CyberheistNews Vol 9 #28 1.5 Billion Gmail Calendar Users Are the Target of a Crafty New Phishing Scam





CyberheistNews Vol 9 #27
1.5 Billion Gmail Calendar Users Are the Target of a Crafty New Phishing Scam

Users of Google’s Calendar app are being warned about a scam that takes advantage of the popularity of the free service and its ability to schedule meetings easily.

In business, we schedule meetings all the time. One-off calls, recurring weekly updates, and the like. The latest warning from researchers at Kaspersky indicates the bad guys are using unsolicited Google Calendar notifications to trick user into clicking phishing links.

Here’s how it works:

Scammers send a Google user a calendar invite complete with meeting topic and location information. Inside the details of the appointment lies a malicious link that looks like it’s pointing you back to meet.google.com for more details.

Once clicked, it’s back to the usual tactics of trying to infect the user’s endpoint with malware and so on.

This kind of attack has a massive attack surface, given the number of users utilizing Google’s Calendar service. It also has that contextual appeal by being hidden within a meeting invite and uses a seemingly valid URL for more information.

Users have long been warned about their interaction with email and the web. Now it’s important to add Calendar invites to the list. Organizations that use security awareness training have users that are continually up to date on the latest attack types. This latest method demonstrates how attackers are always updating their tactics, requiring you to be equally persistent and enable your users to make smarter security decisions. Link to warning:
https://blog.knowbe4.com/1.5-billion-gmail-calendar-users-are-the-target-of-a-crafty-new-phishing-scam
[NEW TOOL] Can Your Users Get Hacked by a Social Media Phishing Attack?

Phishing is still the #1 threat action used in social engineering attacks, and spear phishing in particular, takes advantage of your users’ socially networked lives.

Many of your users are active on social media sites like Facebook, LinkedIn, and Twitter. Attackers use social media to target both your brand, your users, and even your customers by distributing malware or using social engineering to phish for credentials. These platforms have become a goldmine for the bad guys to carry out social media phishing attacks against your organization.

Don’t get hacked by a social media phishing attack.

KnowBe4’s Social Media Phishing Test (SPT) is a new and complimentary IT tool that helps you identify which users are vulnerable to these types of social media spear phishing attacks. With SPT, get quick insights into how many users fall victim so you can take action and train your users to better protect your organization from these social media phishing attacks.

Here’s How the Social Media Phishing Test works:
  • Immediately start your test with your choice of three social media phishing templates
  • Choose the corresponding landing page your users see after they click
  • Show users which red flags they missed or send them to a fake login page
  • Get a PDF emailed to you in 24 hours with your percentage of clicks and data entered
Find out how many of your users are vulnerable to social media related attacks now!
https://info.knowbe4.com/social-media-phishing-test-chn
No, Mr. McAfee Is Not Giving Away Money :-D

Cryptocurrency giveaway scams are making a comeback, with fraudsters posing as John McAfee, Elon Musk, and the Tesla company, BleepingComputer reports.

The scams are being shared on Twitter using phony accounts, and the URL in the tweets leads to a website that very convincingly spoofs Medium, a popular online publishing platform.

The site appears to be a Medium article announcing an official giveaway of Bitcoin and Ethereum, and it provides a link for users to visit another site where they can receive their free money.

This site has a ticker showing how much cryptocurrency is left, accompanied by a list of transactions that other people are supposedly making in real time. This is meant to motivate the victim into acting quickly before the money runs out.

The site contains instructions for users transfer between 0.05 and 5 Bitcoins or between 0.5 and 50 Ethereum to an address in order to verify their wallets. The scammers claim that the victims will receive back ten times the amount that they transferred for verification. Continue reading:
https://blog.knowbe4.com/mr.-mcafee-is-not-giving-away-money
See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us on Wednesday, July 10 @ 2:00 pm (ET), for a live demonstration of KnowBe4’s new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 26,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, July 10 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2018391/6CF64A52D3F72425FD4280ECCE1233B5?partnerref=CHN2
Which of the Four Types of Social Engineering Is the Most Damaging?

Cybercriminals know that targeted social engineering attacks lead to the highest payoffs, so the frequency and sophistication of these attacks is guaranteed to increase, writes Jasmine Henry at IBM Security Intelligence. Henry lays out four rising social engineering attacks that organizations need to be aware of.

