CyberheistNews Vol 9 #35 A State-of-the-Art Spoof (or, "Why Turning Your Users Into Grammar Nazis Won't Keep the Bad Guys Out.")


Here is a new, short executive summary by Eric Howes, KnowBe4's Principal Lab Researcher, of the trusted online services we've recently seen exploited in phishing emails, as well as a look at a dangerous phish that spoofs Microsoft OneDrive in a very slick fashion.

"Malicious actors are becoming very skilled at exploiting popular online services that enjoy the familiarity and trust of millions of users. And the phishing emails landing in users' inboxes are, likewise, becoming ever more dangerous and difficult to detect.

In some cases the bad guys use compromised accounts at popular online services to host and distribute their malicious files. Here's a short list of well-known services/brands we've recently seen exploited in this fashion:
  • Microsoft OneDrive/SharePoint
  • Google Docs
  • Dropbox
  • WeTransfer
  • Constant Contact
  • Evernote
We could add to the above list at least a half-dozen other, smaller file-sharing services. (Note that we make no claims that the above is a complete list -- just a list of those services we happen to see commonly exploited in phishing emails reported to us by customers using the Phish Alert Button, or PAB.) Continued:
Lateral Phishing Affects One in Seven Organizations

A survey by Barracuda found that one in seven organizations experienced lateral phishing attacks over the course of seven months, and that 42% of these attacks were not reported by recipients.

Lateral phishing is a type of attack that often follows email account takeover. After an attacker has successfully hacked one email account at an organization, they can use that account to send phishing emails to the victim’s co-workers. Since the emails are sent from an internal account, they’re usually trusted by security filters as well as recipients.

Barracuda says 63% of these attacks involved generic phishing lures that referenced account errors or claimed that a co-worker has shared a document.

30% of the incidents used more targeted templates that were relevant to a corporate environment. In 7% of the attacks, the attackers crafted highly targeted emails that were tailored to the specific organization. Additionally, some of the attackers would personally interact with their targets.

Attackers actively responding to users asking if this is legit

“Often, recipients of the lateral phishing emails replied to the hijacked account to ask whether the email was legitimate or intended for them,” Barracuda’s report says. “Across 17.5 percent of the hijacked accounts we studied, attackers actively responded to their recipients’ inquiries to assure the victim that the email was legitimate and safe to open (e.g., ‘Hi [Bob], it’s a document about [X]. It’s safe to open. You can view it by logging in with your email address and password.’).” Continued with links here:
[LIVE DEMO] Identify and Respond to Email Threats Faster with PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic... can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product that lets your Incident Response team identify and respond to email threats faster, and saves them a great deal of time in the process.

See how you can best manage your user-reported messages.

Join us, TODAY, Tuesday, August 27 @ 2:00 pm (ET), for a live 30-minute demo of the PhishER platform and a first look at PhishML, a new machine-learning module now available in the PhishER platform.

With PhishER you can:
  • *NEW* Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team.

Date/Time: TODAY Tuesday, August 27 @ 2:00 pm (ET)

Save My Spot!
Is the Ransomware Debate Over? To Pay or Not to Pay, the Conference of Mayors Made up Its Mind

It's a very hot topic, with 23 cities in Texas all becoming victims of a coordinated ransomware attack last week.

The long-standing argument over whether or not to pay may have come to an end, with a resolution from the U.S. Conference of Mayors calling on cities to not pay.

Unless you’ve been under a rock, you’ve heard the reasons for and against paying the ransom demand during a ransomware attack. Those for paying the ransom cite lower remediation costs (as would have been the case in the recent City of Baltimore attack, which will cost the city over $18M compared to the initial ransom of just $76K) and faster remediation time (the average ransomware attack spans 9.6 days). It’s been demonstrated that decryption keys provided upon payment of the ransom work to decrypt anywhere from 87% to 100% of the encrypted data.

Those against paying argue that it only incentivizes more attacks from more cybercriminals and doesn’t guarantee an ability to recover. I’d add that just because you’ve got the decryption key doesn’t mean you’ve rid your environment of any additional malware that made it through.

The resolution, sponsored by Baltimore mayor Jack Young, establishes that the Conference of Mayors vehemently opposes paying the ransom. Continued here with three hints to prevent ransomware disaster, and a link to the HackBusters discussion forum where you can voice your opinion and listen to your peers:
[Last Chance] Which of Your Users Put You at Risk? Find Out for a Chance to Win!

Almost every day we learn about a new data breach. This creates a very important need to address disclosed breaches. Do you know which of your users has put your organization at risk?

KnowBe4’s Password Exposure Test (PET) is a complimentary IT security tool that allows you to run an in-depth analysis of your organization’s hidden exposure risk associated with your users.

PET makes it easy for you to identify users with exposed emails publicly available on the web, and checks your Active Directory to see if they are using weak or compromised passwords that are part of a known data breach. PET then reports on any user accounts affected so you can take action immediately!

Plus, if you’re in the US or Canada, you will be entered for a chance to win a $500 American Express gift card.*

Get your results in a few minutes! You are probably not going to like what you see.

Find Your Weakness!

*Terms and conditions apply.
Get Your Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, Tuesday, September 10 @ 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements and ease your burden when it's time for risk assessments and audits.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST SP 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: Tuesday, September 10 @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: We've been named a finalist for the 2019 Computing Security Awards in the UK. If you could take 30 seconds and vote for us, I'd highly appreciate it! Thanks in advance:
Quotes of the Week
"I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it." - Thomas Jefferson

"The natural desire of good men is knowledge." - Leonardo da Vinci

Thanks for reading CyberheistNews
Security News
Scammers Impersonate Real Help Desks Via Search Results

Scammers are buying ads to push fraudulent customer support call center numbers to the top of search results, according to Naked Security. The scams are set up to impersonate major companies, so people who end up calling the scammers’ numbers believe they’re talking to a customer service desk. Voice assistants seem particularly vulnerable to hoodwinking.

As a result, the Better Business Bureau (BBB) has warned that people shouldn’t use voice assistants to look up and call phone numbers online. When a voice assistant like Siri, Alexa, or Google Home searches for a phone number, the user never sees which result it picked and can only trust that it chose the correct one.

The BBB describes a recent case in which a woman tried to use a voice command to call her airline’s customer service line in order to change her seat on a flight. The voice assistant accidentally connected her to a scammer who tried to convince her that the airline was running a special offer, telling her she only had to pay $400 in prepaid gift cards.

While voice assistants are especially susceptible to choosing the wrong phone number, humans can easily fall for this as well. The BBB recommends that people go to a company’s official website to find a customer support number, rather than relying on the number offered by the search engine.

New-school security awareness training can enable your employees to be mindful of how they come into contact with people over the phone or Internet. Naked Security has the story:
Secure Backups Are the Key to Fighting Ransomware

Secure backups are the primary countermeasure to ransomware attacks, according to Michael Gillespie at Emsisoft. On the CyberWire’s Hacking Humans podcast, Gillespie explained that backups can neutralize a ransomware attacker’s leverage over their victims.

“There's basically two factors in terms of why ransomware still even is a thing,” Gillespie said. “If everyone had proper backups, ransomware would never have been a thing—just simple as that. There'd be no profit for it because everyone would just be like, hit the restore button. That's how it should be. The second factor, of course, is the whole controversy of paying the bad guys. That's what keeps them going. But there'd be no reason to pay them if you had backups.”

Gillespie added that backup services have gotten cheaper and easier to use with the rise of cloud storage, which can be useful for organizations that operate on tight budgets. Backups that are stored offsite with no connection to the primary network can thwart attackers who try to locate and encrypt your backups.

“That is definitely a reason that you should have an offsite backup, such as a cloud backup,” he said. “Most good cloud backups - I know for certain Carbonite, Dropbox and Google Drive have a revision system, where, for example, if you get hit by ransomware and it uploads your encrypted files and overwrites your backup.”

Backups are an extremely important security measure, but they need to be kept secure. If your backups are stored in the cloud, it’s imperative that the credentials used to reach them can’t be taken along with a compromised workstation, and that the service keeps prior revisions, so an upload of encrypted files doesn’t overwrite the only good copy. Additionally, you can usually avoid the hassle of having to restore from backups in the first place if your employees can identify phishing attempts. New-school security awareness training can help you cover all of your bases by teaching your employees the importance of keeping secure backups while helping them avoid falling for phishing attacks. The CyberWire has the story:
Blank Emails Come Before BEC

Business email compromise has its reconnaissance phase, too. Researchers at Agari say they’ve found that blank, unsolicited emails are often an early sign that a BEC gang is targeting an organization. The blank message is a probe that confirms the address is live and belongs to a target the gang is interested in.

Agari’s blog outlines four links in the BEC “attack chain.” They are, in chronological order, “Target Generation,” “Lead Validation and Processing,” “Pre-Attack Testing,” and “BEC Attack.” The blank email arrives in the second link. The BEC gang wants a reasonable assurance that its attack will arrive in a live email box.

If the blank email, often with only the single letter “i” as its subject, does not bounce, then the criminals proceed with more confidence that they have found a live target.

When they speak of gangs, the researchers mean organized groups of BEC scammers, many of them based in Nigeria and known by such names as “London Blue,” “Scarlet Widow,” and “Curious Orca.” While some of these groups use legitimate lead gen services to verify their targets’ email addresses, Curious Orca’s probing is typically done manually, and they are said to be quite practiced at it.

“Since August 2018, a single Curious Orca associate has sent blank recon emails to more than 7,800 email addresses at over 3,200 companies in at least twelve countries,” Agari’s blog post said. “The validated contact information collected by this actor has contributed to a master targeting database containing more than 35,000 financial controllers and accountants at 28,000 companies around the world.”

One protective step Agari recommends is to configure inbound email filters to screen for messages without content. These could then be flagged to a security team for further investigation, and for a timely warning to the targeted individual.
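The content filter Agari suggests, as an added example that is not Agari's or KnowBe4's code: a Python triage script that parses raw messages and flags those from an external sender that carry an empty or one-letter subject (Agari's example is "i") and no visible body, whether the body is plain text or HTML that renders as nothing. The org domain example.com, the function names and every sample message below are constructed for illustration; in practice the messages would come from a journal or quarantine mailbox.

```python
"""Flag blank BEC reconnaissance emails (added example, not Agari's code).

Assumes raw RFC 5322 messages are available as strings and that the
protected organisation's domain is known. All samples are constructed.
"""
import html
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

ORG_DOMAIN = "example.com"       # assumption: the protected organisation's domain
TAG_RE = re.compile(r"<[^>]+>")  # crude tag stripper; enough to decide "is anything visible?"


def visible_text(msg: Message) -> str:
    """Concatenate the human-visible text of every text/* part."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_subtype() == "html":
            # &nbsp; becomes U+00A0, which str.strip() treats as whitespace
            text = html.unescape(TAG_RE.sub(" ", text))
        chunks.append(text)
    return "".join(chunks)


def is_blank_probe(raw_message: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True for an external sender, an empty or one-letter subject, and no visible body."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    if sender.rpartition("@")[2].lower() == org_domain:
        return False  # a blank from a colleague is almost always a slip of the finger
    subject = (msg.get("Subject") or "").strip()
    if len(subject) > 1:
        return False
    return visible_text(msg).strip() == ""


def triage(raw_messages):
    """Return (Message-ID, sender, recipient) for each flagged message, so the
    security team can investigate and warn the addressed individual."""
    flagged = []
    for raw_message in raw_messages:
        if is_blank_probe(raw_message):
            msg = message_from_string(raw_message)
            flagged.append((msg.get("Message-ID"), parseaddr(msg.get("From", ""))[1], msg.get("To")))
    return flagged


# --- constructed sample messages ---
PROBE = """From: Finance Desk <ap@mail-example.net>
To: controller@example.com
Subject: i
Message-ID: <probe-1@mail-example.net>
Content-Type: text/plain; charset="utf-8"

"""

HTML_PROBE = """From: "Lead Gen" <x@lists-example.org>
To: accounts@example.com
Subject:
Message-ID: <probe-2@lists-example.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>&nbsp;</p></body></html>
--b1--
"""

LEGIT = """From: Vendor Billing <billing@vendor-example.net>
To: controller@example.com
Subject: Invoice 4471
Message-ID: <inv-4471@vendor-example.net>
Content-Type: text/plain; charset="utf-8"

Hi, invoice 4471 is attached. Thanks.
"""

INTERNAL_BLANK = """From: Bob <bob@example.com>
To: alice@example.com
Subject:
Message-ID: <oops@example.com>
Content-Type: text/plain; charset="utf-8"

"""

SAMPLES = [PROBE, HTML_PROBE, LEGIT, INTERNAL_BLANK]

if __name__ == "__main__":
    for message_id, sender, recipient in triage(SAMPLES):
        print(f"flag {message_id} from {sender} -> warn {recipient}")
```

Two of the four samples are flagged: the plain-text probe with the one-letter subject and the HTML probe whose body is only an empty paragraph. The internal blank is deliberately ignored, since a colleague's empty message is far more likely to be a mis-click than reconnaissance, and the legitimate invoice passes on its subject alone. The sender-domain check is only a first cut; a mail filter that already enforces SPF/DKIM/DMARC should use the authenticated domain rather than the bare From header.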

That said, the blank email is also the sort of probe that employees should be aware of. Maybe it was a mistake. Maybe someone just transmitted prematurely. But it would not be out of order for people who receive a blank email to raise their guard. New-school security awareness training is the sort of protective measure that raises awareness of BEC lead validation, and of other steps in social engineering as well. Agari has the story:
What KnowBe4 Customers Say

"Stu, thank you for reaching out. In short, yes, we are happy campers. I suspect that what’s really important to you is WHY are we happy. I’ll take a moment to outline that, just as your staff has been forthcoming in supporting us.

Matthew Gleason was an outstanding salesperson. He listened to our needs, our schedule, our plans and our constraints. He worked patiently to be ready to respond to us when we were ready to go and when we were able to fit this into both our budget and our schedule.

At all times, he comported himself as a partner with us and a solution to our needs and never made us feel that he was working to close a deal on a deadline to earn a commission. He was all about helping us and meeting our needs. I encourage you to keep Matt.

Alexis Miske responded quickly to initial configuration and setup requests. Steve Donze was proactive throughout. He was a great resource to one of my summer interns who built and deployed our program. Furthermore, Steve kept an eye on our implementation and proactively suggested improvements and ways to leverage the capabilities beyond what we were doing organically so that we would have superior outcomes.

Stu – I think that you can see that all of my comments are about people and their interaction with us. We value that. Your people projected a supportive and helpful aura and that makes a difference. Of course, we also have leveraged many of the features of your solution (AD integration, automated campaigns and “smart” consequences, etc.), but it is your people who make a difference and result in your solution standing out. Thanks for checking in."
- S.J., Chief Technology and Innovation Officer

"Hi Stu, your product is phenomenal and the support through the onboarding process has been terrific. Our rep Jim Leuze has been an excellent resource in helping us understand all the ways to utilize KnowBe4’s platform, has been extremely responsive when we’ve run into roadblocks and has taught us the best practices for the training phishing campaigns. I’m telling you, I couldn’t be happier with the product and the help I’ve received in setting it up from Jim (and I want to be clear, I don’t know Jim in real life or have any connection to him prior to signing up with KB4). I’m recommending it to every customer we have when appropriate and fully expect to have several hundred more seats signing up here by the end of the year for training.

You have an excellent staff and product. We are very satisfied and plan to incorporate your training platform as part of our suggested security strategies for all clients going forward. So far our pilot client has been happy with the product and already I’m seeing fewer tickets related to spam from their company."
- J.R., Channel partner
The 10 Interesting News Items This Week
    1. IRS Reminds Taxpayers They Do Not Send Unsolicited Emails:

    2. KnowBe4 Applauds Proposed Legislation for Cybersecurity Training Requirement for U.S. House Members:

    3. Georgia Gov. Kemp Orders Cybersecurity Training For State Employees After Crippling Attacks:

    4. Interesting Microsoft article on why password complexity does not matter:

    5. Guy interviews phone scammer and learns about the operations. Pretty cool stuff:

    6. Chinese Cyberspies Continue Targeting Medical Research Organizations:

    7. Justice Department indicts 80 individuals in a massive business email scam bust:

    8. The Apple Card Difference: Security?:

    9. Portland school system [bankers] "stop" $2.9M BEC scam:

    10. OpenAI Just Released a New Version of Its Scary Fake News-Writing AI:

    11. Adult Content Site Exposed Personal Data of 1M Users:

    12. BONUS WEEKEND READING: What Is Cyberwar? The Complete WIRED Guide:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.
