CyberheistNews Vol 9 #50 [Heads Up] Iran Has Launched Evil New Malware That Wipes Your Windows Workstations

IBM warns that Iran’s state-sponsored hackers have deployed a new strain of malicious wiper malware, which has been aimed at the “industrial and energy sectors” in the Middle East, but you can expect that to expand worldwide.

No specific companies have been identified, but there’s no surprise in the nature of the attack. For Iran, its ongoing hybrid conflict with the U.S. and its allies has made these sectors a target. IBM has attributed the latest “destructive attacks” to Iran’s hyperactive APT34 “and at least one other group, [also] likely based out of Iran.”

APT34 has hit the headlines a few times this year, including with a phishing attack using LinkedIn. But it’s the identity of that “one other group” that’s arguably more interesting. The sectoral targets and the use of wiper malware point towards Iran’s APT33, arguably the best known of its threat actors.

This is the group behind the Microsoft Outlook exploit in July, prompting a U.S. government warning, and which deployed its own VPN to veil “aggressive attacks” on U.S. and Middle East targets in the oil and gas sector.

APT33 was also behind the infamous 2012 Shamoon attack on Saudi Aramco, an attack which erased the data on most of the company’s 20,000 computers. Full story with links:
https://blog.knowbe4.com/heads-up-iran-has-launched-evil-new-malware-that-wipes-your-windows-workstations
Why You Need to Check Your Email Attack Surface Again - New Breach Data Sources

Data breaches are getting bigger, the bad guys are getting more cunning, and the amount of compromised data is unfortunately continuing to rise. Your organization’s vulnerability to data breaches is directly proportional to how big your email attack surface is. The more email addresses and identities exposed on the internet, the easier it is for hackers to launch social engineering, spear phishing and ransomware attacks on your users.

Find out your email attack surface now with the NEW version of KnowBe4’s Email Exposure Check Pro (EEC). EEC Pro continues to identify your at-risk users by crawling business social media information and now thousands of breach databases.

Using new breach intelligence from SpyCloud, EEC Pro leverages one of the largest and most up-to-date breach data sources to help you find even more compromised accounts that have been exposed in the most recent data breaches - fast.

With the largest collection of recovered breach data in the world, with nearly 80 billion records, SpyCloud gives EEC Pro users a great tool to stay ahead of account takeovers.

The EEC Pro is done in two stages:
  • Does deep web searches to find any publicly available organizational data.
  • Finds any users that have had their account information exposed in any of several thousand breaches.
DO THIS COMPLIMENTARY TEST NOW

Get your new EEC Pro Report in less than 5 minutes! It’s often an eye-opening discovery.
https://info.knowbe4.com/email-exposure-check-pro-chn
You Can’t Always Trust a Dot-Gov Domain

It may be easier than one thinks to register a dot-gov domain, according to KrebsOnSecurity. People have tended to regard URLs with the top-level domain dot gov as generally reliable, but this may need to change.

KrebsOnSecurity says it “received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a ‘.us’ domain name, and impersonating the town’s mayor in the application.”

The US General Services Administration (GSA) is responsible for managing dot gov top-level domain registration, and the experimenter received the domain he asked for. The researcher chose Exeter, Rhode Island, for the “thought experiment,” and it appears that the GSA did not contact the town to verify that the request came from them until some days after KrebsOnSecurity informed the GSA that they may have a problem.

We are accustomed to seeing government offices and agencies impersonated with a plausible name that comes with a dot-com top-level domain. A famous one about a decade ago was whitehouse dot com, which led to an adult site, and not to the President of the United States, whose domain of course is whitehouse dot gov.

The giveaway in that case was the dot com top-level domain. But the experiment KrebsOnSecurity reports suggests that it may be disturbingly easy to spoof a dot gov domain: it appears that, at the time of the posting, houston .gov, losangeles .gov, newyorkcity .gov, and philadelphia .gov were all available.

Both GSA and the Cybersecurity and Infrastructure Security Agency (CISA) are investigating, and looking into ways of tightening domain registration. We urge everyone not to attempt this kind of experiment on their own, since it amounts to wire fraud, but the incident should open our eyes to fresh possibilities of social engineering.

As fraudsters advance in cunning and ingenuity, new-school security awareness training becomes even more important to arm your employees with the healthy skepticism every organization needs to stay safe. KrebsOnSecurity has the story:
https://krebsonsecurity.com/2019/11/its-way-too-easy-to-get-a-gov-domain-name/
[NEW WEBINAR] Kevin Mitnick Presents: Is Your Traditional Security Stack Giving You a False Sense of Security?

Endpoint security, firewalls, VPNs, authentication systems… we’ve all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out?

The unfortunate reality is that each of these security layers can provide hackers with a back-door right into your organization. And we’re going to show you how.

In this exclusive webinar Kevin Mitnick, the World's Most Famous Hacker and KnowBe4's Chief Hacking Officer, and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will show you shocking examples of significant vulnerabilities that social engineers and hackers use to circumvent these traditional security layers.

A false sense of security is dangerous. Better defend your network by learning:
  • The 3 most common causes of data breaches
  • Significant vulnerabilities recently discovered in common technologies
  • Kevin’s top tips for security defenders
  • Why security awareness training is a security layer you can’t afford to skip
Kevin will share new hacking demos that will scare the daylights out of you!

Find out how to mitigate these risks before it’s too late.

Date/Time: TOMORROW, Wednesday, December 11 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/2145200/3615CE183ADC90EA68C783893B4F7FA9?partnerref=CHN2
Netflix "Account Freeze" Phishing Campaign in the Wild

A Netflix phishing scam is going after users’ payment information and Netflix credentials, according to Naked Security. The phishing emails inform recipients that they’ve missed a payment and they’ll need to log in and fix their billing information to resolve the issue.

To get through your email filters, the emails themselves contain some glaring typos and grammatical issues, including repeated misspellings of “invoice” as “invoce,” and the phrase “you local bank being held a transaction.”

The phishing site itself is more convincing, however. The scammers took the time to obtain a valid HTTPS certificate, and they’ve hosted the site on a subdomain with a very long URL consisting of random characters. As a result, the primary domain is pushed out of sight in the browser bar, so the user doesn’t realize they aren’t on netflix.com.

The login page looks perfectly legitimate, as does the page to enter payment card details. The scammers made another mistake, however, by including an intermediate page that asks users how they want to pay their bill in order to “resrtart” their membership. This page offers a number of options, including one to purchase gift cards. The option to buy gift cards is inexplicably written in French, unlike the rest of the page. Remind your users. More detail:
https://blog.knowbe4.com/netflix-account-freeze-phishing-campaign-in-the-wild
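Added example, not from the newsletter or from KnowBe4: a defender-side triage check for URLs your users report, flagging the pattern described above, where a brand name and a long random subdomain sit in front of an unrelated registrable domain. The brand list, the thresholds and the sample URLs are constructed assumptions, and the two-label registrable-domain rule stands in for a real Public Suffix List lookup.

```python
# Added example (not the newsletter's or KnowBe4's code). Assumptions: BRAND_DOMAINS,
# the thresholds and the sample URLs are constructed; "last two labels" is a
# simplification of the Public Suffix List.
import math
from collections import Counter
from urllib.parse import urlsplit

# Brands that should only ever appear under their own registrable domain (constructed).
BRAND_DOMAINS = {"netflix": {"netflix.com"}}
MAX_HOST_LEN = 60            # longer hosts push the real domain out of a narrow address bar
RANDOM_LABEL_MIN_LEN = 16
RANDOM_LABEL_ENTROPY = 3.5   # bits per character; human-written labels score well below this


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification of the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random alphanumeric strings score above ~3.5."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def assess_url(url: str) -> dict:
    """Parse the host, derive its registrable domain and list findings (empty = nothing odd)."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    subdomain = host[: -len(reg) - 1] if host != reg and host.endswith("." + reg) else ""
    findings = []
    # 1. A brand name in the host while the registrable domain belongs to someone else.
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host and reg not in owned:
            findings.append(f"'{brand}' appears in the host but the registrable domain is {reg}")
    # 2. Hostnames this long hide their last labels in a narrow browser address bar.
    if len(host) > MAX_HOST_LEN:
        findings.append(f"hostname is {len(host)} characters long")
    # 3. A long, high-entropy label is typical of random subdomains used to pad the URL.
    for label in subdomain.split("."):
        if len(label) >= RANDOM_LABEL_MIN_LEN and shannon_entropy(label) > RANDOM_LABEL_ENTROPY:
            findings.append(f"subdomain label {label!r} looks like random characters")
    # The scheme is deliberately not a signal: a valid HTTPS certificate says nothing about intent.
    return {"host": host, "registrable_domain": reg, "findings": findings}


def is_suspicious(url: str) -> bool:
    return bool(assess_url(url)["findings"])


if __name__ == "__main__":
    # Constructed samples: a genuine Netflix page and a lure shaped like the campaign above.
    for sample in ("https://www.netflix.com/login",
                   "https://netflix.com.account-verify.q7x9k2mzp4vb8ln3ta6yc0dh5rw1.example.net/invoce"):
        result = assess_url(sample)
        print(result["registrable_domain"], "->", result["findings"] or "no findings")
```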
[Live Demo] Identify and Respond to Email Threats Faster With PhishER

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. The increase of this email traffic can present a new problem!

With only approximately 1 in 10 user-reported emails being verified as actually malicious, how do you handle the real phishing attacks and email threats —and just as importantly— effectively manage the other 90% of user-reported messages accurately and efficiently?

Now you can with PhishER, a product which allows your Incident Response team to quickly identify and respond to email threats faster. This will save them so much time!

See how you can best manage your user-reported messages.

Join us, Wednesday, December 18 @ 2:00 pm (ET) for a live 30-minute demonstration of the PhishER platform. With PhishER you can:
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Augment your analysis and prioritization of user-reported messages with PhishML, PhishER’s new machine-learning module
  • See clusters of messages to identify a potential phishing attack against your organization
  • Meet critical SLAs within your organization to process and prioritize threats and legitimate emails
  • Integrate easily with KnowBe4’s email add-in button, Phish Alert; forwarding to a mailbox works too!
Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, December 18 @ 2:00 pm (ET)

Save My Spot!
https://event.on24.com/wcc/r/2140417/88BECD9319D002690E39B6770A9364AE?partnerref=CHN1
Distracted in Target. And Clicking...

It was an average Sunday…laundry, errands, football. I was standing in the checkout line at my favorite store, Target, when my son texted to remind me to get the Tostitos Scoop chips he asked for, which I of course forgot, because I was already plotting out the trip to my next stop trying to circumvent the lazy Sunday drivers.

So, out of line and back into the store to find the chips. Along the way, my phone was going off like the winner of a Las Vegas slot machine jackpot. While trying to navigate the aisles and all of the reckless cart drivers (me included), I pulled out my phone to start scanning through the barrage of emails. Let’s start there: I am not a good scanner.

It was all pretty harmless…an email from Apple suggesting that someone signed onto my account from an unknown device. Immediately, I felt my body temperature rise to a volcanic level. No doubt one of my boys allowed a friend to sign onto our account, or so I thought. Instead of pausing to check with said boys, I clicked on the potential phishing email.

You know when you are in the process of doing something and you realize you should NOT be doing it a second too late…yep, that was me, in Target. My volcanic state quickly turned to panic: How could this happen? How could I fall for this? Take-backs allowed? Continued at the KnowBe4 blog:
https://blog.knowbe4.com/distracted-in-target

Let's stay safe out there.

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"Whatever the cost of our libraries, the price is cheap compared to that of an ignorant nation."
- Walter Cronkite

"Per aspera ad astra" is a popular Latin phrase meaning "through hardships to the stars."



Thanks for reading CyberheistNews
Security News
Phishing for Selfies

Researchers at Kaspersky Lab have observed a spike in fraud surrounding the use of selfies to gain access to sensitive data, Planet Biometrics reports. Some legitimate online services ask users to upload a photo of themselves holding their ID in order to verify their identity.

If a scammer gets their hands on one of these photos, they can impersonate you online. These photos are valuable on the black market for this reason.

Scammers are collecting these types of selfies via phishing emails that purport to come from payment services and banks. The emails try to convince recipients to go to legitimate-looking phishing sites and upload a selfie with their ID visible.

Tatyana Sidorina from Kaspersky said the level of phishing in Q3 2019 remained steady, but scammers continued to shift tactics.

“While the overall volume of spam and phishing is on a steady level, we can see the scammers are increasingly exploiting new pretexts and ways to compromise victims,” Sidorina said. “Make sure you stay secure in the pre-holiday season when vigilance tends to fall.”

It’s best to avoid uploading selfies with your ID at all, if possible, because anything you upload to the internet can potentially be stolen at some point. If you do need to do so, make absolutely certain you’re on the correct site and verify that the service is legitimate.

New-school security awareness training can enable your employees to keep their information safe by teaching them security best practices. Planet Biometrics has the story:
https://www.planetbiometrics.com/article-details/i/10660/desc/cyber-fraudsters-increasingly-collecting-users-selfies-and-ids/
Spoofing the RCMP

A Canadian woman, Julia-Shea Baker, lost her life savings to a scammer posing as an investigator from the Royal Canadian Mounted Police, the CBC reports. The scammer called Baker and told her the police had found an abandoned car rented in her name. Inside the car, he said, was ten kilograms of cocaine and blood residue on the seats.

The caller informed Baker that her Social Insurance Number (SIN) had been compromised and she would have to get a new one.

Baker had heard of this type of scam before, but she became convinced after the caller hung up and called her back with the RCMP’s caller ID. The scammer told Baker to transfer all her savings to gift cards in order to keep her money safe throughout the process. He kept her on the line for four and a half hours while she spent $4,000 on gift cards.

During this time, the caller repeatedly told Baker not to tell anyone else or she could be implicated in the investigation. Baker didn’t realize she had been scammed until the next day, when the man failed to call her back.

Jeff Thomson, a senior RCMP intelligence analyst with the Canadian Anti-Fraud Centre, told the CBC that caller ID shouldn’t be trusted since it can easily be spoofed. He added that people should pay attention to how the caller acts and what they ask for in order to identify a scam.

“The government's never going to call you and threaten you into sending money, they're not going to ask for your personal information over the phone in an unsolicited fashion, in an alarming, scary fashion,” Thomson said.

Knowing how to identify the fundamentals of social engineering can protect you against scams. If someone acts threatening, tells you not to tell anyone what’s going on, or asks you to do anything involving gift cards, you should hang up the phone. The CBC has the story:
https://www.cbc.ca/news/canada/ottawa/sin-scam-fraud-1.5378917
Get Your Hands on KnowBe4's Important 2020 Security Threats and Trends Survey Results *First*

Once a year, KnowBe4 runs its Security Threats and Trends Survey. We’re polling IT and Security executives, administrators and professionals like yourself on what technology and business issues you consider your organization's biggest security threats and challenges over the next 12 months. These include phishing scams, CEO fraud, ransomware, malware and targeted hacks.

It will take you 5 minutes tops. As a reward, you get the results first, which will allow you to compare yourself with your peers. It's multiple choice with one essay question. ALL responses are confidential.

Anyone who completes the survey and includes their Email address in the essay question along with a comment gets a complimentary copy of the Executive Summary and the accompanying PowerPoint presentation of the survey results. The person who provides us with the best essay comment will win a USD 100 Amazon gift card.

Here's the link to the new 2020 survey. Thanks in advance for participating!
https://www.surveymonkey.com/r/SY9BDLQ
What KnowBe4 Customers Say

"Thank you so much for getting that to me so quickly! WE ❤ your product! I was telling Stu before I left that we have gone from 29% to 1.4% PhishProne in a year! People are paying attention and learning from the every-other-month training campaigns and the monthly exercises!"
- B.T., Technology Services Manager
The 10 Interesting News Items This Week
    1. Exploited Android flaw 'StrandHogg' allows phishing, malicious permissions:
      https://www.scmagazine.com/home/security-news/vulnerabilities/exploited-android-flaw-strandhogg-enables-phishing-overlays-malicious-permissions/

    2. CISA Pushing U.S. Agencies to Adopt Vulnerability Disclosure Policies:
      https://threatpost.com/cisa-us-agencies-vulnerability-disclosure-policies/150718/

    3. Merck cyberattack’s $1.3 billion question: Was it an act of war?:
      https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war

    4. A Decade of Hacking. Enlightening and useful. Review of the most important and noteworthy security debacles:
      https://www.zdnet.com/article/a-decade-of-hacking-the-most-notable-cyber-security-events-of-the-2010s/

    5. DHS official briefs senators on state ransomware threats in classified meeting:
      https://www.cyberscoop.com/dhs-senators-classified-ransomware-briefing/

    6. 44 million Microsoft users reused passwords in the first three months of 2019:
      https://www.zdnet.com/article/44-million-microsoft-users-reused-passwords-in-the-first-three-months-of-2019/

    7. ESG Data Discussed: 63% of workers report using the same password for multiple work devices and/or applications:
      https://www.esg-global.com/data-point-of-the-week-12-02-19?

    8. CNBC Interview: Who's Tracking You Online. Featuring Kevin Mitnick:
      https://www.cnbc.com/video/2019/12/05/whos-tracking-you-online.html?&qsearchterm=kevin%20mitnick

    9. Meet PyXie: A Nefarious New Python RAT:
      https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html

    10. Smith & Wesson Web Site Hacked to Steal Customer Payment Info:
      https://www.bleepingcomputer.com/news/security/smith-and-wesson-web-site-hacked-to-steal-customer-payment-info/
Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
    • And here is your new 4K Virtual Vacation: See Venice before it's totally under water; Time lapse and high speed trip:
      https://youtu.be/1_5n1EfcWyM

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2019 KnowBe4, Inc. All rights reserved.