Business Email Compromise

The first type of attack is business email compromise (BEC, also known as CEO fraud), which involves compromising an email account or spoofing an email address to trick employees into transferring money or granting access to an attacker. Henry says that if an organization doesn’t have proper security measures, these attacks “can be both easy and highly rewarding for cybercriminals.”

Whaling

A variant of BEC is whaling, in which attackers impersonate an executive at an organization to gain maximum leverage when they make their demands. These attacks are less frequent since there are fewer potential targets, but they cause far more damage than most attacks.

Extortion Attempts

Extortion attempts are also growing more frequent. The vast majority of these attempts are pure scams, such as widespread sextortion campaigns. However, attackers do sometimes steal sensitive data and threaten to release it unless the victim pays a ransom. Henry points to a newer spin on this type of extortion in which criminals utilize crowdfunding to raise money before they release the information, allowing attackers to get paid even if the victim doesn’t give in.

Pretexting

A fourth rising threat is pretexting, where an attacker poses as a trusted party and builds rapport with someone inside of an organization. Once they’ve gained an employee’s trust, they’ll trick the target into doing something that compromises the organization’s security.

Henry concludes that organizations need to take a new approach in order to fight these threats: “Although security awareness training remains a critical protection against the highest-volume forms of social engineering attacks, it’s time for organizations to look beyond basic user awareness,” she writes. “Some of today’s most profitable attacks involve criminal methodologies that aren’t visible to the bare eye. Inadvertent insiders are the weakest link in any organization, and it’s more important than ever to involve a comprehensive plan for cyber resilience, including simulation training and a strong resiliency plan.”

The damage caused by social engineering depends on the scenario and the organization. Any of these four types can cause massive damage to an organization's reputation, stock price or direct cash losses in the case of ransom paid due to a ransomware infection.
Hacking Your Organization: 7 Steps Bad Guys Use to Take Total Control of Your Network

The scary fact is that human error is a contributing factor in more than 90% of breaches. With so many technical controls in place hackers are still getting through to your end users, making them your last line of defense. How are they so easily manipulated into giving the bad guys what they want? Well, hackers are crafty. And the best way to beat them is to understand the way they work.

In this webinar Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will take you through the "Cyber Kill Chain" in detail to show you how a single email slip up can lead to the total takeover of your network.

Roger will show you:
  • How detailed data is harvested using public databases and surprising techniques
  • Tricks used to craft a compelling social engineering attack that your users WILL click
  • Cunning ways hackers deliver malicious code to take control of an endpoint
  • Taking over your domain controller and subsequently your entire network
But not all hope is lost. Roger will also share actionable strategies you can put in place now to greatly reduce your risk. Find out how to protect your organization before it's too late.

Date/Time: Thursday, July 18 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2039197/018E9C163DE94D875B36C4BF082405B9?partnerref=CHN1

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"One’s mind, once stretched by a new idea, never regains its original dimensions"
- Oliver Wendell Holmes Sr.

"I never learned from a man who agreed with me." - Robert A. Heinlein



Thanks for reading CyberheistNews
Security News
Malicious Office Documents Still Tops in Phishbait

Microsoft Office files with malicious macros remained the most popular vector for malware infections in Q1 2019, according to WatchGuard Technologies’ latest Internet Security Report. WatchGuard detected more than 18 million malware variants in the quarter, with an average of 427 attempted attacks per device.

The report lays out the top ten most widespread types of malware, and found that the number of malware detections increased by 62% compared to the previous quarter.

The most commonly found malware in Q1 2019 was Mimikatz, which accounted for more than 20% of all malware detections. Mimikatz is an open-source tool for dumping credentials from Windows memory, and it’s often used for lateral movement within a network after attackers have compromised a machine.

Two variants of MacOS adware also appeared on the list, after MacOS-specific malware first made the top ten in Q3 2018. WatchGuard says that “this increase in Mac-based malware further debunks the myth that Macs are immune to viruses and malware.”

Two kinds of fileless threats made the top ten as well. One was a PowerShell code injection attack that downloads a malicious payload, and the other was Meterpreter, a stealthy Metasploit payload that lives in memory and injects itself into existing processes. WatchGuard’s press release states that “this trend further demonstrates cyber criminals’ continued focus on utilizing this evasive threat category.”

