CyberheistNews Vol 9 #45 [Heads-Up] Scam of the Week: Phishing Attacks Using Better Benefits and Pay Raise Bait


Worldwide, millions of employees use KnowBe4's Phish Alert Button to report suspect emails, and thousands of organizations share these reports with us.

This has become a fascinating threat source, because these phishy emails have already made it through all the filters. We see in near real time what the bad guys are up to and which campaigns are live in the wild. So here is the latest Scam of the Week.

Bad guys are now capitalizing on the benefits election/enrollment season and the yearly pay raise process, which usually goes into effect Jan 1st. The criminals are still improving their game; these benefits and pay-themed phishing emails are not yet quite as convincing as the recent tax-themed phishing attacks.

However, you and your users need to be aware of the pay raise and benefits enrollment phishes that have been reported to us by customers using the Phish Alert Button (PAB) over the past several weeks, most of which are front doors to credential phishes. Some of them are simply bad, but some are quite creative and take the shape of a personalized benefits survey.

Another form is a phish where your users are invited by their "HR department" to check out their pay increase "as part of a larger organization-wide effort to raise salaries". The phish contains a link that looks like a SharePoint document but leads to a credential-phishing landing page.

I suggest you send the following to your employees, friends and family. Feel free to copy/paste/edit:

ALERT: Internet criminals are now sending phishing attacks related to benefits enrollment and potential pay raises. So, when you get any email or perhaps even a robo-call from "HR" about your "2020 benefits" or "next year's pay raise", do not click any links or open any attachments, but report these suspect emails to the IT department. In case you have questions about your benefits or pay, pick up the phone and call the HR department using the regular, correct extension.

NEVER click on any link in these emails, or "reply" and attach personal information because both the "From" and the "Reply" email address may be spoofed and you would send confidential information to criminals. Think Before You Click.

Here is the blog post with example screenshots and links:
[WEBINAR TODAY] See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk Management modules, transforming KCM into a full SaaS GRC platform!

Join us, TODAY, November 5 @ 2:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and ease your burden when it's time for risk assessments and audits:
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with 80+ pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TODAY, November 5 @ 2:00 PM (ET)

Save My Spot!
[Heads-Up] North Korean Malware Found on Indian Nuclear Plant's Network

I am not a happy camper. This is exactly why I have been insisting on security awareness training for employees at critical infrastructure organizations. This could have been a real-life Halloween horror story.

The malware infected only the plant's administrative network, which is air-gapped from the power plant's control network (and the infection could even have been accidental), but.... Natanz/Stuxnet, anyone?

ZDNet broke the news: "The network of one of India's nuclear power plants was infected with malware created by North Korea's state-sponsored hackers, the Nuclear Power Corporation of India Ltd (NPCIL) confirmed today.

Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO), pointed out that a recent VirusTotal upload was actually linked to a malware infection at the KNPP.

The particular malware sample included hardcoded credentials for KNPP's internal network, suggesting the malware was specifically compiled to spread and operate inside the power plant's IT network. Several security researchers identified the malware as a version of Dtrack, a backdoor trojan developed by the Lazarus Group, North Korea's elite hacking unit." Continued:
[LIVE EVENT TOMORROW] See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, November 6 @ 2:00 pm (ET), for a live demo of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a FIRST LOOK at our new assessment feature and see how easy it is to train and phish your users.
  • NEW Assessments! Find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
  • Identify and respond to email threats faster. Enhance your incident response efforts with the PhishER add-on!
Find out how 29,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, November 6 @ 2:00 pm (ET)

Save My Spot!
Ransomware Attack Causes School 'District-Wide Shutdown'

A ransomware attack hitting Las Cruces Public Schools forced the district to shut down the entire computer system to contain the infection. Exchanging information between schools was impaired, as email and other forms of computer-based communication were no longer possible.

Swift Action Did Not Save the Day

The district activated the crisis response team and is now working to restore critical services. It is unclear at this point how long the systems will be down. The IT department discovered early last Tuesday morning that some servers were compromised by ransomware and reacted quickly by shutting down the entire computer network of the district.

In the meantime, communication with schools in the district is done via phones and handheld radios. Although the incident is serious, schools remained open and their activity follows the normal schedule; classes are not being disrupted.

"At this time we do not believe staff or student data has been breached or compromised," district officials said in a statement for Las Cruces Sun News. Story continued at BleepingComputer:
[NEW WEBINAR] Third-Party Phishing: The New Spear-Phishing Attacks That Traditional Defenses Just Don’t Stop

Joe in accounting is pretty cyber-savvy. He doesn’t fall for basic phishing emails with masked URLs or phony password reset requests. But what happens when Joe gets an email from a trusted third-party vendor disputing a recent payment and demanding action? If that third-party vendor has been compromised it could very well be the bad guys sending Joe a spear-phishing attack from the vendor’s domain. And if it is, you could be in trouble. Big trouble...

Because third-party phishing attacks look like legitimate emails from your vendors’ domains, traditional defenses often don't work against them or they are severely weakened. Your only defense is a strong human firewall. Find out how third-party phishing attacks operate, how you can spot them, and learn what defenses do and don't work against them.

Join Roger Grimes, KnowBe4’s Data-Driven Defense Evangelist, to see:
  • Real third-party phishing schemes
  • Why traditional defenses won’t stop them
  • Ways to identify a third-party attack
  • How to build a strong human firewall
  • Actionable steps you can take now to protect your network
Date/Time: Thursday, November 21st @ 2:00 PM (ET)

Save My Spot!

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

PS: KnowBe4 is now officially FedRAMP Authorized. This is actually a big deal because we're the first and only security awareness training and simulated phishing provider to receive this status. Read all about it:
Quotes of the Week
"The greatness of a man is not in how much wealth he acquires, but in his integrity and his ability to affect those around him positively."
- Bob Marley - Musician (1945 - 1981)

"It is literally true that you can succeed best and quickest by helping others succeed."
- Napoleon Hill - Author (1883 - 1970)

Thanks for reading CyberheistNews
Security News
SAVE THE DATE!! KnowBe4 User Conference - April 15-17, 2020

KB4-Con is designed for CISOs, security awareness training program admins and InfoSec professionals. 2020 will be here before you know it, so start planning what conferences you want to attend now.

KnowBe4’s third annual KB4-Con user conference will be held April 15-17, 2020 at the Gaylord Palms Resort & Convention Center in Orlando, FL. KnowBe4 customers get two free event passes per organization! Additional customer attendees are welcome for a fee.

Conference registration will open later this quarter. Stay Tuned!

*Flight and hotel are not included.
National Cybersecurity Awareness Month Is Over... Now What?

As we wrap up the 2019 National Cyber Security Awareness Month (NCSAM), let’s all agree that our work is not done. As a matter of fact, it’s far from being done. If we are really honest with ourselves, I would even go so far as to say that we have continued to lose ground in the battle against cyber criminals. Why would I say such a thing? Well, it’s the simple truth.

Year after year, the losses become greater, the impact of cyber attacks becomes more significant and, thanks to countless breaches, our private data becomes less private. Remembering back, my first memorable cyber incident was the “Melissa” virus back in 1999. This was a mass-email virus spread in a Word macro that sent itself to the first 50 contacts in Outlook. I was in a hallway meeting with my coworkers when all of our 2-way pagers (yes, I’m that old) went off at the same time. After reading the first couple of lines of the message, I made a run for the Exchange server and unplugged the network cable.

While the virus was not particularly damaging in itself, the load it put on my server caused it to crumble like a tower of Jenga blocks, which, in turn, caused a ton of file corruption and sent me to the backup tapes. Between restoring the server and cleaning up the queued messages on the endpoints, I ended up spending about 26 hours fixing the issues. I thought it was bad. It felt like it was really bad.

Compared to the things we are seeing today, that was just a minor inconvenience. Continued:
Phishing in Office 365's Pond

Heimdal Security has come across a phishing campaign that uses compromised accounts to target Microsoft users. The attackers use email and social media accounts they’ve already breached to send malicious links to the hacked accounts’ contacts, so the targets receive the phishing messages from someone they trust.

For example, one of Heimdal’s employees received a message from one of their LinkedIn contacts. The messages contain business-related attachments that redirect users to a spoofed Microsoft Office 365 login portal, which has been set up to steal credentials. The page is identical to Microsoft’s real login page, but Heimdal notes that the URL is not even close to Microsoft’s, which should tip off observant users.

The first domain was iradistribution[.]sofiatsola[.]com, and the second was markaldriedgehomes[.]com. Heimdal notes that most cybersecurity solutions still don’t flag these sites as malicious. Both of the phishing domains Heimdal identified were modified five months ago, indicating that this campaign has probably been running for a while.

The company expects to see more of these domains pop up in the coming weeks. Heimdal recommends a combination of technical and human defenses to fight these attacks. DNS traffic filtering technology can help block malicious sites, and new-school security awareness training can teach your employees how to identify and thwart the attacks that get through. Heimdal Security has the story:
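Two of the tells this issue keeps coming back to can be checked mechanically before a message ever reaches a user: a "Reply-To" address that belongs to a different organization than the "From" address (the alert text at the top of this issue), and a sign-in link whose host is nowhere near the real provider's (the Heimdal story above). The script below is an added example written for this page, not KnowBe4's or Heimdal's code. The two sample messages are constructed; the flagged host is the first de-fanged domain from the Heimdal story; the set of expected Microsoft sign-in hosts and the keyword list are assumptions you would tune to your own environment.

```python
"""Triage helpers for two phishing tells: a Reply-To domain that differs from
the From domain, and a "login page" link hosted outside the expected
identity-provider hosts. Added example, not KnowBe4 or Heimdal code."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts a genuine Microsoft sign-in link is expected to use. Assumption for
# the example; add your own tenant's SSO hosts in a real deployment.
EXPECTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Words in a URL suggesting the link claims to be a sign-in or document page.
LOGIN_HINTS = ("login", "signin", "office365", "o365", "sharepoint", "microsoft")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample messages. The host in PHISH is the first domain from the
# Heimdal story (de-fanged there as iradistribution[.]sofiatsola[.]com).
PHISH = """\
From: HR Department <hr@example-corp.com>
Reply-To: benefits-team@example-mail-host.net
Subject: Your 2020 benefits enrollment
Content-Type: text/plain; charset="utf-8"

Your updated benefits summary is ready for review:
https://iradistribution.sofiatsola.com/office365/login
"""

LEGIT = """\
From: HR Department <hr@example-corp.com>
Subject: Open enrollment reminder
Content-Type: text/plain; charset="utf-8"

Sign in to the portal as usual: https://login.microsoftonline.com/
"""


def registrable_domain(address_or_host):
    """Last two labels of a host: 'user@mail.example.com' -> 'example.com'.
    Fine for the demonstration; production code should consult the Public
    Suffix List so names like 'example.co.uk' are grouped correctly."""
    host = address_or_host.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def reply_to_mismatch(msg):
    """True when Reply-To points at a different organization than From.
    No Reply-To header means replies go back to From, so no mismatch."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if not from_addr or not reply_addr:
        return False
    return registrable_domain(from_addr) != registrable_domain(reply_addr)


def suspicious_login_links(body):
    """URLs that look like sign-in or document links but are hosted outside
    EXPECTED_LOGIN_HOSTS."""
    flagged = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        looks_like_login = any(hint in url.lower() for hint in LOGIN_HINTS)
        if looks_like_login and host not in EXPECTED_LOGIN_HOSTS:
            flagged.append(url)
    return flagged


def triage(raw_message):
    """Parse one RFC 5322 message and return both findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    return {
        "reply_to_mismatch": reply_to_mismatch(msg),
        "suspicious_links": suspicious_login_links(msg.get_content()),
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

Running the script flags the constructed phish on both counts and leaves the legitimate reminder clean. Neither check is a verdict on its own: marketing platforms legitimately set a foreign Reply-To, and a lookalike host can be caught only if the expected-host list is kept current, which is why the story above pairs DNS filtering with user training rather than relying on either alone.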
What KnowBe4 Customers Say

"Stu, As an IT Manager who is tasked with ensuring that all employees receive relevant IT security awareness training, I would like to express my sincere gratitude to you and your company for providing the video campaign called the ‘Inside Man.’ Rather than being the thorn in everyone’s side by forcing employees to sit through dry and uninteresting speeches about spoofing and phishing, I actually received many accolades for the story that was presented in those videos. This is a landmark in all my years of IT management where training was deemed to be enjoyable by so many, and that means that they were paying attention. As a result, the message has a far better chance of being understood. Thank you for the excellent content, and I hope there are more videos like this available in the coming years."
- K.R., Systems Manager

[NEW FEATURE] KnowBe4 Assessments Help Gauge Proficiency of Your Users

You can now test your users' security awareness proficiency and also their sentiment towards your security culture. Quite a few powerful features!

The KMSAT October Content and Feature Product Update came out this week:

It's posted on our blog, all kinds of good stuff:
The 10 Interesting News Items This Week
    1. Facebook has made a tool to trick facial recognition systems:

    2. Cyber attack on Asia Pacific ports could cost $110bn -- Lloyd's List:

    3. "50 years ago, I helped invent the internet. How did it go wrong?":

    4. Johnson City replacing nearly 300 computers after ransomware attack:

    5. Russia officially introduced a 'sovereign internet' law to let Putin cut off the entire country from the rest of the web:

    6. Agari's much-anticipated quarterly email security trends report came out:

    7. Chinese Cyberspies Use New Malware to Intercept SMS Traffic at Mobile Operators:

    8. Phishers strike at mobile wellness app company:

    9. Ransomware with a difference as hackers threaten to release city data:

    10. Check out this 2-minute video of the super-handy (and free) Mailserver Assessment Tool which saves you oodles of time:
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.