Security Awareness Training Blog

Keeping You Informed. Keeping You Aware.

Bad News: Your Antivirus Detection Rates Have Dramatically Declined In 12 Months

We all had the nagging suspicion that antivirus is not cutting it anymore, but the following numbers confirm your intuition. I have not seen more powerful ammo for the IT security budget to transform your employees into an effective "last line of defense": a human firewall.

Russians Breach US Grid? Nah, Someone Fell For Social Engineering And Enabled Macros

Breathlessly, the Washington Post reports that the Russian Grizzly Steppe malware was found within the system of a Vermont power utility. 

Nah, they just dodged a bullet. This time someone fell for a social engineering ruse: opened an email, opened the attachment, and then enabled macros, all on a laptop that was not connected to the grid. It's a bad security awareness fail, but no real damage done. Yet. Because a compromised machine that later bridges into the control network is similar to how Natanz was penetrated by Stuxnet.

AI-powered ransomware is coming, and it's going to be terrifying

Business Insider started an article with the following: "Imagine you've got a meeting with a client, and shortly before you leave, they send you over a confirmation and a map with directions to where you're planning to meet. It all looks normal — but the entire message was actually written by a piece of smart malware mimicking the client's email mannerisms, with a virus attached to the map."

Scam Of The Week: Illegal Game of Thrones Download

Illegally downloading television shows and movies from torrent websites happens all the time, and the HBO series "Game of Thrones" is, not surprisingly, the most downloaded of all.

This Scam Of The Week warns against phishing emails that look like a notice from IP-Echelon, the company that sends copyright infringement notices to ISPs on behalf of rights holders such as HBO.

The twist in this case is that the phishing email is made to look as if it was forwarded to the victim directly by their own current Internet Service Provider, which is exactly how a genuine IP-Echelon notice would arrive.

Wow, the bad guys are moving fast with CEO Fraud!

KnowBe4 is expanding fast; we now have 120 employees, and we just hired a new controller in late May to help out our very busy CFO. Part of the KnowBe4 onboarding is getting through our internal training line-up and then updating your LinkedIn profile, so that happened in the last few weeks.

So guess what: Camille walks up to me and asks, "Did you need me for anything? Did you send me an email?" I'm looking at her somewhat puzzled and say, "No?" She answers, "In that case I just got spoofed."

[INFOGRAPHIC] Don't Be The Victim Of A Cyberheist

We have created a new infographic for your users, as part of your ongoing security awareness program. It offers a few good reminders on how to stay safe online and keeps their awareness at the appropriate level... HIGH!

American Chamber Of Commerce Scam Is Spear-phishing Prep

You may be aware of Steven Weisman, Esq. He writes a great daily blog called Scamicide, and is a nationally recognized identity theft expert, experienced university lecturer, proven lawyer specializing in elder law, and a seasoned author of nine books pertaining to identity theft, scams and financial planning.

Half Of Your Users Are Now Spear Phishing Targets

In a presentation at the Intelligence & National Security Summit, Bill Evanina, Director of the National Counterintelligence and Security Center (NCSC) announced "There have been just over 500 breaches so far this year, some of which made the news, and 47 percent of adult Americans have been the victim of a breach in the last three years."

US Counter-Intel Czar Warns Hack Victims Against Spear Phishing

WASHINGTON–In a presentation at the Intelligence & National Security Summit, the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches.

Called Know the Risk, Raise Your Shield, the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people not to click on links in unsolicited emails.

"There have been just over 500 breaches so far this year, some of which made the news," said NCSC Director Bill Evanina. "And 47 percent of adult Americans have been the victim of a breach in the last three years. That data is an opportunity for criminals, but it's also allowed foreign intelligence to collect information about government employees, contractors, and their families."

The Office of Personnel Management breach alone, he said, had exposed at last count the data of over 22 million people, including some who had merely applied for government employment or contract work in the last 10 years. "That puts them in a vulnerability bracket they've never been in before," Evanina said.

As part of a response to the breach, in addition to the credit protection and other measures being offered to victims by the OPM, the NCSC is trying to prevent even further breaches that use information gleaned from OPM background investigation records and other data.

Pentagon Top Brass Spear-phished

The Pentagon divulged that its computer networks were penetrated by suspected Russian hackers using spear-phishing.

The hackers got into the unclassified email network used by the Joint Chiefs of Staff office, which serves around 4,000 military and civilian employees. The Pentagon shut down the network once the attack was detected to stop additional data from leaking out.

The incident response team suggested that a state-sponsored hacking group, likely Russian, was responsible, based on the level of sophistication. This email hack is very similar to the successful hack of the unclassified email systems at the White House and State Department last year.

The attack against the network began around July 25 against the Joint Staff, which includes the chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, and other senior officers. It prompted the Pentagon to shut down the server for the Joint Staff’s roughly 4,200 unclassified email accounts.

The hackers came in through a spear-phishing attack, in which the attacker crafts a targeted email designed to trick the recipient into opening an attachment carrying a malware payload. Even on an unclassified network, especially at the most senior levels of the Pentagon, emails can be extremely sensitive and offer details about planning, schedules or personnel.
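The two red flags that recur in the posts above are a spoofed sender (the "forwarded by your own ISP" copyright notice) and an attachment that carries VBA macros (the Vermont utility laptop). The following triage script, an added example that is not KnowBe4's code, shows how a mail gateway or IR analyst can catch both on an inbound message using only the Python standard library. The sample message, the domains in it and the placeholder VBA project are all constructed for the example; the From/Return-Path comparison is a deliberately simple stand-in for the SPF/DKIM/DMARC results a real gateway would consult.

```python
"""Triage an inbound email for a spoofed sender and macro-capable attachments.
Added example, not KnowBe4's code; the sample message below is constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Office Open XML documents are zip archives; a VBA project is stored under this name.
VBA_PART = "word/vbaProject.bin"
# Extensions that declare macro support up front.
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
# Legacy binary Office files (.doc/.xls) are OLE containers that may hold macros.
LEGACY_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def domain_of(addr):
    """Return the lowercase domain of an RFC 5322 address, or '' if there is none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def sender_mismatch(msg):
    """True when the displayed From domain differs from the envelope Return-Path
    domain, a common sign that a notice 'from your ISP' was actually spoofed."""
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    return bool(from_dom and rp_dom and from_dom != rp_dom)


def has_vba_project(data):
    """Look inside an OOXML attachment (a zip) for an embedded VBA project,
    which catches macros even when the file was renamed to a harmless .docx."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def macro_attachments(msg):
    """Return the filenames of attachments that carry, or can carry, VBA macros."""
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if (name.endswith(MACRO_EXTENSIONS) or has_vba_project(data)
                or data.startswith(LEGACY_OLE_MAGIC)):
            flagged.append(part.get_filename())
    return flagged


def triage(raw):
    """Parse a raw RFC 5322 message and report both red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"spoofed_sender": sender_mismatch(msg),
            "macro_attachments": macro_attachments(msg)}


def build_sample():
    """Constructed sample: a fake 'forwarded copyright notice' whose attachment is
    named .docx but contains a VBA project (placeholder bytes, not real macros)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(VBA_PART, b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "Abuse Desk <abuse@example-isp.net>"      # hypothetical ISP domain
    msg["Return-Path"] = "<bounce@attacker.example>"        # hypothetical sender domain
    msg["To"] = "subscriber@example.com"
    msg["Subject"] = "FW: Notice of copyright infringement"
    msg.set_content("Open the attached notice and enable editing to view it.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Notice_of_Claimed_Infringement.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run as a script it reports the constructed message as both spoofed and macro-bearing. The zip inspection is the part worth keeping: the user who "enabled macros" in the Vermont case was prompted because the document contained a VBA project, and that prompt does not depend on the file's extension, so neither should the detection.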

"If you are able to get all that information from three or four individuals’ emails or communication, you have an entire picture of what’s been worked on the classified side,” said Andre McGregor, a former cyber special agent at the Federal Bureau of Investigation who is now director of security at Tanium, a cybersecurity firm.
