CyberheistNews Vol 9 #49 [Heads-Up] In Just 3 Months, Google Alerted 12,000 People About Phishing Attacks by Nation-States

Google's Threat Analysis Group (TAG) delivered thousands of alerts of government-backed attempts to spearphish Gmail users over just a three-month period earlier this year.

TAG director Shane Huntley revealed that from July to September 2019 his team sent 12,000 warnings to users in 149 countries. From a heat map attached to the blog post, you can see that most were located in the US, South Korea, Pakistan and Vietnam.

“Over 90% of these users were targeted via ‘credential phishing emails’... attempts to obtain the target’s password or other account credentials to hijack their account,” he added.

“We encourage high-risk users — like journalists, human rights activists, and political campaigns — to enroll in our Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP is designed specifically for the highest-risk accounts.”
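Huntley's recommendation rests on a property worth seeing concretely: a FIDO security key signs a challenge over data that includes the origin the browser actually loaded, and the browser only lets a page use a relying-party ID that matches its own host, so a password-style replay from a lookalike domain has nothing to work with. The Python below is an added example written for this issue, not Google code and not a description of APP internals; the origins, RP ID and password are made up, and an HMAC over a shared secret stands in for the key's ECDSA key pair so the whole thing runs offline with the standard library only.

```python
# Toy model of why a hardware security key defeats credential phishing where a password
# cannot. Added example, not Google code; HMAC over a shared secret stands in for the key's
# ECDSA key pair, and origins, RP ID and password are constructed.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

REAL_ORIGIN = "https://accounts.example.com"             # constructed RP origin
RP_ID = "example.com"                                    # constructed RP ID
PHISH_ORIGIN = "https://accounts-example.com.evil.test"  # constructed lookalike

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sig(secret: bytes, rp_id: str, client_data: bytes) -> bytes:
    # Stands in for ECDSA over authenticatorData (which carries sha256(rpId)) || sha256(clientDataJSON)
    msg = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class SecurityKey:
    """Roaming authenticator: one credential per RP ID; it never sees the page origin."""
    def __init__(self):
        self._creds = {}  # rp_id -> credential secret
    def make_credential(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # handed to the RP at registration
    def sign(self, rp_id: str, client_data: bytes) -> bytes:
        if rp_id not in self._creds:
            raise LookupError(f"no credential for rpId {rp_id!r}")  # e.g. rpId 'evil.test'
        return _sig(self._creds[rp_id], rp_id, client_data)

class Browser:
    """Permits an rpId only if it is the page's host or a suffix of it, and records the
    page's true origin in clientDataJSON before the key signs over it."""
    def get_assertion(self, key, page_origin: str, rp_id: str, challenge: bytes) -> dict:
        host = urlparse(page_origin).hostname
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"rpId {rp_id!r} is not valid for {page_origin}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": _b64(challenge),
                                  "origin": page_origin}, sort_keys=True).encode()
        return {"client_data": client_data, "signature": key.sign(rp_id, client_data)}

class RelyingParty:
    def __init__(self, password: str, key_secret: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).digest()  # toy; real systems use a slow hash
        self._key_secret = key_secret
        self._pending = None
    def login_with_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, hashlib.sha256(password.encode()).digest())
    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(32)
        return self._pending
    def verify_assertion(self, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
            return False  # origin binding: anything signed on a phishing page dies here
        if self._pending is None or cd.get("challenge") != _b64(self._pending):
            return False  # unknown or already-used challenge
        ok = hmac.compare_digest(_sig(self._key_secret, RP_ID, assertion["client_data"]),
                                 assertion["signature"])
        if ok:
            self._pending = None  # challenges are single-use
        return ok

def run_scenarios() -> dict:
    """Victim: password 'hunter2' plus a registered key. Attacker: a page at PHISH_ORIGIN."""
    key, browser = SecurityKey(), Browser()
    rp = RelyingParty("hunter2", key.make_credential(RP_ID))
    out = {}
    # 1. A password typed into the phishing page replays fine: nothing binds it to an origin.
    out["password_replay"] = rp.login_with_password("hunter2")
    # 2. The phishing page relays the real challenge and asks the browser to sign for the real
    #    rpId; the browser refuses because example.com is not its host or a suffix of it.
    challenge = rp.issue_challenge()
    try:
        browser.get_assertion(key, PHISH_ORIGIN, RP_ID, challenge)
        out["phish_page_real_rpid"] = "signed"
    except PermissionError:
        out["phish_page_real_rpid"] = "browser refused"
    # 3. Even a signature over clientDataJSON naming the phishing origin is rejected by the RP.
    forged = json.dumps({"type": "webauthn.get", "challenge": _b64(challenge),
                         "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    out["relayed_wrong_origin"] = rp.verify_assertion(
        {"client_data": forged, "signature": key.sign(RP_ID, forged)})
    # 4. A genuine login from the real origin succeeds; replaying the same assertion does not.
    genuine = browser.get_assertion(key, REAL_ORIGIN, RP_ID, rp.issue_challenge())
    out["legitimate_login"] = rp.verify_assertion(genuine)
    out["replayed_assertion"] = rp.verify_assertion(genuine)
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} {result}")
```

Run it and the first scenario shows the harvested password logging straight in, while the same phishing page cannot get a usable signature from the key: the browser will not sign for an RP ID that does not match the page host (and the key would hold no credential for the phishing host anyway), a signature obtained with the wrong origin in clientDataJSON fails at the server, and a captured genuine assertion cannot be replayed because the challenge is single-use. That chain is what "strongest protections available against phishing" means in practice.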

Google's TAG tracks over 270 targeted and government-backed threat groups across 50+ countries, looking for activity that includes intelligence collection, IP theft, targeting of dissidents and activists, destructive cyber-attacks, and coordinated disinformation.

He also detailed efforts to detect and remove coordinated influence operations by Russian state hackers in Africa using “inauthentic news outlets to disseminate messages promoting Russian interests in Africa.” A total of 15 YouTube channels were removed as a result.

KnowBe4 would add that stepping high-risk users through new-school security awareness training is an absolute necessity in any organization's defense-in-depth strategy. Blog post with heat map:
https://blog.knowbe4.com/google-sent-12k-nation-state-phishing-warnings-in-three-months

[NEW WEBINAR] Spotting the Gaps: Is Your Traditional Security Stack Giving You a False Sense of Security?

Endpoint security, firewalls, VPNs, authentication systems... we’ve all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out? The unfortunate reality is that each of these security layers can provide hackers with a back-door right into your organization.

And we’re going to show you how.

In this exclusive webinar Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will show you shocking examples of significant vulnerabilities that social engineers and hackers use to circumvent these traditional security layers.

There is no need for a false sense of security. Better defend your network by learning:
  • The 3 most common causes of data breaches
  • Significant vulnerabilities recently discovered in common technologies
  • Kevin’s top tips for security defenders
  • Why security awareness training is a security layer you can’t afford to skip
Kevin will share new hacking demos that will scare the daylights out of you. Find out how to mitigate these risks before it’s too late.

Date/Time: Wednesday, December 11 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2145200/3615CE183ADC90EA68C783893B4F7FA9?partnerref=CHN1
Click Confessions of a Security Expert

Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, wrote: "As a “human security” expert, I used to take a lot of pride in my well-honed security hygiene. Yeah… that all ended back in early 2017 when I joined KnowBe4. You see, up until that time, I’d received a number of simulated phishes and attempted real phishes, and I’d even run my own simulated phishing programs and done extensive research on how cybercriminals trick us into clicking.

So, there I was feeling pretty confident in my own abilities when the unthinkable happened. I clicked. And it wasn’t just a one-time thing. I clicked on three simulated phishes over a two-month timeframe. I remember the feeling that came over me when I clicked the phish and got the big “Oops” page. I couldn’t believe it. I tried to rationalize and make excuses for myself. I was embarrassed and questioned everything I thought I knew about my so-called expertise.

Let me back up for a second. Here is one critical piece of information: each of these clicking events was on my mobile device: my phone. On my laptop/desktop, I still managed to ferret out any simulated phish sent my way — I had great habits that I’d honed over nearly two decades of everyday email use. But I had to face the fact that my mobile mindset and hygiene were lacking.

In each of the three scenarios, I was in a hurry, between errands, and traveling. And, each time, the phish’s pretext felt plausible: a message about an issue with my benefits (remember I was a new employee), a missed call/voicemail notification while traveling, and a fake Google Calendar invite.

After that humbling series of wake-up calls, I decided that I needed to make some drastic changes. I realized that the nature of mobile is inherently difficult. I needed to be much slower and more intentional to check links AND I needed to create a habit for myself to never react to a link in an email on my mobile if there is an app that will allow me to perform that same action (e.g. RingCentral, Google Calendar, LinkedIn, Twitter, etc.). And also, if I’m ever in doubt about an email, I wait until I get to a desktop/laptop before making a judgement as to whether the message is safe or a threat.

This also helps to put me into a different frame of mind and removes a bit of the reactiveness/urgency. Those new habits have helped me remain “click free” ever since (over 2.5 years so far!). So, here are the simple changes I made to clean up my mobile hygiene." Continued at the KnowBe4 Blog:
https://blog.knowbe4.com/click-confessions-of-a-security-expert
[LIVE DEMO] See Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, December 4 @ 2:00 pm (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Check out our new assessment feature and see how easy it is to train and phish your users.
  • NEW Assessments! Find out where your users are in both security knowledge and security culture to help establish baseline security metrics you can improve over time.
  • Train your users with access to the world's largest library of awareness training content and automated training campaigns with scheduled reminder emails.
  • Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
  • Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
  • Advanced Reporting on 60+ key awareness training indicators.
  • Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
  • Identify and respond to email threats faster. Enhance your incident response efforts with the PhishER add-on!
Find out how 30,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, December 4 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2140413/2BCA575A7DA7B836E57C7F0B20270A7A?partnerref=CHN2
Merchant Fined for Failing to Train Employees — Former NYDFS Superintendent Vullo Talks About Cybersecurity Regs

Mark Harrop, Director of Communications, Corporates at Thomson Reuters, made me aware of a very interesting interview with Maria Vullo, the former Superintendent of New York’s Department of Financial Services (NYDFS). The post starts out as follows:

"Companies must make cybersecurity a continuous priority as cybersecurity threats evolve and expand, often more quickly than does the technology, regulations, and best practices to counter them.

If corporate leaders do not understand how federal and local cybersecurity laws relate to their business operations, they may face substantial fines, all while trying to remedy issues of stolen proprietary or client data that often involve remediation costs, lost revenues, litigation costs, and reputation damage.

One regulatory regime that decided it would not wait for the federal government to act or for businesses to merely add sound protective measures over their data and networks after being hacked was New York’s Department of Financial Services (NYDFS).

By examining the cybersecurity regulation the NYDFS put into place — with the last component becoming effective this past March — even businesses not subject to it can learn from its prescriptions and get in front of the growing trend of increased regulatory oversight in this arena." Continued at the KnowBe4 Blog:
https://blog.knowbe4.com/merchant-fined-for-failing-to-train-employees-former-nydfs-superintendent-vullo-talks-about-cybersecurity-regs
See How You Can Get Audits Done in Half the Time at Half the Cost

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

We listened! KCM now has Compliance, Risk, Policy and Vendor Risk management modules, transforming KCM into a full SaaS GRC platform!

Join us TODAY, Tuesday, December 3 @ 2:00 pm (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. See how you can simplify the challenges of managing your compliance requirements across your organization and third-party vendors and ease your burden when it's time for risk assessments and audits.
  • Vet, manage and monitor your third-party vendors' security risk requirements.
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Date/Time: TODAY, Tuesday, December 3 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2140404/57F49900AE90863C9F3995DA7817FF05?partnerref=CHN2

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"We must believe that we are gifted for something, and that this thing, at whatever cost, must be attained." - Marie Curie, Physicist and Chemist (1867 - 1934)

"The greater danger for most of us lies not in setting our aim too high and falling short; but in setting our aim too low, and achieving our mark." - Michelangelo, Artist (1475 - 1564)

Security News
Phishing Simulations Should Be Educational, Not Punitive

Phishing training programs need to be focused on educating employees rather than on shaming them, according to David Spark and Allan Alford, co-hosts of the Defense in Depth podcast. On the CyberWire’s Hacking Humans podcast, Spark and Alford said most people don’t have an adequate understanding of social engineering tactics.

“I think it's minimal at most,” Spark said. “I mean, honestly, most people hear little tidbits here and there. But I think the most common thing that is happening is the spearphishing attacks where people know the people to go after within an organization to be able to get the money.”

Alford emphasized that phishing emails have grown much harder to spot, and employees need to be taught to take the circumstances into account rather than just looking for visible warning signs in an email.

“One of the things I always do is I warn them, you know, what are the key signs that it's a bad email?” Alford said. “It used to be in the olden days, you know, oh, oh, bad grammar, and, you know, it's obviously somebody that's scamming me - you know, give money now please. And they don't even spell ‘please’ right, and they don't use a period....

Now it's so much more sophisticated, and so you have to get into the psychological tricks that the bad guys use and incorporate that and get those lessons on the table in your training, right? A false sense of urgency, appealing to your sense of curiosity, appealing to your sense of greed.” Continued:
https://blog.knowbe4.com/phishing-simulations-should-be-educational-not-punitive
The Top Lesson From the Recent Louisiana 2,000-Server Ransomware Infection

The biggest threat to government networks remains users being tricked into clicking on malicious links, according to the commander of the Louisiana National Guard’s cyber protection unit. Major Alan Dunn told StateScoop that the greatest challenge in protecting a network is ensuring users are trained to recognize and avoid suspicious links and attachments.

Louisiana suffered a ransomware attack last week that took down more than two thousand of the state’s computers and servers. The ransomware apparently entered the network after a user downloaded an unauthorized file. Most malware attacks begin this way: only one user needs to fall for a phishing attempt for the attackers to gain a foothold.

“There’s always that one user who gets the email and wants to click on it,” Dunn said. “I’ve got in-laws who do it.”

Dunn emphasized that the vast majority of these attacks could be prevented if users had been trained to recognize phishing attacks. “My thing would be user education, user education, user education,” Dunn said. “It’s users not having the proper education, clicking on the phishing link. That’s 85 to 90 percent of your battle. If people do what they’re supposed to do, you’re going to be secure.”
https://blog.knowbe4.com/the-top-lesson-from-the-recent-louisiana-2000-server-ransomware-infection-user-education
What KnowBe4 Customers Say

"Stu, I appreciate you reaching out. Yes, we've been loving KnowBe4! It was everything I was hoping for in a phishing tool and more. Your folks are awesome, from Denise Larsen walking us through the sales process to Nick Orgera setting me up, training me and answering my questions in a very timely manner. The whole team over there has just been amazing.

I really appreciate everything the platform has to offer. Security awareness across the company has gone up dramatically, everyone is in a good security-oriented mindset, we are catching phishing emails that are making it through Gmail's filters and blacklisting the domains on Gmail thanks to the Phish Alert tool in Outlook (in 2 days I've already blocked 3 obvious phishing domains that our employees have reported.)

We also work closely with Rootworks who handle a lot of our training and technology resources and they recently had a webinar about "3 things to consider before tax season" and Christopher Dickens (CIO) spoke very highly of your platform so it's nice to know others in our industry utilize and appreciate your platform. Have a great rest of your week!"
- S.L., IT Director



KnowBe4 Content in Dozens of Languages

Our new multi-language support and localization page is live and gives you an immediate overview of what is available and localized in which language. As we add even more languages, we'll be sure to update it!
https://www.knowbe4.com/security-awareness-training-languages
The 10 Interesting News Items This Week
    1. Auditors Uncover Tens of Thousands of Critical Security Gaps At Energy Facilities:
      https://www.nextgov.com/cybersecurity/2019/11/auditors-uncover-tens-thousands-critical-security-gaps-energy-facilities/161539/

    2. New DeathRansom Ransomware Begins to Make a Name for Itself:
      https://www.bleepingcomputer.com/news/security/new-deathransom-ransomware-begins-to-make-a-name-for-itself/

    3. Are Losses Resulting from Phishing Incidents Covered by Crime Policies Insuring Against Computer Fraud?:
      https://www.jdsupra.com/legalnews/are-losses-resulting-from-phishing-29372/

    4. It's Way Too Easy to Get a .gov Domain Name:
      https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/

    5. Meet Kilos, a New Search Engine for the Dark Web:
      https://www.securityweek.com/meet-kilos-new-search-engine-dark-web

    6. Barracuda: "Inefficient Response to Email Attacks Costly to Organizations":
      https://www.cutimes.com/2019/09/26/inefficient-response-to-email-attacks-costly-to-organizations-barracuda-networks/

    7. Good ammo for C-level execs at the WSJ, "Rise of the Digital Human" explains deepfakes:
      https://www.wsj.com/video/rise-of-the-digital-human/5CE77198-95C3-48A2-A0B1-FEC376864F19.html?

    8. As Venezuela’s economy struggles, some of its citizens turn to a lucrative gig: Cybercrime:
      https://www.nbcnews.com/tech/tech-news/venezuela-s-economy-struggles-some-its-citizens-turn-lucrative-gig-n1089701

    9. iPhone users warned to be on alert for phishing attacks:
      https://www.stuff.co.nz/business/117674579/iphone-users-warned-to-be-on-alert-for-phishing-attacks

    10. Hackers have reportedly figured out how to reactivate peoples' canceled Netflix accounts and start charging them again for monthly subscriptions:
      https://www.businessinsider.com/netflix-hackers-reactivating-canceled-accounts-2019-11
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.