Thinking Skeptically About Smishing

Organizations need to train their employees to be on the lookout for SMS phishing (smishing), according to Jennifer Bosavage at Dark Reading. Bosavage explains that attackers exploit normal human behavior to gain access or information from employees.

“Cyberattackers leverage the way people typically respond to certain social situations to trick them into disclosing sensitive information about themselves, their businesses, or their computer systems,” Bosavage writes. “Even the smallest amount of data can be useful to hackers who are trying to complete a profile that will enable them to get access to credit, banking, and other sensitive information. So the first line of defense is to train employees to recognize their telltale but often subtle signs, as well as how their information can be used in a social engineering attack.”

Bosavage quotes April Wright, a security consultant at, as saying that attackers can easily obtain open-source information to make their phishing messages appear legitimate.

“With both smishing and vishing, the source may have some information that makes them seem credible – names of co-workers, a boss’ name, phone numbers, department names, etc.,” Wright said. “These are the seemingly trivial information they have gained via intelligence gathering, [smishing], phishing, or vishing. The most important thing we can do is verify.”

Wright added that employees need to have a healthy sense of suspicion in order to recognize these scams.

“We need to realize that not everyone is good and be on the lookout for questions people don’t normally ask, for that feeling when ‘something isn’t right,’” Wright said. “That feeling has kept humans alive and safe for hundreds of thousands of years, and we should listen to it. It’s there to alert us to danger.”

New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees how to avoid falling for these attacks.


Phishing Links Sent Via Legitimate Google Drive Notifications

Scammers are abusing a Google Drive feature to send phishing links in automated email notifications from Google, WIRED reports. By mentioning a Google user in a Drive document, the scammers can cause Google to generate a notification that will be sent straight to the user’s inbox, bypassing spam filters.

“The smartest part of the scam is that the emails and notifications it generates come directly from Google,” WIRED explains. “On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document. If tapped, the notification takes you directly to a document that contains a very large, tempting link. An email notification created by the scam, which also comes from Google, also contains a potentially malicious link. Unlike regular spam, which Gmail does a pretty good job of filtering out, this message not only makes it into your inbox, it gets an added layer of legitimacy by coming from Google itself.”

WIRED says this technique has been observed frequently over the past few weeks, so users should be on the lookout.

“The scammers are working their way through a huge list of Gmail accounts, with scores of people reporting similar versions of the attack in recent weeks,” WIRED says.

Google said it’s working on new ways to detect malicious activity, but David Emm, a principal security researcher at Kaspersky, told WIRED that this could be a challenge.

“It’s difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create,” Emm said. “Avoid clicking on unsolicited links of any kind when sent from unknown sources. If you weren’t expecting to receive it and don’t know the sender, don’t respond.”

In this case, the messages are clumsily written and would make many users suspicious. However, a more talented attacker could easily craft a much more convincing scam using this method. This attack is particularly insidious in the organizational context, where co-workers commonly share their work product using Google Docs. New-school security awareness training can help your employees avoid falling for new and unexpected phishing techniques.
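The point above is that the usual sender checks pass because the notification really does come from Google, so the link destination is the signal left to inspect. As an added example (not code from WIRED, Google or KnowBe4), this Python snippet pulls every hyperlink out of a notification email and reports the ones that leave Google’s domains; the sample message, the sender address and the document ID are constructed for the demo.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a Drive "mentioned you" notification whose comment text
# carries an external link. The sender address is assumed for the demo.
SAMPLE_NOTIFICATION = """\
From: "someone (Google Drive)" <comments-noreply@docs.google.com>
To: employee@example.com
Subject: someone mentioned you in "Invoice"
Content-Type: text/html; charset=utf-8

<html><body>
<p>someone@gmail.com mentioned you in
<a href="https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit">Invoice</a></p>
<p>"Your payment is ready:
<a href="http://prize-claim.example/login">CLICK HERE TO CLAIM</a>"</p>
</body></html>
"""

# Hosts treated as Google's own; anything else is reported for review.
TRUSTED_SUFFIXES = ("google.com", "googleusercontent.com")


class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def is_trusted_host(host):
    """True only for an exact trusted domain or a real subdomain of it.

    A plain substring/endswith test would accept "evil-google.com",
    so the dot boundary is checked explicitly.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def extract_links(raw_email):
    """Parse the message and return every href in its HTML parts."""
    msg = message_from_string(raw_email)
    parts = msg.walk() if msg.is_multipart() else [msg]
    collector = _LinkCollector()
    for part in parts:
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            collector.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return collector.links


def suspicious_links(raw_email):
    """Return links that point outside Google, regardless of who sent the mail."""
    flagged = []
    for link in extract_links(raw_email):
        parsed = urlparse(link)
        # Only web links matter here; mailto:/tel: are skipped.
        if parsed.scheme not in ("http", "https"):
            continue
        if not is_trusted_host(parsed.hostname):
            flagged.append(link)
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_NOTIFICATION):
        print("external link in Google notification:", link)
```

A legitimate Drive notification can still carry an external link that a co-worker pasted, so treat a hit as a prompt for user review rather than an automatic block.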


6 Lessons I Learned from Hacking 130 MFA Solutions

I was fortunate enough to write Wiley’s Hacking Multifactor Authentication. It’s nearly 600-pages dedicated to showing attacks against various multi-factor authentication (MFA) solutions and how to prevent them. It picks MFA winners and losers and contains a framework and checklist to help anyone pick the right MFA solution for themselves and their organization.

I’ve been lucky enough to be hired to hack many different MFA solutions over my 30-plus-year computer security career. I’ve created fake fingerprints, taken pictures of irises, and hacked a ton of physical MFA devices. I once hacked over 20 different fingerprint readers as part of one project alone. As part of the book, I reviewed dozens of different MFA solutions and looked at over 130 products (they are listed in the Appendix). To be clear, I didn’t physically hack 130 different MFA solutions, but I did review what they did, how they worked, and was able to rely on my 30 years of experience in determining whether I could likely hack them or not. Along the way, I’ve learned a few key lessons, including:

You Can’t Use MFA in Most Places

Whenever I read that passwords are going away and will soon be replaced by something else, usually MFA, I want to laugh. In what world? Passwords work with likely 99% of most authentication-protected websites. I’m not sure what percentage really. I’m just making up the 99% figure. But passwords have been around with us and used with different websites, services, and applications for decades. Passwords are easily the most commonly accepted form of authentication. Kids as young as two have no problem using a login name and password. Even most websites and services that accept MFA still also accept passwords, used by themselves, as valid authentication.

The converse is not true. In comparison, MFA is hardly accepted anywhere. Again, I don’t know the real percentages, but MFA likely doesn’t work on 1% of the world’s websites, services, and applications. The average person has over 170 websites/services they login to, plus many more applications. Most of those don’t accept MFA. Some do. Most don’t.

What I’ve learned is that when you go to pick an MFA solution that’s right for you or your organization, step one is to figure out what websites/services and applications you want to protect by MFA, and then figure out which MFA solutions can actually protect those sites and applications. Unless you are unusually homogenous for an organization (say for example, run nothing but Google applications), you’ll have a hard time finding a single MFA solution that protects everything you want protected. Usually, you’ll end up with one of three answers to solve the misalignment:

  • Select a smaller set of things you want to protect with a single MFA solution
  • Select multiple MFA solutions, each protecting a subset of what you want to protect
  • Select a single-sign-on (SSO) solution that can protect everything you want to protect, which puts an MFA login shell around them

In most cases, you’ll end up selecting two or more of these answers. There just isn’t a single MFA solution that covers even a moderate percentage of the world. Pick the most popular solutions (e.g., Google Authenticator, FIDO, RSA SecurID, Yubico, Microsoft Authenticator, Okta, Duo, WatchGuard, etc.), and you’ll not find any of them that work with much of the Internet.

They may cover thousands or even hundreds of thousands of websites and services, but the Internet is a very big place with hundreds of millions of web sites and there are hundreds of millions of applications. Unless you code every application and site yourself or buy them from one vendor, you’re going to be making trade-offs.

The reality today is that most of us are ending up with one or more MFA solutions plus a bunch of passwords. Most of us have one MFA solution that works with some of the stuff we have at work, others that work with our personal sites and services (e.g. social media, banking, stock accounts, etc.). And many dozens of passwords. Welcome to the real world! Every time I hear someone say that passwords are going away, I want to buy stock in a password manager vendor.

All Can Be Hacked

A lot of attendees of my 12 Ways to Hack MFA webinars are shocked when I say all MFA solutions, even the ones they love the best, can be hacked! I’m surprised at their surprise reactions. Nothing is unhackable. Nothing. And that includes any MFA solution.

There are certainly some solutions which are less hackable than others, but I can hack any MFA solution at least a handful of different ways, many of which have nothing to do with the vendor or their implementation. I can attack things, like DNS, or use an electron microscope to find secret encryption keys stored on memory chips, that the vendor has no control over. I can hack most MFA solutions over five ways and hack many of them over a dozen ways. If you want the specifics, read my book.

With that said, I did write an earlier, free 41-page ebook. I think it only has 18 ways I can hack MFA (my book has over 50), but they are most of the major ways. We also made a cool, free Multifactor Authentication Security Assessment tool. It asks you a dozen or so questions to determine how your MFA solution works and then it spits out a big report that explains all the ways my brain could hack your submitted MFA solution. This tool was written when I only knew a few dozen ways (and not over 50 like I know today), but it will give you a very good sense of what is possible, hacking-wise, against your submitted MFA solution. But to be clear, every MFA solution can be hacked, and that is to be expected.

KnowBe4 has plenty of other related free content and resources, including KnowBe4’s Multifactor Authentication web portal at:

Some MFA Solutions Are Less Hackable Than Others

With that said, some MFA solutions are less hackable than others. Most of your very popular solutions, some of which I mentioned above, are well-designed and constructed. The vendor’s attention to detail and focus make their solutions better than some solution you’ve never heard of. They have the money to hire the best people and teams to design good solutions.

Unfortunately, the vast majority of MFA offerings are fly-by-night offerings, created by one to a few people, with almost no financial support. Most solutions are looking for their first major customer. Many of these smaller offerings are created by very smart people with the best of intentions, but without deep pockets that a steady, incoming, revenue stream provides, it can be hard for them to provide a great all-around solution. With little money, usually one or more things has to suffer.

But more than popularity and size determines the robustness of security. Most of the time, the overall design, dependencies, and framework determine what can and can’t be done against a particular solution. After reviewing over 130 solutions, here are the types of solutions and features that I thought provided adequate to above average security protection:

  • FIDO2-compliant MFA devices
  • Push-based phone applications
  • Open Authentication (OATH) solutions
  • Solutions using Dynamic Symmetric Key Provisioning Protocol (DSKPP), aka RFC 6063 (

And solutions and features I did not like so much:

  • Any SMS-based solution
  • Biometrics, especially single-factor biometrics
  • Single-factor authentication tokens
  • Solutions with unknown or proprietary cryptography
  • Solutions with personal knowledge-based questions for recovery
  • Connect-the-dot type solutions
  • Solutions coded by developers without security design lifecycle (SDL) concepts

I’m sure I’ve offended half the vendors reading this article. This is just my opinion from 33 years of looking at and hacking MFA solutions. Your mileage will vary. And most of the time, even a “weaker” MFA solution can provide benefits over simple login name/password solutions. But not always, even then. There are solutions that I think are worse than just login name/password solutions, and that includes 1FA (single factor) devices that you simply plug into your computer (lose it and the finder essentially gets your identity). I’m especially not a big fan of biometrics used in remote office scenarios. That’s just asking for trouble.

Over-Engineered Solutions

There are also plenty of MFA solutions which, in an attempt to be very secure, go overboard. There is this false impression that many MFA developers have that the world doesn’t have secure-enough MFA solutions, and that is just what the world needs and wants – a four- to 10-factor MFA solution. I have reviewed many MFA solutions that have four or more factors and require people to do manual code lookups or even solve a math problem to login. I’ve got news for those developers – the world will not be beating a path to your door. MFA users want the least amount of “user friction” to be secure and do their job, and a four- or more factor solution is just overkill. Users don’t want a four-factor solution to login to work, much less go on Amazon.

Education is Crucial

Every MFA solution can be hacked, some by a regular-looking phishing email. But most administrators and users don’t understand that fact. Many believe that using MFA makes them far less likely to be successfully hacked. And that is true for many hacking scenarios. For example, if a hacker sends you a phishing email asking for your password and you’re using MFA and don’t have a password, well obviously, that scam isn’t going to work.

But MFA only prevents certain types of authentication hacking scenarios and not even all authentication hacking. It certainly doesn’t stop the vast majority of hacking attacks. More specifically, if an attacker learns that you are using MFA, he/she can construct or use attacks that are likely to be successful against them if the user isn’t aware of the risks.

That’s why it is crucial that all involved (e.g., management, admin, users, help desk, etc.) be educated about the types of attacks and what could be successful against their particular MFA solution. An informed user is a safer user. Users who are unaware of the risks are more likely to fall for those types of scams and hacks. We let end users know about the risks of and types of attacks against their password. We just have to do the same thing, even if they are using MFA. MFA doesn’t change the need for users to be aware of the threats and risks they face, no matter how they authenticate.


Unfortunate Learning Lessons from Clicking on a Suspicious Phishing Email

Israeli news source YNet released a story about a woman who clicked on a suspicious phishing link, was fired from her job, and was accused of fraud with a criminal indictment.

Below is the example of the email the woman received:

[Screenshot of the phishing email the woman received]

From the email address to the body text, the email was already looking suspicious. While anyone could fall for a malicious attack, this woman made the unfortunate mistake of clicking on the link. She was then fired from her company right after the incident and was arrested by The Israel Police and the State Attorney’s Office. Fortunately, thanks to a judge the outcome would not be negative, but the situation itself could have easily been avoided.

When asked how often is it that an employee who clicked on a phishing link was fired and charged, Ido Naor, a cyber expert and CEO of Security Joes, explains: “Very rare. I was very surprised by the arrogance of the company, to blame an employee for a cyber operation. The responsibility falls on the company and the computer people in the company. If they had run two-stage authentication it would not have happened. And the activity of the burglars.”

With that said, it’s important to have the following takeaways when you receive a suspicious email:

  • Double Check the Sender: It’s important to make sure any email you receive is from a reliable source or a someone that you know.
  • Don’t Click on any Unknown Attachments: Be mindful of any attachments that are sent to you, especially if the attachment is from someone you do not know.
  • Utilize Multi-Factor Authentication (MFA): It’s not the only measure you should take and you could still potentially get hacked with MFA. However, implementing MFA and a password management system can make it more difficult for the bad guys to infiltrate your network.

Frequent phishing security tests could have prevented this situation from occurring. That’s why new-school security awareness training can ensure your users are always prepared with the tools needed to report any suspicious activity to your security team.


Cannabis Company GrowDiaries Suffers Data Breach of 3.4 Million Users

A recent report from SiliconANGLE released information that cannabis company GrowDiaries suffered a data breach with details of 3.4 million users being exposed online.

The data breach incident was first discovered by security researcher Bob Diachenko on LinkedIn but was indexed by search engine BinaryEdge on September 22nd. The database was not taken down until almost a month later. The data exposure was on an unsecured database that had no passwords. This data includes email addresses, IP addresses, usernames, MD5-hashed passwords, and image URLs.

GrowDiaries confirmed the database exposure but has not disclosed whether user details have been made available from unwanted third parties.

“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks,” Dr. Vinay Sridhara, chief technology officer of security posture firm Balbix Inc., told SiliconANGLE.

This data breach was a major learning lesson to make sure that all of your organizational databases are secure. This breach could also be a gold mine for the bad guys to use this information for future planned social engineering attacks if this information is available on the dark web.


Learn to Combat These Three Cybersecurity Monsters This Halloween and Beyond

It’s that time of year again. The air feels a bit crisper; the days are a bit shorter; and children around the world prepare to go trick or treating. Even as an adult, Halloween is probably my favorite holiday. I love seeing and thinking about monsters and things that lurk in the shadows… maybe – just maybe – that’s what drew me to a career in cybersecurity.

As we ponder the horrors of the night, I can’t help but draw a few comparisons between current cyber threats and the monsters we all know and love. Here are three critical cybersecurity monsters to be on the hunt for this Halloween and beyond.


Our first category of monster is the vampire—the cybersecurity bloodsucker. No, not the vendor community. I’m referring to cybercriminals who launch phishing and social engineering attacks.

Phishing and social engineering attacks peel back the thin veneer of control we like to believe we have over our actions. Like a vampire wielding hypnotic control over a soon-to-be victim, social engineers know just how to exploit our very human nature against us. And – before we know it – we’ve fallen victim to that dark power. We’ve clicked a malicious link, entered our login credentials into a fake website, downloaded a malicious attachment, or handed over information that should have been protected. Vampires are masters at stripping away a victim’s self-control so they can sink their teeth into an organization’s lifeblood – its data.

Defenders tip: Vampires hate the light, are driven back by symbols of protection, and can be killed by a stake to the heart. Protect your employees and organization by shining a light on social engineering schemes. Talk about current scams and train your employees to battle vampires. Teach them to fight off vampiric attacks by sending them frequent simulated phishing tests. This gives your employees a chance to learn how to slay the vampires by reporting suspected phishing emails… a stake to the heart!

Give users an easy way to report: Get Your Free Phish Alert Button >>


The next category of monster in our cybersecurity horror safari is the werewolf. Cybersecurity werewolves are negligent or malicious employees.

This is the classic “insider threat”: employees who blend in with all their coworkers most of the time, but can transform into serious threats under the right conditions. These employees may have been bitten by dark outside forces; they transform into threats when the moon calls. These vicious werewolves savage organizational data, ransack systems, and leave destruction in their wake.

More frequently, however, cybersecurity werewolves are truly mild-mannered employees who haven’t been overtly tainted by dark forces. But their transformation happens when they are under extreme stress, in a hurry, or are clowning around. Even though negligent werewolves may have somewhat innocent motives, it’s important to realize that their effects are still devastating. And one scratch from even these mild-mannered werewolves can infect your employee population.

Defenders tip: Werewolves can be hard to spot since they are usually only in their human form. However, you may be able to detect potential werewolves through blood tests; well… not really. In this case, you conduct “blood testing” through frequent background checks for employees in key areas. Also consider investing in and deploying employee monitoring software to the extent permitted by local regulations. And what about the more innocent, negligent werewolves? Train them constantly so that they are more likely to reflect the behaviors you want and are more likely to stay loyal.

Browse the world’s largest library of security awareness training content: Start Your Preview Now >>


And what survey of monster madness would be complete without a horde of zombies? Zombies are fascinating because they are lifeless and yet slog along. They represent damage, decay, corruption, and a festering of what was once pure. They rampage, kill, and feast on… brains.

Yep – you guessed it – the cybersecurity equivalent of a zombie infestation is today’s plague of disinformation, misinformation, and fake news. Disinformation is the intentional injection of corruption (falsehoods) into the world. Mad scientist disinformation agents want to infect the general population with a scourge of corruption. And they want their initial zombie population to scratch, bite, and otherwise ravage others, allowing the corruption to spread in the form of misinformation (the unknowing/unintentional spread of disinformation). Zombie plagues tend to quickly spread well beyond the confines of any border or boundary. And, before you know it, there is a vast army of zombies as far as the eye can see, moving slowly and somehow shockingly fast at the same time—like a horde of sickening stop-motion marionettes. They want our brains.

Defenders tip: It’s important to remember that zombies are victims. They may be snarling at us, wanting to infect us, and eat our brains. But that’s only because they were infected by others spreading the disinformation/misinformation virus. The best thing you can do is to remain uninfected and fight for a vaccine. We combat falsehoods with truth. And we bring empathy and compassion to this very human problem. When’s the last time you had a real conversation with a zombie?

Stay informed: Watch the Global Disinformation webinar series >>


Let’s face it. The world is a scary place. The monsters are out there. But that’s why we’re here. We all became cybersecurity professionals to fight for a better world; to protect our organizations, our families, and our future. Now let’s get out there and fight.


Phishing Attacks Can Come from an Unlimited Number of Trusted Phishing Sites Thanks to Google App Engine

Scammers are taking advantage of Google’s Trust Service Verification and the way their App Engine creates unique URLs to host trusted landing pages used in phishing scams.

Every phishing scammer that needs a website to take their victim to complete the scam, or to host a command-and-control server to complete an attack, needs that site to be one that security solutions will allow.

It’s one of the reasons some cybercriminals choose to compromise and infect websites owned by legitimate companies, while others choose to create malicious apps hosted with cloud providers like Azure and Google.

Traditionally, once a domain or subdomain has been identified as being malicious by a security solution, it’s game over for the bad guy. The challenge with blocking URLs built using Google’s App Engine is how Google App Engine (hosted on creates the URL names.

Today, the URLs use the following subdomain nomenclature:

Note how values such as version and project ID could vary over time or simply be purposely updated to generate hundreds or even thousands of identical malicious webpages, as was the case when security engineer Yusuke Osumi found over 2000 URLs that all pointed to the same fake Office 365 logon page.

Keep in mind, again, because these are running on Google’s own, which is a Google Trusted domain, the pages created under this domain are trusted by everyone and every solution.

That’s bad.

This checked the “it’s ok” box for just about every security solution, so it’s up to your users to act as a line of defense, scrutinizing URLs when being sent to what should be a known website. Users that enroll in Security Awareness Training are taught to always be skeptical of web links, requests for credentials, and other common tricks used as part of a phishing scam. Since Google App Engine isn’t doing you any favors, it’s time to do one for yourself with Security Awareness Training.


Don’t Neglect the Threat of Vishing

People need to help raise awareness about voice phishing scams, or vishing, according to Paul Ducklin at Naked Security. While phone scams have been around for years, they remain effective and people continue to fall for them. Someone who would be suspicious of an unexpected email might be more trusting when there’s a human voice at the other end of the line.

“Never let yourself get suckered, surprised, or seduced into taking any direct action on the basis of a phone call you weren’t expecting from a person whose voice you don’t recognise with certainty,” Ducklin writes. “It doesn’t matter where the call claims to originate. Anyone can say they are from your bank, a hospital, the tax agency, a coronavirus track-and-trace service, the local police station, or the lottery company. Whether the caller is giving you bad news or good, you have no way of verifying anything that’s said to you from information offered up in the call itself.”

Ducklin adds that when you receive an unsolicited phone call from someone asking for information or trying to get you to do something, you should hang up and call the organization that the caller claimed to work for.

“Whether you are worried about a fraudulent transaction, scared about a tax problem, or excited about what could be a lottery win, here’s what to do: find a number to call back by yourself, using contact information you already have on record,” Ducklin says. “Your last tax return should have a tax office contact number on it; your credit card should have a fraud reporting number on the back; most hospitals have a central contact number that can be double-checked online; and so on. Never rely on information read out to you in a call, or sent in an email, or delivered via SMS, as a way of deciding whether to believe the message or the call.”

New-school security awareness training can teach your employees about social engineering techniques so they can avoid falling for these tricks.


Couple Avoids Becoming a Victim to Publishers Clearing House Scam

An elderly couple in Tennessee avoided falling victim to a scam by recognizing the signs of social engineering, WREG reports. Kay and Bill Pritchett received six different phone calls from a scammer claiming to be from Publishers Clearing House. The scammer told Bill that he had won a runner-up prize.

“He said you have won a million and a half dollars,” Bill said. “I thought wow, too. He said you have won a 2020 Mercedes automobile. The only problem with that is we only have three colors left. I can see where someone would fall for this. With COVID and people hurting for money and all that. He said, by the way, he also said you get 3,000 dollars a week for life.”

Notably, the scammer didn’t ask them for money. Instead, he instructed Bill to set up a new checking account.

“He wanted me to go to my bank and open a checking account in my name,” Bill said. “He stressed right then, don’t put any money in it. And, get a photocopy of your identification so we can verify that it is you.”

Fortunately, Bill and Kay knew this would set them up for identity theft and they refused to comply, despite the scammer calling them repeatedly. Even so, the couple said this scammer was more persuasive than others they had encountered, since it was a real person on the line.

“The thing about him was he was good at what he done,” Bill said. “He was a salesman.”

WREG notes that Publishers Clearing House doesn’t call winners ahead of time and won’t ask for personal or financial information. Kay pointed out that scammers take advantage of people’s emotions to get them to act against their better judgement.

“You want to make money; you want something free,” Kay said. “It’s like playing scratch tickets, you want that money, right now. So it is tempting to do it.”

While Kay and Bill avoided falling for the scam, the couple decided to share their story to help other people be vigilant.

“You get senior citizens like us, even young people, fall for stuff like this all the time,” Kay said.

New-school security awareness training can help your employees defend themselves against scams in their personal and professional lives.


Remote Workers Disregard Security Awareness Training

According to new research from Mimecast, remote workers are increasingly putting their organizations at risk by failing to follow security awareness training best practices.

Mimecast polled 1000 global respondents working from corporate workstations to compile the latest report, Company-issued computers: What are employees really doing with them?

The report found a lot of risky behavior. For example, 73% of respondents frequently use their company-issued device for personal matters such as checking webmail (47%), carrying out financial transactions (38%) and online shopping (35%).

It also revealed that, although most (96%) of the respondents said they were aware of the repercussions of clicking through on malicious phishing links, nearly half (45%) open emails they consider to be suspicious.

This is despite the fact that 64% claimed to have received special security training to equip them better for the new normal of working from home. Nearly half (45%) also admitted to not reporting such emails to their IT security teams.

“Employees need to be engaged, and training needs to be short, visual, relevant and include humor to make the message resonate. Awareness training can’t be just another check-the-box activity if you want a security conscious organization.”

As organizations continue to work in a remote environment, it’s important to implement frequent phishing tests to ensure your users are always aware of the latest attacks.