The vast majority of these threats require user interaction in order to make their way onto a system. Technical defenses can block many of them from reaching employees, but attackers take this into account when planning their campaigns. They’ll either find a workaround or simply keep sending emails until enough of them make it through. Organizations need a combination of defenses to address all levels of an attacker’s strategy, and new-school security awareness training is one of the best ways to ensure that your employees can identify malicious emails that reach their inboxes. Yahoo Finance has the story:
https://finance.yahoo.com/news/research-shows-surge-mac-malware-040100569.html
Fraud, Protected by Privacy

Fraudsters are taking advantage of online privacy regulations to avoid being identified and caught, KamloopsMatters observes. They’re talking about Proofpoint’s 2019 Domain Fraud Report, which found that 76% of the company’s Digital Risk Protection customers had domains spoofing their brand with similar domain names, while 96% found websites that used their exact domain name, but with a different top-level domain.

Proofpoint says that domain spoofing is becoming less risky for attackers as they find it easier to remain hidden online. “Domain fraud is an attractive attack method used by cyber criminals,” Proofpoint said. “Privacy features offered by most registrars and regulations like European Union General Data Protection Regulation have made it easy to remain anonymous. And, most important, fraudulent domains provide the basis for a wide range of attacks such as wire transfer fraud, phishing, counterfeit good sales, scams and other new methods.”

Kevin Epstein, Proofpoint’s vice-president of threat operations, pointed out that domain spoofing takes advantage of human error rather than exploiting a vulnerability in technology. He advises users not to click links in emails, and instead to manually type the URL into the browser’s address bar.

“Choose where you go rather than be directed where you go,” Epstein said. Most people want more online privacy, but they need to be aware of the fact that increased privacy often comes with increased anonymity, so they have to be more careful about the sites and people they interact with. New-school security awareness training can teach your employees to carefully scrutinize URLs out of habit. KamloopsMatters has the story:
https://www.kamloopsmatters.com/local-news/fraudulent-internet-sites-can-remain-anonymous-due-to-privacy-laws-1515189
Next-Generation Phishing

Organizations are spending exorbitant amounts of money on cybersecurity products, but cyberattacks are still succeeding on a daily basis, Fortune notes. At Fortune’s Brainstorm Finance conference last week, Adenike Cosgrove from Proofpoint said this discrepancy is due to the fact that many organizations have a blind spot when it comes to the human element.

Almost all cyberattacks begin with an employee falling for a phishing attack, and Cosgrove said that attackers have consciously adjusted their strategies to bypass new technical defenses by targeting humans.

Amy Chang, head of strategic intelligence and cybersecurity operations for JPMorgan Chase, added that attackers are constantly improving these attacks by adding more variants of social engineering, such as vishing.

“The evolution is definitely happening, and they’re incorporating a lot of new techniques,” Chang said. Cosgrove concluded that continuous employee training can help organizations defend themselves against social engineering attacks. There’s no single solution that can prevent cyberattacks, but by taking a balanced approach to security, organizations can ensure that they cover all of their bases. New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees what to watch out for. Fortune has the story:
http://fortune.com/2019/06/19/corporate-phishing-scams/
"Elaborate" Fraud Hits Australian Businesses

A new procurement scam has netted at least $1.5 million from Australian companies in New South Wales over the past few weeks, according to 10 daily. The scammers are posing as representatives of Australian universities looking to buy expensive products, such as electrical and medical equipment. They tell the targeted company to deliver the equipment to a warehouse, but they never end up paying for it.

The victim only realizes that they haven’t been dealing with a university when they don’t receive payment. NSW police said the fraud was “elaborate,” with one of the victim companies losing $500,000. The scam is also thought to have affected many more businesses across the country who haven’t reported that they fell for it. Detective Superintendent Linda Howlett told 10 daily that companies who are approached with an offer should contact universities directly using a separate mode of communication.

“We urge businesses to make independent inquiries with the University procurement section to check the legitimacy of the transaction,” Howlett said. “When making further inquiries, go directly to the University website and seek legitimate contact details rather than using the numbers listed in the email.”

Organizations often assume they won’t fall victim to such a fraud, but it’s worth keeping in mind how many victims there are. 10 daily notes that more than 5,800 companies in Australia lost at least $7.2 million to business email compromise scams alone last year. With such high payoffs, attackers are willing to put in the effort to make the scams extremely convincing, and there often won’t be any obvious warning signs until it’s too late.

