Number of Ransomware Victim Organizations Nearly Doubles in March

New data shows a resurgence in successful ransomware attacks with organizations in specific industries, countries and revenue bands being the target.

While every organization should always operate under the premise that it may be a ransomware target on any given day, it’s always good to see industry trends that paint a picture of where cybercriminals are currently focusing their efforts. This gives organizations the ability to either shore up security measures today (if they’re a current target) or shore up security measures today anyway (so they’re ready for when they do become the target).

In third-party risk vendor Black Kite’s 2023 Ransomware Threat Landscape Report, we see some interesting trends around successful ransomware attacks today:

  • March of this year saw 410 ransomware victim organizations – nearly double the 208 seen in April of last year
  • The U.S. dominated as the primary focus, with 1,171 victim organizations representing 43% of the total victims reported; the UK, Germany, France, Italy, and Spain combined made up around 20% of victim orgs
  • The largest group of victim organizations by revenue resided in the $50-60 million range, with the next two groupings in the $40-50 million and $60-70 million ranges, respectively
  • Manufacturing topped the list of industries, with “Professional, Scientific, and Technical Services” coming in second; together they represent nearly 35% of all victim organizations

[Image: Black Kite ransomware victim statistics, 4-7-23]

Source: Black Kite

In summary, it appears that cybercriminals are focused on mid-market, U.S.-based organizations that likely have a material amount of intellectual property and/or sensitive data.

This, of course, doesn’t mean that if you’re not in that specific demographic you’re off the hook; nothing could be further from the truth. The Black Kite data shows where the focus is today. But there’s always a new player looking for a niche victim demographic they can nestle themselves into, making it necessary to shore up all security – including your users’ vigilance against phishing and social engineering attacks via Security Awareness Training.

READ MORE

Blocking Social Engineering by Foreign Bad Actors: The Role of the New Foreign Malign Influence Center

The U.S. government created a new office to block disinformation. The new Foreign Malign Influence Center (FMIC) oversees efforts that span U.S. military, law enforcement, intelligence, and diplomatic agencies.

The FMIC was established on September 23 of last year after Congress approved funding, and is situated within the Office of the Director of National Intelligence. The FMIC has the unique authority to marshal support from all elements of the U.S. intelligence community to monitor and combat foreign influence efforts such as disinformation campaigns.

The growing threat of social engineering by foreign adversaries has become a significant concern. By leveraging digital platforms, hostile actors can manipulate public opinion, foment discord, and undermine democratic institutions. To address this pressing issue, the newly established Foreign Malign Influence Center aims to counter social engineering efforts by foreign bad actors, working to protect our society from this insidious form of cyber warfare.

One of the key aspects of the Center’s strategy is fostering partnerships with like-minded institutions. By building a strong collective defense against social engineering, the organization can ensure that a diverse range of expertise and perspectives contribute to the fight against foreign influence.

Done right, the FMIC has the potential to be a valuable ally in the fight against social engineering by foreign bad actors. However, its success will depend on its ability to work collaboratively with partners, operate within legal and ethical boundaries, and stay focused on the genuine threats to our democratic institutions.

READ MORE

New Survey Reveals Employees are the Attack Surface

A survey by Tanium has found that IT security professionals in the UK say that 64% of avoidable cyber attacks are due to human error, which usually involves falling for phishing attacks. More than half of the respondents said that loss of productivity would be their main concern following a cyber attack.

“The largest number of survey respondents (56 percent) speculate that ‘loss of productivity’ would have the biggest post-breach impact, followed by ‘loss of clients and/or revenue’ (52 percent),” the researchers say. “However, it’s worth noting that these two answers have a mutual association – downtime. Following two years of pandemic disruption, organisations are naturally sensitive to anything that interferes with business as usual.”

The survey also found that the majority of respondents believe that spending money on security defenses is cheaper than sustaining a cyberattack.

“Forward-thinking organisations will already be acting to pay down the technical debt of their legacy systems,” the researchers write. “85% of security pros in our survey admit that ‘it costs more to recover from a cybersecurity incident than to prevent one.’”

Tanium concludes that organizations should invest in a defense-in-depth strategy that includes employee training.

“These statistics highlight that there is ample scope for cyber teams to make improvements in many areas that are under their influence and control,” the researchers write. “As an illustration, almost half of the organisations surveyed (43 percent) said they intend to invest more in ‘employee awareness training.’ This prevention-first approach is one way to reduce vulnerabilities that are often caused by human error or lack of education on cyber matters.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize and thwart social engineering attacks.

CIO has the story.

READ MORE

[HEADS UP] Russian Hacker Group Launches New Spear Phishing Campaign with Targets in US and Europe

The Russia-based hacking group Seaborgium is at it again, with increased spear phishing attacks targeting the US and European countries in the last year.

Last month I wrote about Seaborgium launching a phishing campaign with targets in the UK. Now these threat actors have gone one step further, using fake personas, social media accounts, and academic papers to lure their victims into replying to their phishing emails. They have also widened their net to multiple regions across the globe, with a new focus on the US and additional regions within Europe. Each successful attack lets the threat actor refine their fake profiles to be more convincing and lure future victims.

Journalists are also becoming a target for multiple Russian hacking groups. Since journalists hold sensitive information, they are high-value targets for cyber espionage by Russian state-sponsored groups.

While spear phishing campaigns continue to increase in sophistication, the root cause stems from social engineering. Whether it was specific language in the email or a convincing fake profile, threat actors are refining commonly used social engineering tactics to ensure your users fall victim to their attack.

Thankfully, there are ways to identify if your organization is being targeted. We have several tips for preventing a spear phishing attack from targeting your users:

  • First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. The trick is to make it as hard as possible for the attacker to get through and to not rely on any single security measure to keep your organization safe.
  • Do not publish a list of all employee email addresses on your website; use a web form instead.
  • Regularly scan the Internet for exposed email addresses and/or credentials; you would not be the first to find one of your users’ usernames and passwords on a crime or porn site.
  • Never send out sensitive personal information via email. Be wary if you get an email asking you for this info, and when in doubt, go directly to the source.
  • Enlighten your users about the dangers of oversharing their personal information on social media sites. The more cybercriminals know, the more convincing they can be when crafting spear phishing emails.
  • Users are your last line of defense! They need to be trained using new-school security awareness training and receive frequent simulated phishing emails to keep them on their toes with security top of mind. We provide the world’s largest content library of security awareness training combined with best-in-class pre- and post-simulated phishing testing. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof the training works!

READ MORE

Hackers Work Around ChatGPT Malicious Content Restrictions to Create Phishing Email Content

Active discussions in hacker forums on the dark web showcase how a mixture of the OpenAI API and an automated bot on the Telegram messenger platform can be used to create malicious emails.

It’s good that from the start, the creators of ChatGPT put in content restrictions to keep the popular AI tool from being used for evil purposes. Any blatant request to write an email or create code that will be misused to victimize another person is met with an “I’m sorry, I can’t generate <content requested>” response.

I wrote previously about ways ChatGPT could be misused – as long as the intent for the generated content isn’t divulged to the AI engine. New research from Checkpoint shows a number of examples of dark web discussions about how to bypass restrictions intent on keeping threat actors from using ChatGPT.

In essence, a hacker has created a bot that works within the messenger service Telegram to automate the writing of maliciously-intended emails and malware code.

[Images: dark web forum discussions of the Telegram bot]

Source: Checkpoint

Apparently the API used by the Telegram bot does not have the same restrictions as direct interaction with ChatGPT. The hacker has gone as far as to establish a business model charging $5.50 for every 100 queries, making it inexpensive and easy for anyone wanting a well-written phishing email or a basic piece of malware.

This only means more players can get into the game without the barrier of needing to know how to write well or to code. It also means employees need to be far more vigilant than ever before – something taught with continual Security Awareness Training – scrutinizing every email to be absolutely certain that the content, sender, and intent are legitimate before ever interacting with it.

READ MORE

Spear Phishing Attacks Increase 127% as Use of Impersonation Skyrockets

Impersonation of users, domains, and brands is on the rise, as is the use of malicious links, in response to security vendors improving their ability to detect malicious attachments.

I talk often about the back-and-forth that exists between cybercriminal groups and security vendors. Security solutions improve their detection capabilities, and threat actors work tirelessly to find new ways to evade detection. New data found in GreatHorn’s 2023 State of Email Security report shows that this is exactly what’s been happening in the last 12 months. Let me paint the picture for you – according to the report, in 2022:

  • Microsoft and Google improved their attachment scanning capabilities
  • Spear phishing increased 127%, focusing specific scam themes on specific targets
  • Executive impersonation jumped 344%, making the attack seemingly come from a trusted source
  • 43% of all potentially dangerous emails are now impersonation emails
  • All of the top 20 malicious links used were hosted on compromised domains with positive reputation scores, which bypass native scanning controls such as those used by various Google services

In essence, cybercriminals now realize they can’t really rely on malicious attachments, so they are finding a balance between strong social engineering against targeted victims, the use of impersonation, and the use of legitimate sites to host the malicious payload in this next evolution of attacks.

According to GreatHorn, most attacks take between 1 and 4 steps to get the victim user to interact with the malicious payload.

[Graph: the number of steps it takes users to reach the malicious payload]

Source: GreatHorn

This means you have a bunch of users that unwittingly follow a set of unusual and unnecessary clicks that they should know better than to follow – something they learn very quickly if they are enrolled in new-school Security Awareness Training. Attackers will continue to evolve their craft, so your users need to stay up-to-date on the latest attacks.

READ MORE

Be Wary of Survey Scams

Online surveys are too often scams designed to steal personal or financial information, warns Phil Muncaster at ESET. Muncaster explains that these surveys are usually distributed via phishing or by ads on websites, impersonating trusted brands and offering phony rewards:

  • “The scam often begins with an unsolicited email or text/message likely spammed out to countless other victims. This is basically a phishing message designed to lure the recipient into participating by clicking through.
  • “It often features a well-known brand to add a sense of legitimacy and encourage the victim to participate. In December 2022, a popular survey scam abused the brand of chocolate-maker Cadbury to do this – promising recipients the chance to win ‘an exclusive Christmas Chocolate Magic Basket’ if they took a short quiz.
  • “The scam may feature a thematic lure – such as the Christmas Cadbury one, or the supposed ‘40th anniversary’ of wholesaler Costco which was used in a June 2022 campaign in South America.”

These scams can cause varying degrees of damage. Many are focused on collecting information, and others attempt to trick the user into installing malware or transferring money. Muncaster offers the following recommendations to help users avoid falling for these scams.

  • “Look out for any offers that seem too good to be true. It could be a large cash prize for just a few minutes work, or an expensive gift.
  • “Watch out for typos or poor grammar – it could be a sign that things aren’t quite right.
  • “Shortened URLs might also indicate fraud.
  • “Time-limited offers are another way for scammers to turn up the pressure on their victims.
  • “Some senders may be vague about who’s running the survey – with no ‘contact us’ link to follow.
  • “If the sender uses a free webmail account, then the survey is likely to be a scam.”
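Muncaster’s red flags can be turned into a simple triage check for a mail-security or awareness team. The following scorer is an added example written for this article, not ESET’s or KnowBe4’s code; the webmail and URL-shortener lists, the keyword patterns, the threshold and the two sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed lists for this example; extend them for your own environment.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# "Too good to be true" reward language and large dollar amounts.
TOO_GOOD = re.compile(r"\b(win|won|free|prize|gift card|exclusive)\b|\$\d{3,}", re.I)
# Time-limited pressure on the recipient.
URGENCY = re.compile(r"\b(today only|expires?|limited time|hurry|last chance)\b|\b\d+ hours?\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
SENDER_ADDR = re.compile(r"[\w.+-]+@([\w.-]+)")


@dataclass
class SurveyEmail:
    sender: str   # may be a bare address or "Display Name <address>"
    subject: str
    body: str


def score_survey_email(msg: SurveyEmail) -> tuple[int, list[str]]:
    """Return (score, reasons); each of Muncaster's indicators that fires adds one point."""
    reasons = []
    m = SENDER_ADDR.search(msg.sender)
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain in FREE_WEBMAIL_DOMAINS:
        reasons.append("sender uses a free webmail account")
    text = f"{msg.subject}\n{msg.body}"
    if TOO_GOOD.search(text):
        reasons.append("offer seems too good to be true")
    if URGENCY.search(text):
        reasons.append("time-limited offer applies pressure")
    link_hosts = {h.lower() for h in URL_HOST.findall(text)}
    if link_hosts & SHORTENER_DOMAINS:
        reasons.append("uses a shortened URL")
    lowered = text.lower()
    if "contact us" not in lowered and "unsubscribe" not in lowered:
        reasons.append("no way to contact whoever runs the survey")
    return len(reasons), reasons


def is_likely_survey_scam(msg: SurveyEmail, threshold: int = 3) -> bool:
    """Constructed threshold: three or more indicators is treated as a likely scam."""
    return score_survey_email(msg)[0] >= threshold


# Constructed samples modelled on the Cadbury-style lure described in the article.
SCAM_SAMPLE = SurveyEmail(
    sender="Cadbury Promo Team <cadbury.promo.team@gmail.com>",
    subject="Win an exclusive Christmas Chocolate Magic Basket!",
    body="Take our short quiz today only: https://bit.ly/xmasbasket - offer expires in 24 hours.",
)
LEGIT_SAMPLE = SurveyEmail(
    sender="feedback@survey.example-brand.com",
    subject="How was your recent order?",
    body="We would value your feedback: https://survey.example-brand.com/q/1234\n"
         "Contact us: support@example-brand.com\nUnsubscribe: https://example-brand.com/unsub",
)

if __name__ == "__main__":
    for sample in (SCAM_SAMPLE, LEGIT_SAMPLE):
        print(sample.subject, score_survey_email(sample), is_likely_survey_scam(sample))
```

The heuristics are deliberately coarse; they are meant to flag candidate messages for a human to review or to feed into awareness examples, not to replace a mail gateway’s own phishing detection.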

It’s worth noting that such scam surveys represent a business as well as a personal risk. Many of them are cast as business-to-business surveys to take the temperature of a market, or to gauge the climate of opinion among customers. New-school security awareness training can enable your employees to thwart social engineering attacks.

READ MORE

[Scam Of The Week] The Turkey-Syria Earthquake

Just when you think they cannot sink any lower, criminal internet scum is now exploiting the recent earthquake in Turkey and Syria.

Less than 24 hours after two massive earthquakes claimed the lives of thousands of people, cybercrooks are already piggybacking on the horrible humanitarian crisis. You need to alert your employees, friends and family… again.

Just one example is scammers posing as representatives of a Ukrainian charity foundation that seeks money to help those affected by the natural disasters that struck in the early hours of Monday.

There are going to be a raft of scams varying from blood drives to pleas for charitable contributions for victims and their families. Unfortunately, this type of scam is the worst kind of phishbait, and it is a very good idea to inoculate people before they get suckered into falling for a scam like this. I suggest you send the following short alert to as many people as you can.

[ALERT] “Lowlife internet scum is trying to benefit from the Turkey-Syria earthquake. The first phishing campaigns have already been sent and more will be coming that try to trick you into clicking on a variety of links about blood drives, charitable donations, or “exclusive” videos. Don’t let them shock you into clicking on anything, or open possibly dangerous attachments you did not ask for!

Be very suspicious of anything you receive about this recent earthquake. With this topic, think three times before you click. It is very possible that it is a scam, even though it might look legit or was forwarded to you by a friend. Be especially careful when it seems to come from someone you know through email, a text or social media postings, because their account may be hacked.

In case you want to donate to charity, go to your usual charity by typing their name in the address bar of your browser and do not click on a link in any email. Remember, these precautions are just as important at home as in the office, and tell your friends and family.”

It is unfortunate that we continue to have to warn against the bad guys on the internet that use these tragedies for their own benefit. For KnowBe4 customers, we will soon have a few templates with this topic in the Current Events. It’s a good idea to send one to your users this week.

READ MORE

Initial Access Brokers Leverage Legitimate Google Ads to Gain Malicious Access

A threat actor tracked as DEV-0569 appears to be using a combination of Google Ads and impersonated websites to compromise credentials and distribute malware to gain network access.

These days there is plenty of talk about Initial Access Brokers, but often, little is known about their specific actions other than the resulting presence of access to networks and assumptions that they are using the same tactics and techniques as cybercriminals that are responsible for an entire attack.

According to recent Twitter posts from cybersecurity researchers like Germán Fernández, DEV-0569 is using Google ads to infect victim machines.

According to Bleeping Computer, the ads are for software titles including LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.

[Image: malicious Google ads impersonating popular software downloads]

Source: Bleeping Computer

These ads take victims to a lookalike website where the desired tool (read: malware) can be downloaded and installed. In the end, DEV-0569 establishes a foothold on an endpoint within a victim organization, and that access is sold on the dark web.

The use of ads is a smart use of social engineering. When’s the last time you assumed a Google ad was not only illegitimate, but malicious? Right… never.

This kind of simple innovation is why organizations – including and especially members of IT – need to undergo continual Security Awareness Training that keeps them up to date on the latest social engineering tactics and phishing scams. The alternative is, eventually, one of these malicious methods is going to fool just the right person within your organization.

READ MORE

Yahoo Suddenly Rises in Popularity in Q4 to Become the Most Impersonated Brand in Phishing Attacks

Completely absent from the top 10 brands for more than two years, Yahoo’s impersonation may indicate that scammers are looking for new attack angles using lesser-used brands.

Yes, of course, Yahoo is anything but insignificant. With revenues topping $8 billion, the search engine giant is still quite relevant today. But in the world of phishing attacks using the impersonation of a major brand, Yahoo was down near 24th place. That is, until last quarter, when, according to CheckPoint’s security analysts, Yahoo jumped up 23 places to top the list of Top 10 Impersonated Brands in Q4 of 2022.

Surpassing brands we’ve become accustomed to seeing in the top 5 such as Microsoft, DHL, LinkedIn, Google, and Amazon, Yahoo was previously an impersonation afterthought. But its popularity last quarter indicates a resurgence in its use as a known and trusted brand that can give scammers just enough credibility to see their phishing attacks succeed.

Offering awards and significant amounts of money, according to CheckPoint, the Yahoo-themed phishing scams sought to trick victims into giving up personal information – including Yahoo credentials.

The use of Yahoo’s brand says a few things about the state of phishing attacks. First, you only need a widely known brand – in essence, any known brand – to launch an impersonation scam. Second, we can only assume the attackers are seeing material success to jump 23 places. Third, with lots of impersonated brands representing those that organizations like yours do business with (e.g., DHL, UPS, banks, etc.), users need to be educated through Security Awareness Training that just because you no longer see the impersonation equivalent of the age-old “Nigerian Prince” scam doesn’t mean it can’t pop up in an Inbox today.

READ MORE