using a text editor (with the software) to rescript it and perfect the lip sync. Of course, to counter this, researchers will try to create AI-based deepfake detectors along with hidden watermarks or signatures. However, as we've seen in cyber, there is always a whack-a-mole fight and one-upmanship between the good guys and the bad guys. That fight is likely to continue at the AI level.

Discuss Deepfakes in KnowBe4's Hackbusters Forum Social Engineering category:
[Live Demo] Identify and Respond to Email Threats Faster with PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats and just as importantly effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product that allows your Incident Response team to identify and respond to email threats faster. This will save them a great deal of time!

See how you can best manage your user-reported messages.

Join us, Tuesday, June 25 @ 2:00 pm (ET), for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Tuesday, June 25 @ 2:00 pm (ET)

Save My Spot!
Canadian City Loses Half a Million to Phishing Attack

The City of Burlington, Ontario, revealed Thursday that it fell prey to "a complex phishing email" that cost the City CAD 503,000. Few details have yet been released. "To maintain the integrity of ongoing investigations, the City will not be commenting further at this time," it announced.

Although the City describes the incident as a phishing fraud, it bears all the hallmarks of business email compromise (BEC), specifically a vendor payment redirection scheme: a spoofed or compromised vendor contact asks accounts payable to update banking details, and the next legitimate payment goes to the attacker's account.

"On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor," the announcement reads. "The transaction was in the form of an electronic transfer of funds made to the vendor in the amount of approximately $503,000 and was processed on May 16."

Neither the name of the staff member nor the department they worked in has been revealed, although it is clear the position was senior enough to authorize large payments on behalf of the City.

Burlington mayor Marianne Meed Ward commented, "This was a case of online fraud with falsified documents at a level of sophistication not typically seen and we are taking the necessary steps to prevent it from happening in the future. This stresses just how important it is that we are all vigilant and recognize the signs of online fraud, phishing and other scams, and report them to the proper authorities -- so that no one becomes a victim of this type of criminal activity."

"Humans remain the weakest link in any organization," commented Ilia Kolochenko, founder and CEO of ImmuniWeb. "Properly implemented security controls can reduce the risk of human error but not eliminate it. Worse, cybercriminals will now purposely target smaller organizations that cannot afford to invest in their cybersecurity. Organizations of all sizes should continuously invest in their human capital via security training and security awareness seminars." Story at SecurityWeek:
Can You Be Spoofed?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users are highly "security awareness" trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test.

Find out now whether your domain is configured to stop forged mail (SPF, DKIM and DMARC records published and enforced); many are not!
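As an added example (not part of the newsletter and not KnowBe4's Domain Spoof Test), the following Python script shows the kind of check such a test performs: it parses a domain's SPF and DMARC TXT records and reports whether a forged From: address at that domain would be accepted by receivers that honor those policies. The records and the .example domain names are constructed inline to stand in for live DNS lookups.

```python
"""Assess whether a domain's published SPF and DMARC policies let an
attacker forge mail from that domain.

Added example, not code from the newsletter or from KnowBe4. The TXT
records below are constructed to stand in for live DNS lookups.
"""
import re

# Constructed records (assumption: stand-ins for what a DNS TXT query
# for these names would return). The .example domains are placeholders.
FAKE_DNS = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    # nospf.example publishes nothing at all
}


def lookup_txt(name, dns=FAKE_DNS):
    """Return the TXT strings for `name` from the constructed zone."""
    return dns.get(name, [])


def spf_all_qualifier(records):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?'),
    or None when there is no single usable SPF record (RFC 7208 allows
    exactly one v=spf1 record; zero or several means no policy)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare 'all' means '+all'
    return "?"  # no 'all' mechanism: unlisted senders evaluate to neutral


def dmarc_tags(records):
    """Parse 'tag=value; ...' into a dict, or None if no single DMARC record."""
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(rec) != 1:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, dns=FAKE_DNS):
    """Return (spoofable, findings) for `domain`.

    A forged From: at this domain is treated as deliverable when receivers
    have no DMARC policy to enforce (missing record or p=none), or when
    SPF ends in '+all' so any sending host passes SPF and therefore aligns."""
    findings = []
    qualifier = spf_all_qualifier(lookup_txt(domain, dns))
    dmarc = dmarc_tags(lookup_txt(f"_dmarc.{domain}", dns))

    if qualifier is None:
        findings.append("no valid SPF record")
    elif qualifier == "+":
        findings.append("SPF ends in +all: every sending host passes SPF")
    elif qualifier == "?":
        findings.append("SPF has no 'all' term: unlisted senders are neutral")
    elif qualifier == "~":
        findings.append("SPF softfail (~all): receivers rarely reject on SPF alone")

    policy = "none"
    if dmarc is None:
        findings.append("no DMARC record: receivers apply no policy to failures")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, forged mail is delivered")
        elif pct < 100:
            findings.append(f"DMARC pct={pct}: {100 - pct}% of failing mail escapes the policy")

    spoofable = dmarc is None or policy == "none" or qualifier == "+"
    return spoofable, findings


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "nospf.example"):
        spoofable, findings = assess(d)
        print(f"{d}: {'SPOOFABLE' if spoofable else 'protected'}")
        for f in findings:
            print(f"  - {f}")
```

To run it against a real domain, replace `lookup_txt` with a DNS TXT query (for example via dnspython) and keep the rest; the verdict logic only depends on the record strings. Note that this checks the exact domain only; lookalike domains and display-name spoofing are a separate problem that no SPF or DMARC record on your domain can stop.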
Ransomware Halts Production for Days at Major Airplane Parts Manufacturer

As a result of having IT systems crippled by the ransomware infection, the company has sent home approximately 1,000 of its 1,400 workers on paid leave.

ASCO, one of the world's largest suppliers of airplane parts, has ceased production in factories across four countries due to a ransomware infection reported at its plant in Zaventem, Belgium.

Per reports, the infection took root last Friday, June 7, and initially hit the company's Zaventem plant in Belgium, but ASCO also shut down factories in Germany, Canada, and the US. Non-production offices located in France and Brazil were unaffected.

It is unclear whether the company shut down operations at other factories because the ransomware managed to spread, or just as a precaution. The former seems the more plausible, as factories can easily be isolated from one another without stopping production.

ASCO is one of the world's most important suppliers of airplane parts and parts designs. Its clients include the biggest names in the air transport and military sectors, such as Airbus, Boeing, Bombardier, and Lockheed Martin.

ASCO-made parts are used for the F-35 fighter jet, the Airbus A400M military aircraft, Airbus and Boeing commercial passenger jets, and Ariane space launch rockets, just to name a few. More at the KnowBe4 blog:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Life shrinks or expands in proportion to one's courage." - Anais Nin, Writer (1903 - 1977)

"You will never do anything in this world without courage. It is the greatest quality of the mind next to honor." - Aristotle, Greek Philosopher (384 BC - 322 BC)

Thanks for reading CyberheistNews
Security News
Voicemail Phishing Scam Steals Credentials

A new phishing campaign is asking victims to click on a link in an email to download a voicemail, My Online Security reports. When recipients click on the link, they'll be redirected to a SharePoint phishing site with an embedded PDF file. This file contains two links, "Accept voice message" or "Listen to voice message."

Clicking on either option will send the victim to a spoofed Microsoft OneDrive login page, where their credentials will be harvested.

After this, however, the victim is sent to a website selling voice-to-email messaging services, so the attacker is apparently trying to earn affiliate commissions by driving traffic to that site. My Online Security also notes that there are other fake login pages on the phishing site, including one that spoofs Chase Bank, so the campaign isn't limited to targeting OneDrive credentials.

"We all get very blase about phishing and think we know so much that we will never fall for a phishing attempt," says My Online Security. "Don't assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says 'you have won a prize' or 'sign up to this website for discounts, prizes and special offers.' All of these emails use social engineering tricks to persuade you to open the attachments that come with the email."

Phishing attacks are constantly changing, but their foundations remain the same. This one is unusual in that it offers a novel sort of alert for a familiar bit of functionality--voicemail--that we're predisposed to use. New-school security awareness training can help your employees recognize this behavior by teaching them to be on the lookout for social engineering tactics. My Online Security has the story:
The CIA Will Not Fix Your Online Rap Sheet

Scammers are still posing as CIA employees and telling victims that they're about to be arrested for their involvement in an international pedophile ring, according to the Register. The scammers offer to erase the recipient from the case in exchange for $10,000 in Bitcoin. The emails are sent from an address ending in Mali's top-level domain (.ml), probably in an attempt to spoof ".mil," although ".mil" would still be inaccurate for a CIA email address.

Dot mil is used by the US Department of Defense, and the CIA is not a Defense agency. Researchers at Kaspersky who observed the emails note that while most people would dismiss these emails immediately, the scammers send out so many emails that some recipients will inevitably fall for them.

"Such messages are sent to thousands or even millions of people in the hope that just a handful will swallow the bait," said Kaspersky senior anti-spam analyst Tatyana Scherbakova. "Given the size of the ransom, if even a few victims pay up, it will have been worth the cybercriminals' time and effort."

The Register says that recipients of these messages "should keep in mind that the CIA and its agents (even the corrupt ones) would not make any such demand over unsolicited email, and the message should be deleted without a second thought."

Employees need to be taught that such outlandish claims in emails should immediately tip them off to a phishing attempt. New-school security awareness training can help your employees stay calm in the face of attackers' attempts to frighten them. The Register has the story:
Corporate Email Creates Unavoidable Risk

It's impossible to avoid the risk of phishing attacks entirely, since employees still need to do their jobs, as Kelly Sheridan at Dark Reading puts it. Sheridan points to a recent report from Cisco which shows that phishing attacks are increasing in number while getting harder to detect.

"It seems never-ending sometimes, the kinds of threats that arrive through email," Ben Munroe from Cisco Security told Dark Reading. "The fact that it's still a problem for us is incredible. Things are not getting better and in fact, things are getting worse."

Sheridan notes that phishing attacks place the burden of defense on employees, since attackers are bypassing other defenses and targeting the humans directly. "Employees are forced to read every message, make judgment calls about what they receive, and decide what to open, click, download, and respond to," she writes. "The right amount of social engineering can manipulate recipients into accidentally letting attackers in."

Employees need to be constantly aware of new techniques being used by attackers. New-school security awareness training with simulated phishing tests can make your employees far more likely to resist real phishing attacks, because they'll know what to watch out for and they'll be expecting to be targeted. And it's also realistic about the ways in which we use email for our jobs. Dark Reading has the story:
What KnowBe4 Customers Say

"Stu, I've actually been extremely impressed with your platform and have seen very noticeable results. I'm currently running simulated phishing campaigns through KnowBe4 at two separate businesses and have seen our phish-prone percentage drop by an average of 50% after every campaign. I believe in this day and age a solution like KnowBe4 is almost essential to keeping your business and data safe.

My users' education level on these kinds of things has skyrocketed since we started deploying our training. I've been very impressed. If you ever have any openings for strong technical candidates feel free to reach out, I'd love to be a part of a company like KnowBe4. Exciting stuff! Thanks for the follow-up message."
- B. J. Systems Administrator
The 10 Interesting News Items This Week
    1. KKR Mints A New Cybersecurity Unicorn: KnowBe4

    2. Security Awareness Training Firm KnowBe4 Raises $300 Million:

    3. Millions of Exim Mail Servers Are Currently Being Attacked:

    4. This Deepfake of Mark Zuckerberg Tests Facebook's Fake Video Policies:

    5. A spy reportedly used an AI-generated profile picture to connect with sources on LinkedIn:

    6. Dishing On Phishing: Security Awareness Training Is A Must Have For Utilities:

    7. DEEPFAKES Accountability Act would impose unenforceable rules but it's a start:

    8. 7 Truths About BEC Scams:

    9. Hackers are stealing personal medical data to impersonate your doctor:

    10. Why Every Employee in Your Organization Should Learn Social Engineering Vocabulary
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