This latest procurement scam was convincing enough to pull in 1.5 million dollars. New-school security awareness training can teach your employees how to prevent these scams by routinely taking steps to verify the authenticity of requests, even if they look legitimate on the surface. 10 daily has the story:
https://10daily.com.au/news/crime/a190612qyotx/elaborate-uni-fraud-scamming-aussie-businesses-of-millions-20190612
KnowBe4 Fresh Content Update and New Features

The Inside Man Movie

First, there is a ModStore Release Announcement: The Inside Man: Season 1 Episodes 1-12. For any and all customers who wished they could just watch the entire Inside Man Season in one sitting, their wish is now granted. All 12 episodes of The Inside Man series have been combined into a single 80 minute video module (movie) which is now live in the ModStore. So grab that popcorn and binge away..............

Executive Series Videos

Next, we are very excited to announce that all of the Executive Series modules have now been made into video modules! This means they are all now fully captioned and have all of the great feature of our video module player that only KnowBe4 has - detecting speed of connection to give optimal file for each user, full screen capability at 1080p resolution, and SCORM bookmarking/completion tracking. The next phase is the Courseware team will be adding quizzes to the training modules and updating them. Look for those in the coming weeks.

Next, there are a few new powerful features added to the platform, check them out here!
  • Branded Training Certificates
  • End User Training Surveys
  • KnowBe4 User Event API
Lots And Lots of FRESH CONTENT

It's all here:
https://blog.knowbe4.com/knowbe4-fresh-content-and-feature-updates-june-2019
What KnowBe4 Customers Say

"Stu, Good Afternoon Sir. Yes, very Happy (and Impressed) Camper.. LOL

We are still getting used to all the features, campaigns and things we can do with KnowBe4. I have to say that the approach by KnowBe4 is excellent, support has been above Excellent..

Highest complements to April Howard, our Customer Support Manager, who has been instrumental in getting our program up and running..

I think we’d have to be a model case for WHY this training is so needed.. On our first phishing campaign we had something like 31% phish prone.

We are a small City, so getting the word out and getting folks trained, when they already have all their own work to do is challenging. Allowing them to “train” when they have a few spare minutes seems to be working well..

As it so happens, last Saturday, we had our first “real world” actual spear phishing attack, where a single actor impersonated the City Manager and two other Senior Managers – sending specifically to their staff’s a request for them to buy gift cards – for a “secret” project & send them to him. I know, sounds silly, but most did see it for what it was, sadly a couple did reply – but only to request better verification and NO ONE bought any cards.

On a happier note, most of the others thought it was another “test” e-mail from KnowBe4, and simply deleted it. LOL So, the fight continues..

Thank you for checking in, A VERY Happy Camper."
P.L., IS Manager
The 10 Interesting News Items This Week
    1. Social Engineering Forum Hacked, Data Shared on Leak Sites:
      https://www.bleepingcomputer.com/news/security/social-engineering-forum-hacked-data-shared-on-leak-sites/

    2. Flaws in LTE can allow hackers to easily spoof presidential alerts:
      https://www.techspot.com/news/80633-flaws-lte-can-allow-hackers-easily-spoof-presidential.html

    3. Hospitality industry at highest risk of phishing. Benchmarking report shows average phish-prone percentage across all industries and sizes of organizations at 29.6% – up 2.6% since 2018:
      https://www.computerweekly.com/news/252465577/Hospitality-industry-at-highest-risk-of-phishing

    4. This terrifying AI generates fake articles from any news site:
      https://thenextweb.com/artificial-intelligence/2019/06/24/this-terrifying-ai-generates-fake-articles-from-any-news-site/

    5. Hacker invades 2 CBS reporters' lives without writing a single line of code:
      https://www.winknews.com/2019/06/25/hacker-invades-2-cbs-reporters-lives-without-writing-a-single-line-of-code/

    6. Security firms demonstrate subdomain hijack exploit vs. EA/Origin
      https://arstechnica.com/information-technology/2019/06/security-firms-demonstrate-subdomain-hijack-exploit-vs-eaorigin/

    7. U.S. Sees Russia, China, Iran Trying to Influence 2020 Elections:
      https://www.bloomberg.com/news/articles/2019-06-24/u-s-sees-russia-china-iran-trying-to-influence-2020-elections

    8. Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers:
      https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

    9. Warning Issued For Millions Of Microsoft Windows 10 Users:
      https://www.forbes.com/sites/gordonkelly/2019/06/22/microsoft-windows-10-problem-warning-dell-diagnostics-security-upgrade-windows/

    10. Companies on Watch After US, Iran Claim Cyberattacks:
      https://www.darkreading.com/companies-on-watch-after-us-iran-claim-cyberattacks/d/d-id/1335045
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews