CyberheistNews Vol 9 #28 [Heads-up] Cyber Criminals Refine Their Social Engineering Tactics

Attackers are adapting their tactics to new developments in technology, Help Net Security reports. Researchers at FireEye analyzed a sample of 1.3 billion emails and identified three major trends in Q1 2019.

First, attackers are increasingly using impersonation in their phishing attacks. Impersonation attacks in Q1 2019 increased 17% over Q4 2018, primarily imitating well-known brands. Attempts to spoof Microsoft accounted for nearly a third of these attacks, followed by OneDrive, PayPal, Apple, and Amazon. More targeted CEO impersonation attacks are also on the rise, and FireEye’s Ken Bagnall expressed concern that organizations don’t understand the level of sophistication these attacks employ.

“We’re seeing new variants of impersonation attacks that target new contacts and departments within organizations,” said Bagnall. “The danger is these new targets may not be prepared or have the necessary knowledge to identify an attack. Unfortunately, once the fraudulent activity is discovered, the targeted organization thinks they’ve paid a legitimate invoice, when the transaction was actually made to an attacker’s account.”

A second trend is the increased use of HTTPS on phishing sites, which jumped 26% in Q1 2019. Domain-validated TLS certificates are free and easy to obtain for any domain the attacker controls, and since most browsers now flag plain-HTTP connections as “Not secure,” a certificate has become an essential component for any site that wants its visitors to feel safe, including a phishing site. The padlock only means the connection to the domain in the address bar is encrypted; it says nothing about who owns that domain. Coupled with the widespread misconception that an HTTPS connection alone is a sign of legitimacy, this means HTTPS will continue to become a standard feature of phishing campaigns.

Finally, attackers are turning to cloud-based attacks that use trusted services such as Dropbox, Google Drive, and OneDrive. By hosting malicious files on these services, attackers can send links that don’t look suspicious to users and that get through email filters, because the link points at a reputable domain rather than at attacker infrastructure.
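The three trends above translate directly into triage rules for an inbound message: a brand name in the From display name whose sending domain is not one of that brand's, links that point at a file-sharing service rather than the sender's own domain, and the scheme of each link recorded without treating https:// as a trust signal. The following is an added example of such a check, written for this page; it is not code from FireEye or Help Net Security, the brand-to-domain table and the cloud-share host list are assumptions, and the two messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands named in the FireEye trend and the domains assumed to send legitimately for them.
# This mapping is an assumption for the example, not data from the report.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "onedrive": {"microsoft.com", "live.com"},
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
    "amazon": {"amazon.com"},
}

# File-sharing hosts attackers abuse to serve a payload from a reputable domain (assumed list).
CLOUD_SHARE_HOSTS = {"dropbox.com", "www.dropbox.com", "drive.google.com",
                     "docs.google.com", "1drv.ms", "onedrive.live.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # Trend 1: a brand in the display name, but the address is not one of the brand's domains.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and registrable(sender_domain) not in legit:
            findings.append(f"impersonation: '{display}' sent from {sender_domain}")

    # Collect the text parts so links in multipart messages are seen too.
    text = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))

    for url in URL_RE.findall(" ".join(text)):
        host = (urlparse(url).hostname or "").lower()
        # Trend 2: note the scheme for the analyst, but https never lowers the score.
        scheme = "https" if url.lower().startswith("https") else "http"
        # Trend 3: the link goes to a file-sharing service instead of the sender's own domain.
        if host in CLOUD_SHARE_HOSTS:
            findings.append(f"cloud-share link ({scheme}): {url}")
        elif sender_domain and registrable(host) != registrable(sender_domain):
            findings.append(f"off-domain link ({scheme}): {url}")
    return findings


# Constructed sample: Microsoft lookalike sender, payload hosted on Dropbox over HTTPS.
SAMPLE = """\
From: "Microsoft Account Team" <security-alert@m1crosoft-support.example>
To: user@example.com
Subject: Unusual sign-in activity
Content-Type: text/plain; charset=utf-8

We detected a sign-in from a new device. Review the report here:
https://www.dropbox.com/s/abc123/Sign-in-report.html?dl=1
"""

# Constructed sample of a message that should produce no findings.
LEGIT = """\
From: PayPal <service@paypal.com>
To: user@example.com
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

View this transaction at https://www.paypal.com/myaccount/transactions/
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print("legit message findings:", triage(LEGIT))
```

The registrable-domain helper is deliberately naive (it has no public-suffix list, so `example.co.uk` collapses to `co.uk`); a real gateway rule would use one. The point the example makes is that none of the three signals depends on the link being http or https.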

Most people assume that they’ll be able to spot a scam when they see one, so it’s not something they factor into their thinking. Employees who are expecting to be targeted by social engineering attacks will be far more vigilant as they carry out routine activities. New-school security awareness training can give your employees this heightened sense of alertness so that they can identify new social engineering attacks. Post with links:
See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us tomorrow, Wednesday, July 10 @ 2:00 pm (ET), for a live demonstration of KnowBe4’s new-school approach to security awareness training and simulated phishing. See the latest product features and how easy it is to train and phish your users.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 26,000+ organizations have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, July 10 @ 2:00 pm (ET)

Save My Spot!
Microsoft Kills Password Expiration Policy Recommendation With Latest Security Baseline for Win10

This change from Microsoft highlights the need for organizations to readdress the user-based insecurity of passwords caused by password expirations.

One of the goals of Windows 10 was to improve its security overall. But one thing even the most secure OS can’t fix is a user who doesn’t treat security as important. Take password expiration as an example.

Microsoft has long held that passwords should expire after a set number of days, to limit how long a compromised credential stays useful. But, in Microsoft’s own words, “when humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”

In short, the new password is either predictable or too hard to remember. So, in its latest Security Baseline for Windows 10, Microsoft has dropped the password-expiration settings from the baseline. This changes nothing about its stance on password length, history, or complexity, only on forcing passwords to expire. Nor is it a license to keep a password forever: a password that is known or suspected to be compromised still has to be changed immediately, and Microsoft points instead to controls such as banned-password lists and multi-factor authentication.
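The “small and predictable alteration” Microsoft describes can be caught at change time, when both the old and the new password are available to the change handler. The following is an added example of such a check, written for this page; it is not Microsoft’s code and not part of the Security Baseline, and the minimum length and similarity threshold are assumptions chosen for illustration.

```python
import difflib
import re

# Tunables (assumptions for this example, not values from the Microsoft baseline).
MIN_LENGTH = 12
MAX_SIMILARITY = 0.7   # difflib ratio above which a change counts as "small and predictable"

# Strip the edits people make when forced to rotate: case, a trailing or leading counter
# such as "2019!" -> "2020!", and common leet substitutions.
EDGE_TWEAKS = r"[\d!@#$%^&*.?_-]+"
LEET = str.maketrans("013457$@", "oieastsa")


def canonical(pw):
    """Reduce a password to the 'word' underneath the tweaks."""
    s = pw.lower()
    s = re.sub(EDGE_TWEAKS + "$", "", s)
    s = re.sub("^" + EDGE_TWEAKS, "", s)
    return s.translate(LEET)


def check_change(old, new):
    """Return (ok, reason) for a proposed old -> new password change."""
    if len(new) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if canonical(new) == canonical(old):
        return False, "same password with case, digits or symbols changed"
    if new.lower() in old.lower() or old.lower() in new.lower():
        return False, "one password contains the other"
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio > MAX_SIMILARITY:
        return False, f"too similar to the previous password (ratio {ratio:.2f})"
    return True, "accepted"


if __name__ == "__main__":
    old = "Wintertime2019!"   # constructed sample
    for candidate in ("Wintertime2020!", "W1ntert1me2019!", "wintertime2019!!",
                      "Wintertime2019!Extra", "correct horse battery staple"):
        print(f"{candidate!r:32} -> {check_change(old, candidate)}")
```

The check only ever sees the old password in the clear during the change itself (as a Windows password filter or a web change form does); it does not require storing old passwords reversibly, and it complements rather than replaces a banned-password list.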

Users who have a security-centric mindset through security awareness training are aware of the role their passwords play in an attack and the need for them to be sufficiently secure (where a longer password can be far more secure than a short-yet-complex one). Organizations seeking to leverage users as part of their security stance should look to follow Microsoft’s latest guidance, which includes the following. Continued at:
Hacking Your Organization: 7 Steps Bad Guys Use to Take Total Control of Your Network

Scary fact: human error is a contributing factor in more than 90% of breaches. With so many technical controls in place, hackers are still getting through to your end users, making them your last line of defense. How are they so easily manipulated into giving the bad guys what they want? Well, hackers are crafty. And the best way to beat them is to understand the way that they work.

In this webinar Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will take you through the "Cyber Kill Chain" in detail to show you how a single email slip up can lead to the total takeover of your network.

Roger will show you:
  • How detailed data is harvested using public databases and surprising techniques
  • Tricks used to craft a compelling social engineering attack that your users WILL click
  • Cunning ways that hackers deliver malicious code to take control of an endpoint
  • Taking over your domain controller and subsequently your entire network
But not all hope is lost. Roger will also share actionable strategies you can put in place now to greatly reduce your risk. Find out how to protect your organization before it's too late.

Date/Time: Thursday, July 18 @ 2:00 pm (ET)

Save My Spot!
Is Compliance Security’s Worst Enemy?

KnowBe4’s Data-Driven Defense Evangelist, Roger Grimes, explains why compliance and security are not aligned, and why compliance actually hurts security.

Regulatory mandates are springing up all over these days. Industry regulations with data privacy provisions, personal data protection laws, and existing mandates tightening up their security requirements are commonplace. But, as Grimes points out in his latest article over at CSO, “compliance isn’t the same as security.”

The art of establishing and maintaining a defense against an enemy that is constantly changing its tactics doesn’t exactly jibe with static compliance mandates. In his article, Grimes brings up five specific reasons why compliance actually hurts security, summarized here:
  • Compliance is about whether or not you’ve met the requirement, whereas security is about whether you’ve actually protected the environment.
  • Compliance often does not reflect a proper balance towards security practices that actually stop attacks, breaches, etc.
  • Compliance changes too slowly to have an impact on the shifting threat landscape.
  • Compliance is mandatory and will always trump security, even if security is the better practice.
  • Compliance reporting isn’t representative of whether an organization is actually secure.
Read the full article “5 Ways Compliance Hurts Security” over at CSO online and weep:
Get Your Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, Wednesday, July 17 @ 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it's time for risk assessments and audits.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely-used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways to maintain audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Wednesday, July 17 @ 2:00 PM (ET)

Save My Spot!
Over Half of Employees Don’t Adhere to Email Security Protocols

A new survey by Barracuda Networks shows that the vast majority (87%) of decision makers believe email threats will rise in the coming year. However, companies are ill-prepared to defend against these threats. In fact, 94% of respondents acknowledged that email remains the weakest link in their cyber defenses.

In the majority (57%) of organizations, most attacks target the finance department. However, attacks on customer support are on the rise, with nearly one-third (32%) of firms identifying this as the most targeted department. According to Chris Ross of Barracuda, this “could indicate a new emerging trend for would-be attackers.”

The survey also underlines the risk of negligent employees, with 56% of respondents stating that some of their staff members don’t follow security policies. Read more:

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"There is nothing on this earth more to be prized than true friendship."
- Thomas Aquinas, Philosopher (1225 - 1274)

"My first wish is to see this plague of mankind, war, banished from the earth."
- George Washington - 1st U.S. President (1732 - 1799)

Thanks for reading CyberheistNews
Security News
Enter Facebook Libra, With Scammers in Its Train

Within twenty-four hours of Facebook’s announcement of its new Libra cryptocurrency and Calibra digital wallet, more than three hundred domain names containing the words “Libra” or “Calibra” were registered, according to researchers at Digital Shadows.

The researchers examined these sites and found that while most of them are currently empty, some are already hosting active scams. One of the sites copied the real Calibra site very convincingly, and replaced the words on a “Get Started” button with “Sale Libra Currency.”

This button takes users to a page that offers to exchange Ethereum for Libra with a 25% bonus. Since Libra isn’t slated to launch until next year, the scam doesn’t specify where the converted currency will be stored, but the researchers note that the scammer’s Ethereum wallet had already received $58.

Another site was more ambitious, offering early access to Libra on a Virtual Private Server (VPS) for several hundred dollars. After victims hand over their money, the scammers walk them through “accessing” their new server, which involves opening a Remote Desktop Connection and entering an IP address, a username, and a password.

An outbound Remote Desktop session to an attacker-controlled host does not by itself hand over the victim’s computer, but it exposes whatever the client redirects to the remote side (the clipboard by default, local drives if the victim enables them), and the “setup” walkthrough gives the attackers a pretext for directing the victim’s next steps. Digital Shadows emphasizes that the announcement of a new, extremely high-profile cryptocurrency that hasn’t launched yet has created a perfect opportunity for scammers to exploit people who want to make an early investment in the next big currency.
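Watching newly registered domains for a brand term is the monitoring step behind the Digital Shadows finding, and the hard part is that squatters rarely spell the brand plainly: they use hyphens, digit-for-letter swaps, and non-Latin lookalike letters that only show up as punycode (xn--) labels. The following is an added example of such a monitor, written for this page; it is not Digital Shadows’ tooling, the confusable-character table is a hand-picked partial one, and the domain feed is constructed (none of these are the sites the researchers found).

```python
import unicodedata

# Brand terms to monitor as soon as they are announced (from the story above).
WATCH_TERMS = ("calibra", "libra")

# Visually confusable groups folded to one representative so that "libra", "l1bra" and
# "Iibra" compare equal. A hand-picked, partial table (assumption); a production monitor
# would use the Unicode confusables data. Multi-character groups are folded first.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
SINGLE_CHAR = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "!": "i",
                             "3": "e", "5": "s", "$": "s", "7": "t", "@": "a"})


def skeleton(text):
    """Fold case, accents, non-Latin homoglyphs and lookalike ASCII to one canonical form."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = text.encode("ascii", "ignore").decode()   # drops combining accents and e.g. Cyrillic letters
    text = text.replace("-", "").replace("_", "")
    for src, dst in MULTI_CHAR:
        text = text.replace(src, dst)
    return text.translate(SINGLE_CHAR)


def levenshtein(a, b):
    """Classic edit distance; inputs are short, so a plain DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_without_tld(domain):
    """Join all labels except the TLD, decoding punycode (xn--) labels to Unicode first."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    decoded = []
    for label in labels:
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass   # malformed punycode: keep the raw label
        decoded.append(label)
    return "".join(decoded)


def classify(domain):
    """Reason string if the domain looks like it targets a watched brand, else None."""
    name = skeleton(name_without_tld(domain))
    for term in WATCH_TERMS:
        folded = skeleton(term)
        if folded in name:
            return f"contains '{term}'"
        if levenshtein(name, folded) <= 1:
            return f"within one edit of '{term}'"
    return None


def scan(domains):
    """Map each suspicious domain to the reason it was flagged."""
    hits = {}
    for domain in domains:
        reason = classify(domain)
        if reason:
            hits[domain] = reason
    return hits


# Constructed feed of newly registered names. The homoglyph entry is built from a Cyrillic
# 'і' (U+0456) so that it arrives the way a registry feed would show it: as an xn-- label.
HOMOGLYPH = "l\u0456bra.example".encode("idna").decode("ascii")
NEW_DOMAINS = [
    "libra-wallet-login.example",
    "calibra-sale.example",
    "l1bra-exchange.example",
    HOMOGLYPH,
    "librarian-books.example",   # a false positive the analyst has to weed out
    "facebook-news.example",
]

if __name__ == "__main__":
    for domain, reason in scan(NEW_DOMAINS).items():
        print(f"{domain:40} {reason}")
```

The `librarian-books.example` hit shows why this is a triage feed and not a blocklist: as the researchers found, most freshly registered names are empty, and a keyword match needs a human (or a content check) before anyone acts on it.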

New-school security awareness training can help employees resist these types of scams by teaching them the signs to watch out for. Digital Shadows has the story:
Another Cryptocurrency Becomes Phishbait

A phishing campaign is targeting users of the Luno cryptocurrency with emails informing them that their accounts have been locked, according to Paul Ducklin at Naked Security.

The emails are well written and they appear legitimate, as does the phishing site. The site asks users to enter their full name, ID number or passport number, Luno password, mobile phone number, email address, and email password.

While the attackers put effort into the cosmetics and grammar of their scam, the URL provided in the email is clearly unrelated to Luno and the phishing site doesn’t use HTTPS. Users should also be aware that they won’t be asked to enter their email password on a page that isn’t associated with their email provider, although it’s worth noting that the Luno phishing site does offer options to verify using Google or Facebook accounts.

Ducklin adds that users should independently verify claims in emails without relying on links or contact information provided in the emails.

“If you really are a Luno customer, and you’ve received a message like this, why would [you] trust anything in the email?” he asks. “That would be like asking the defendant in a criminal trial to serve on their own jury. Never take any cybersecurity action based on the say-so of a message that ‘just showed up.’ After all, if you phone the ‘emergency number’ given in a scam email, the crook who answers will tell you what you want to hear....

Simply put – it’s better to follow your own nose to validate facts than to blindly follow someone else’s! Email is the most popular avenue for phishing attacks, since attackers can send out millions at a time to any number of addresses. However, organizations and services still need to use email as part of their daily operations. New-school security awareness training can teach your employees how to interact with emails and other forms of communication safely, ensuring that they aren’t falling for well-crafted phishing attempts. Naked Security has the story:
Banks Not Helping Customers Spit the Phish Hook

40% of the largest banks in the US don’t use Extended Validation (EV) certificates on their home pages or login pages, a study by Sectigo has found. Likewise, 25% of Europe’s largest banks don’t possess the certificates.

An EV certificate shows up as the organization’s legal name next to the lock icon (an address-bar indicator that Chrome and Firefox have since removed), and it means the site owner is a registered organization that has been vetted by a Certificate Authority (CA) to obtain the certificate. The lock icon on its own simply means that traffic between the browser and the domain in the address bar is encrypted; it says nothing about who controls that domain.

Extended Validation certificates aren’t a silver bullet, but they do provide more evidence of legitimacy than the standard lock icon, since companies have to interact with a Certificate Authority and undergo a vetting process. If an attacker wants to spoof a site with an EV certificate, they’ll have to register an organization with the same name and then convince a CA that the organization is legitimate.

This is certainly possible, so users should still be wary on any site, but it’s typically more effort than attackers need to expend in order to fool a decent number of victims.

Users need to take many factors into account in order to avoid falling victim to spoofed websites, including being aware of how and why they ended up on a site, in addition to examining the site itself for discrepancies. New-school security awareness training can help them pay attention to these details by giving them experience with realistic phishing simulations. Sectigo has the story:
New Malware Pretends to Be You by Matching Your Keystroke Characteristics

Cybersecurity researchers have developed a new keystroke impersonation attack that avoids being detected by keystroke-based biometric security solutions.

Biometrics have been used for security purposes for years: thumbprints, retina scans, and voice are part of many high-security environments. But giving up something that uniquely identifies a person has made some users hesitant.

The idea of using keystroke dynamics, which seems far less intrusive than, say, scanning your eye, has also been around for many years, and some security products use keystroke characteristics such as typing rhythm and the timing between keys to identify an individual.

The latest research, entitled “Malboard: A Novel User Keystroke Impersonation Attack and Trusted Detection Framework Based on Side-Channel Analysis,” describes a new attack that generates and sends malicious keystrokes mimicking the victim user’s behavioral characteristics. Solutions that identify users by their keystrokes can thus be fooled into believing it’s the actual user making requests to access and exfiltrate sensitive data. As the title indicates, the same paper also proposes a detection framework for such injected keystrokes based on side-channel analysis.

The introduction of such malware indicates that (a) it is possible to mimic a user’s typing closely enough to defeat a behavioral check, further compounding the problem of detecting external attacks that use compromised internal credentials, and (b) attackers will begin to incorporate this kind of capability into their automated attacks as security vendors extend their ability to verify that the user making a request is really that user.
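Why a keystroke-dynamics verifier can be fooled this way is easiest to see with a toy model of one: enrol on the victim’s inter-key latencies, then accept or reject a session by how far its timings fall from the enrolled statistics. The following is an added example written for this page, not code from the Malboard paper; the feature set (a handful of digraph latencies), the z-score threshold, and all timing data are constructed, and the “mimic” is simply handed the enrolled statistics to stand in for timings an attacker would have captured from the victim.

```python
import statistics

# Feature set reduced to the inter-key latency (ms) of a few digraphs. Constructed values.
VICTIM_BASE = {"th": 110, "he": 95, "in": 130, "er": 120, "an": 140}


def synth(base, n, spread, seed):
    """Constructed latencies: base plus a deterministic jitter in [-spread, +spread]."""
    return [base + ((i * 7 + seed) % (2 * spread + 1)) - spread for i in range(n)]


def profile(samples):
    """Enrolment: per-digraph (mean, stdev) from {digraph: [latency, ...]}."""
    return {d: (statistics.mean(v), statistics.pstdev(v) or 1.0) for d, v in samples.items()}


def verify(model, session, threshold=2.0):
    """Accept when the mean |z-score| of the session's latencies is under the threshold."""
    zs = [abs(x - model[d][0]) / model[d][1] for d, xs in session.items() for x in xs]
    return statistics.mean(zs) < threshold


def run_demo():
    """Return the verdict for the real user, a different typist, and a statistics-replaying mimic."""
    enrol = {d: synth(b, 20, 8, i) for i, (d, b) in enumerate(VICTIM_BASE.items())}
    model = profile(enrol)

    # The real user typing again: same rhythm, fresh jitter.
    victim = {d: synth(b, 8, 8, i + 3) for i, (d, b) in enumerate(VICTIM_BASE.items())}
    # Another person at the keyboard: slower and more variable on every digraph.
    impostor = {d: synth(b + 70, 8, 20, i) for i, (d, b) in enumerate(VICTIM_BASE.items())}
    # Malboard-style injection: keystrokes generated from the victim's own learned statistics.
    mimic = {d: synth(round(mu), 8, max(1, round(sd)), i + 5)
             for i, (d, (mu, sd)) in enumerate(model.items())}

    return {"victim": verify(model, victim),
            "impostor": verify(model, impostor),
            "mimic": verify(model, mimic)}


if __name__ == "__main__":
    print(run_demo())   # victim and mimic accepted, impostor rejected
```

The verifier here does exactly what it is supposed to: it rejects a typist whose timings differ from the enrolled ones. Its weakness is that anything able to reproduce the enrolled distribution passes, which is why the paper pairs the attack with detection based on side channels the injected keystrokes do not reproduce rather than on the timings alone.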

Malboard is just the latest innovative attack method. But to be effective, the code behind it needs somehow to be present on an endpoint, which means traditional delivery mechanisms such as phishing attacks carrying malware would be necessary. Users who have undergone security awareness training are best equipped to spot malicious email and web content, lowering the chance of a successful attack.
What KnowBe4 Customers Say

"Yes, I have been very happy with KB4. Previously we were running Wombat, which was purchased by ProofPoint. The quantity/quality and manageability of KB4 is worlds better than the competition! Thank you!" - N.K., Comptroller IS

"Hi Stu, Thank you for reaching out. I have been very happy with the product. We completed both employee training and a baseline phishing test. It is very easy to use and get started. The account rep Katie is awesome and she gives advice on how to start small and increase the use of features. It will get more automated as we go. Nice job, definitely would recommend KnowBe4 to anyone that is looking." R.E., Sr Vice President, Information Services

"Hi Stu, Thanks for checking in. Things are going well so far, but we clearly have a way to go in terms of awareness. I inherited the relationship with KnowBe4 due to an acquisition and based on their positive experience, I made the decision to expand the service to all of our organization.

Two things I have been very happy with are 1) the quality of the email and landing page templates, and 2) the promptness and quality of service requests. I have selected difficult templates and a very believable login landing page specifically because the real phishing attempts we receive are just as good. You can consider me a referenceable customer. Thanks."
- M.J., CISSP, Director, Security & Compliance

Featured Employee Profile

Rosa Smothers, Senior VP Cyber Operations

As a cyber threat analyst who supported cyber operations in the CIA for more than a decade and a veteran of the Iraq war, Rosa Smothers has built up a portfolio of skills and experience – much of which can’t be disclosed for national security reasons, though one supporter said her CIA work qualified her as “an all-out badass” – that make her an influential player in the cybersecurity industry. Here is her full profile in SC Magazine:

KnowBe4 Translations Update
In the first half of the year, we added 1,206 pieces of translated content and we plan to release even more in the second half. Here is a summary:
The 10 Interesting News Items This Week
    1. Security Maven Bruce Schneier is Leaving IBM:

    2. I'm Interviewed in PC Mag: "6 Ways SMBs Can Avoid an Email Security Nightmare":

    3. Security Awareness Training Dramatically Reduces Phishing Proneness | Credit Union Times

    4. Business Email Compromise Phishing Scams on the Rise:

    5. Your Printer Works for the Government:

    6. Announcing: The SANS Security Awareness Professional (SSAP) Credential

    7. Microsoft Confirms New Cumulative Update Bug Hitting Windows 10 Version 1903:

    8. New Dridex Malware Strain Avoids Antivirus Software Detection:

    9. Electronic Arts Origin Gaming Client Hit by Vulnerabilities, Says Check Point Research:

    10. ETERNALBLUE Sextortion Scam Puts Your Password Where Your Name Should Be:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • Shaggy’s Chart-Topping Hit From 2000, “It Wasn’t Me,” Has Made a Comeback. Emirates NBD, a bank in Dubai, in conjunction with the Dubai Police, adapted the lyrics and produced a video rendition as part of a cybersecurity awareness campaign:
    • The Latest Compilation of Awesome People Doing Extraordinary Things:
    • A Discretely Assembled Walking Motor, Integrated Electromechanical Machine Assembled From Five Standard Part-Types:
    • Learn About How National Archives Conservators Have Cared for the Declaration of Independence. I didn’t know they found a handprint in the lower corner of the Declaration. They have no idea how it got there and are asking people who took photos of it prior to 1952 to try to see when that fingerprint appeared.

    • From the Video Archives. We repeat this video once a year in the 4th of July week. An explanation of the various forms of government and political systems, and why America has never been a democracy, but is actually a Republic:

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.