CyberheistNews Vol 9 #34 [Heads Up] The Unusual Activity Would Be the Microsoft Warning Itself


There is a live in-the-wild phishing campaign that’s spoofing “Unusual sign-in” warnings from Microsoft to steal users’ credentials. The emails look nearly identical to Microsoft’s real email alerts, and the sender address is the same as Microsoft’s legitimate account security email address.

The link to review the suspicious activity takes users to a phishing site that convincingly imitates Microsoft’s login page. If a user enters their credentials, they’ll be redirected to an error page on a real Microsoft site.

Our friend Larry Abrams at BleepingComputer explains that it’s important that users know not to trust the sender address field. While the sender’s address should be scrutinized for irregularities, the absence of errors doesn’t mean the email is safe.

“While some users may have felt that the emails are safe because they are coming from a legitimate Microsoft email address, it is always important to remember that the From email address can always be spoofed to be from any account an attacker wants,” Abrams writes. “Therefore, even if a phishing email looks legitimate, it is important to pay attention to the URLs of the landing pages before entering your login credentials in a displayed login form.”

Many people don’t know how easy it is to spoof an email’s sender address field, so they implicitly trust emails that appear to come from a familiar address. Even careful recipients who examine the address for typos can fall for this social engineering trick.

Most phishing attacks do contain warning signs that can be spotted by observant users, however. In this case, the phishing site’s URL reveals that the page is actually on a subdomain of dvnv6[dot]net, and the site wasn’t using HTTPS, so it would have been flagged as suspicious by the browser.

It’s worth noting, though, that the attacker could have easily made this campaign more convincing by hosting the site on Microsoft Azure, which would have given it a domain with an SSL certificate issued by Microsoft.
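A triage check of the kind Abrams' advice points to, added here as an example (it is not code from the campaign write-up or from KnowBe4): it ignores the displayed From address, reads the receiving server's DMARC verdict from the Authentication-Results header, and flags links that are not HTTPS or not on the sender's domain. Both messages are constructed samples; the sender address and the link host are placeholders, not the campaign's real indicators.

```python
"""Header-and-link triage for 'unusual sign-in' style phishing lures."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample (not an indicator from the campaign): the From header
# claims Microsoft, the receiving MTA recorded a DMARC failure, and the only
# link is plain HTTP on an unrelated domain, as in the campaign described above.
PHISH_SAMPLE = b"""From: Microsoft account team <account-security@microsoft.com>
To: user@example.com
Subject: Microsoft account unusual sign-in activity
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example.invalid; dkim=none; dmarc=fail header.from=microsoft.com
Content-Type: text/html; charset=utf-8

<html><body><p>We detected something unusual about a recent sign-in.</p>
<a href="http://login.microsoft.com.phish.example/review">Review recent activity</a>
</body></html>
"""

# Constructed legitimate counterpart: every verdict passes and the link stays
# on the sender's domain over HTTPS.
LEGIT_SAMPLE = b"""From: Microsoft account team <account-security@microsoft.com>
To: user@example.com
Subject: Microsoft account unusual sign-in activity
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/html; charset=utf-8

<html><body><a href="https://account.microsoft.com/activity">Review recent activity</a></body></html>
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_auth_results(value: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", value)
        verdicts[method] = match.group(1).lower() if match else "none"
    return verdicts


def triage(raw: bytes) -> dict:
    """Return the sender domain, auth verdicts, links and a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = registrable_domain(msg["from"].addresses[0].domain)
    auth = parse_auth_results(str(msg["authentication-results"] or ""))
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    links = re.findall(r'href="([^"]+)"', body)
    findings = []
    # The From field is trivially forgeable: trust the MTA's DMARC verdict instead.
    if auth["dmarc"] != "pass":
        findings.append(f"dmarc={auth['dmarc']} for sender domain {from_domain}")
    for link in links:
        url = urlparse(link)
        if url.scheme != "https":
            findings.append(f"non-HTTPS link: {link}")
        if registrable_domain(url.hostname or "") != from_domain:
            findings.append(f"link host {url.hostname} is not on {from_domain}")
    return {"from_domain": from_domain, "auth": auth, "links": links, "findings": findings}
```

A message that passes DMARC but links off-domain over HTTP still produces findings, which is the case the hosted-on-Azure variant above would not fully cover, so the link check is a complement to DMARC, not a substitute.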

New-school security awareness training can teach your employees how to verify the legitimacy of emails and links, and when to avoid them altogether. For KnowBe4 customers, we have some ready-to-send templates to inoculate your users against this attack:
  • Microsoft Office 365: Unusual Sign-in Activity on Your Account
  • Microsoft: Unusual Sign-in Activity

How to Prevent 81% of Phishing Attacks From Sailing Right Into Your Inbox With DMARC

Only ~20% of companies use DMARC, SPF, and DKIM, global anti-domain-spoofing standards, which could significantly cut down on phishing attacks. But even when they are enabled and your domain is more secure, 81% of phishing attacks still continue to sail right through to the end-user.

In this webinar, Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, will teach you how to enable DMARC, SPF and DKIM the right way! Then, learn the six reasons why phishing still might get through to your inbox and what you can do to maximize your defenses.

What you’ll learn:
  • How to enable DMARC, SPF, and DKIM
  • Common configuration mistakes
  • How to best configure DMARC and other defenses to fight phishing
  • Techniques to empower your users to identify and avoid phishing attempts that make it through your surface-level defense
Date/Time: THIS WEEK Thursday, August 22 @ 2:00 pm (ET)

Save My Spot!

Kevin Mitnick, KnowBe4's Chief Hacking Officer Interviewed in the Wall Street Journal

August 16, 2019 - Randy Maniloff wrote about Kevin in the WSJ "Weekend Interview". It's a great article that covers his start as a teenage hacker, how he wound up in jail, and how he became a white hat after he came out.

They discuss phone phreaking, how he testified at a Senate Governmental Affairs Committee on computer security and had to get permission from his probation office to travel to Washington.

Then they cover ransomware payments, election hacking, social engineering, weak passwords, his role as KnowBe4's Chief Hacking Officer, and the need to step your employees through new-school security awareness training.

There is no better article to send to your C-suite to make them open the purse strings for your infosec budget!

Identify and Respond to Email Threats Faster With PhishER - Plus, Get a First Look at PhishML

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Tuesday, August 27 @ 2:00 pm (ET), for a live 30-minute demo of the PhishER platform and a first look at PhishML, a new machine-learning module now available in the PhishER platform.

With PhishER you can:
  • *NEW* Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: Tuesday, August 27 @ 2:00 pm (ET)

Save My Spot!

Even When Your Users Don't Click...

One of the points we’ve made in a number of our blog posts over the past few years is that the bad guys are always learning. And one of the ways they learn how to phish your organization successfully is by interacting with your employees — drawing them into back-and-forth email exchanges in which your users are unwittingly training malicious actors how to attack the organization.

Here’s the key: even if your users don’t ultimately take the bait and click on a malicious link or attachment in any one particular phishing email, they can still do damage to your organization’s security posture if they engage with the malicious actors behind that email.

We were reminded of this hard lesson by a customer whose HR and Payroll department recently dealt with a rather well-executed payroll phish. Payroll or direct deposit phishing attacks are prolific these days. Why did payroll phishing become so big and so dangerous? Because that’s where the money is.

This customer, which is in the health care industry, found the experience of dealing with this phish eye-opening. So much so, in fact, that the company emailed its employees an incredibly useful summary of the lessons learned. Here it is:

[On-Demand Webinar] 2019 Phishing Attack Landscape and Benchmarking With Perry Carpenter

As a security leader, you’re faced with a tough choice. Even as you increase your budget for sophisticated security software, your exposure to cybercrime keeps going up!

IT security seems to be a race between effective technology and clever attack methods. However, there’s an often overlooked security layer that can significantly reduce your organization’s attack surface: New-school security awareness training.

Join Perry Carpenter, KnowBe4’s Chief Strategy Officer, for a review of the 2019 Phishing Industry Benchmarking Study, a data set of nearly nine million users across 18,000 organizations with over 20 million simulated phishing security tests.

In this webinar, research from KnowBe4 highlights employee Phish-prone™ percentages by industry, revealing at-risk users that are susceptible to phishing or social engineering attacks. You will learn more about:
  • New phishing benchmark data for 19 industries
  • Understanding who’s at risk and what you can do about it
  • Actionable tips to create your “human firewall”
  • The value of new-school security awareness training

Do you know how your organization compares to your peers of similar size?

Watch this webinar now to find out!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: Here's the latest update in the ongoing saga of Cofense getting in hot water with The Committee on Foreign Investment in the United States (CFIUS):

Quotes of the Week
"When it is obvious that the goals cannot be reached, don't adjust the goals, adjust the action steps." - Confucius

"There is one thing that gets you out of bed in the morning, and that is discipline. Because your dreams and your goals are not there waking up for you in the morning." - Jocko Willink

Thanks for reading CyberheistNews

Security News

Report: Data Breach in Biometric Security Platform Affecting Millions of Users

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s team recently discovered a huge data breach in the biometrics security platform BioStar 2. Unlike a password, stolen fingerprint and facial recognition information cannot be replaced. An individual will potentially be affected for the rest of their lives.

BioStar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security apps, and record activity logs.

As part of the biometric software, BioStar 2 uses facial recognition and fingerprinting technology to identify users. The app is built by Suprema, one of the world’s top 50 security manufacturers, with the highest market share in biometric access control in the EMEA region. Suprema recently partnered with Nedap to integrate BioStar 2 into their AEOS access control system.

AEOS is used by over 5,700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police.

The data leaked in the breach is of a highly sensitive nature. It includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2. Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities.

This is a huge leak that endangers both the businesses and organizations involved, as well as their employees. vpnMentor's team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive.

Any individual who has had their personal biometrics stolen should be made aware of the new risks they are now exposed to, and stepped through new-school security awareness training. Full story with more details continued at:

Three Important Facts to Take Away From the New Data Security Law

By Lecio De Paula, Jr., Director of Data Privacy, KnowBe4.

New Hampshire joins Ohio, South Carolina, and Michigan in enacting a new data security law directed at insurers, modeled after the National Association of Insurance Commissioners (NAIC) Model Law. The Bill will take effect January 1, 2020.

You can expect your own state or country to implement identical or very similar laws for your own industry. These are best practices for literally everyone to adopt, so check this out.

What are the important facts to take away from this new law?
  • Create a Written Information Security Program: Licensees are now required to create a comprehensive information security program based on the size and complexity of the licensee. Licensees will have to take into account their third-party service providers, sensitivity of the data, and the nature of the licensees’ activities.
  • Incident Response Plan: Each licensee is required to establish an incident response plan designed to respond to and recover from any cybersecurity event that compromises company nonpublic information (such as a successful phishing attack).
  • Board of Directors: The licensee board or appropriate committee of the board is mandated to ensure that executive management develops or delegates the development of the licensee’s written information security program.
Continued at:

Three Lessons from a MegaCortex Ransomware Attack

The MegaCortex strain of ransomware has been used in criminal campaigns targeting businesses as opposed to private individuals. The QuickBooks cloud-hosting firm iNSYNQ has sustained such an attack, and its infection, response, and recovery make an instructive story. KrebsOnSecurity has an account of the incident.

It apparently began when a member of the company’s sales staff swallowed a phishing email on or around July 6th. iNSYNQ took its network offline on July 16th, after it realized it was under ransomware attack. Unfortunately, it failed to communicate why the network was down or when service would be restored.

Some of its customers complained about being “stonewalled,” adding a public relations problem to the basic security and extortion issues. iNSYNQ’s CEO Elliot Luchansky held a “town hall” last Thursday, August 8th, 2019, in which he sought to bring customers up to speed.

Part of that involved an apology. “We could definitely have been better prepared, and it’s totally unacceptable,” Luchansky said at the town hall. “I take full responsibility for this. People waiting ridiculous amounts of time for a response is unacceptable.”

There was a reason, however, for the stumble. The company had reason to believe that the attackers were monitoring whatever steps iNSYNQ was taking to recover from the attack, and that they would be able to use any communication to further damage the company.

The attackers are thought to have gained access to the company’s internal networks and to have spent about ten days in reconnaissance before they triggered the MegaCortex payload they had delivered. That degree of persistence led iNSYNQ to fear that any communication would have done more harm than good.

The company decided ultimately not to pay the ransom, which it described as “very substantial,” and has now succeeded in restoring more than 90% of access to customer files. iNSYNQ did have backups, but some of the backups were themselves infected.

The MegaCortex criminals’ ransom demands in other cases have ranged from two to six hundred bitcoins, or $20 thousand to $5.8 million. There are a few lessons to consider here.
  • First, an organization’s backups must themselves be rendered secure from a ransomware attack.
  • Second, an investment in incident response planning is well-spent.
  • And finally, employee training in recognizing and resisting phishing attempts is vital. New-school security awareness training can help any organization raise its resistance to social engineering.
KrebsOnSecurity has the story:

The Shady Side of Reputation Management

Several reputation management companies use disreputable methods to bury their clients’ online footprints, according to Craig Silverman at BuzzFeed News. On the CyberWire’s Hacking Humans podcast this week, Silverman explained that some of these companies create fake personas and spread misinformation to deceive people who try to research their clients.

Silverman cited the particular example of Adrian Rubin, a man who is currently in prison along with his two sons for running payday scams. Rubin’s conviction last year in Philadelphia was fairly high-profile, and many major news organizations covered the story. Silverman discovered, however, that searching for Rubin’s name on the internet turns up at least three full-fledged personas that are very active in posting innocuous content and articles across the internet.

He also identified other fake personas that used the names of Rubin’s sons. “The idea here is to swamp search results on Google and elsewhere with these fake personas in the name,” Silverman explained. “And all of these fake Adrian Rubin personas, they were in the Philadelphia area. So anyone searching for Adrian Rubin, Adrian Rubin from Philadelphia, the idea is that they get these fake personas.

And if Adrian Rubin comes out of jail in, you know, in two years' time or so and he's looking to get started in business again and somebody goes to Google him, well, they're going to find the fake Adrian Rubins, so maybe they don't actually find the criminal history.”

Silverman emphasized that there are good uses for reputation management and there are upstanding companies that offer this service. He believes that the respectable reputation management companies need to start banding together and settling on industry standards to separate the honest players from those who use shady practices.

Silverman advises users to avoid trusting their first impression of people online and to carry out more research than they might be inclined to think is necessary.

“Think about the image,” he said. “Think about the context, and go past those first few pages of Google when you're trying to learn about somebody or a company or something.”

Fraudsters are getting better at using online social engineering tactics. New-school security awareness training can help your employees understand how people can manipulate the Internet to try to trick them. The CyberWire has the story:

What KnowBe4 Customers Say

"Hi Stu, Thank you for reaching out! I could not be happier with KnowBe4. Our Customer Success agent was Topher DiCicco and he was great to work with. In our initial Kick Off call I set the expectation of getting users imported and being ready to train by the end of July – but it was so easy that by the third week of July we had everyone onboarded, a baseline phishing test complete, and about 30% of our users had completed their initial training.

Topher proactively checked in and made sure everything was moving along during the setup, which it was - This was one of the easiest services I have ever rolled out.

I did submit a support ticket regarding implementing SSO and the first reply came from Merlin Durand letting me know that he had taken care of the issue and it was ready to test. The issue was resolved in about 3 hours and with a single email communication. For me, support doesn’t really get any better than that.

The console interface is very easy to use, and the variety of training topics from non-technical to IT Specific is great. I also really like being able to create my own email templates to spear phish my users. My joke in the office is that we need to start a competition to see who can craft an email that gets the most clicks.

Again, I just couldn’t be happier with KnowBe4. We formerly had no kind of Security Awareness program at all and a lot of gullible users clicking links, replying to scams, getting their credentials harvested, etc etc. We are in a MUCH better place now. I’m a fan of KnowBe4 and will definitely recommend it to others!"
- H.J., Network Administrator

"Hi Stu, Thanks for reaching out. So far our experience with KnowBe4 has been very positive both from an administrative perspective as well as from employee feedback. I’ll also add that our support, particularly what we’ve received from Zach Ange, has been nothing short of exceptional. All that to say, we’re still early adopters, but we’re very happy campers. Thanks for the fantastic product."
- V.E., Security Administrator

"Thank You for checking in. Jason has been very helpful and really great to work with. It didn’t take a lot of time to get the campaigns set up and running. More importantly, this immediately increased the level of Security Awareness as people began to ask their managers as well as me (outside IT Consultant) when they weren’t sure if an email was legitimate or not. I am pleased and the customer is pleased. I also find the newsletters about the latest scams that are happening very informative."
- G.J., IT Consultant

The 10 Interesting News Items This Week
    1. Delta Sues Vendor for Causing Data Breach:
    2. Financial Phishing Grows in Volume and Sophistication in First Half of 2019:
    3. Black Hat 2019: Addressing Supply-Chain Risk Starts with People, Microsoft Says:
    4. Responding to Firefox 0-days in the wild. Highly sophisticated phishing attack:
    5. The changing face of DDoS attacks: Degraded performance instead of total takedown:
    6. Roger Grimes latest CSO column - Beware Rogue Email Rules and Forms:
    7. City of Saskatoon loses $1 million to CEO fraudster posing as executive:
    8. The Dark Side of Russia: How New Internet Laws and Nationalism Fuel Russian Cybercrime:
    9. Kaspersky AV injected unique ID that allowed sites to track users, even in incognito mode:
    10. Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked:
    11. BONUS: Most Voters to Consider Candidates' Cybersecurity Records in Future Elections:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
