Confident About Detecting Spoofed, Scam Emails?

A survey by ESET found that most people think they’d be able to identify scam emails while shopping online. 87% of respondents said they felt secure while shopping online, while 73% believed they would be able to spot a phishing email impersonating an online retailer. Only 38%, however, said they felt “very secure” online. Unsurprisingly, the survey found a dramatic increase in online shopping since the onset of the pandemic.

“The ESET Global FinTech Study examined the online shopping and cybersecurity habits of 2,000 consumers in the United States and 8,000 consumers across the UK, Australia, Japan, Mexico and Brazil, and found that 70 percent of Americans are shopping more online than they did before the pandemic, with 36% doing so ‘much more often’ than before,” ESET says. “Forty-four percent said they expected to do more online shopping post-pandemic; however, 17% expect to do less, while 32% say their habits will not change compared to their current ones.”

Tony Anscombe, ESET’s chief security evangelist, said that people can be expected to continue shopping online more often even after the pandemic subsides.

“Our lives were becoming increasingly digitized even before COVID-19 hit and now, as we begin to enter a new phase of the pandemic, consumers will likely maintain much of the online habits they became used to during the lockdown, particularly shopping online,” Anscombe said. “With this continued reliability on using the internet for many of our daily routines, it is imperative that the devices and technologies we use to share our most sensitive information are protected to the highest standard and that people understand how to protect themselves.”

Confidence is fine, we suppose, but overconfidence? Not so much. As phishing emails grow more realistic and harder to distinguish from the real thing, it’s important not to grow complacent about your ability to spot these schemes. New-school security awareness training with simulated phishing tests can teach your employees to identify social engineering attacks in their personal and professional lives.


CISA’s New Anti-Ransomware Campaign

The US Cybersecurity and Infrastructure Security Agency is launching a campaign to raise awareness of the ways organizations can defend themselves against ransomware attacks.

“Ransomware is increasingly threatening both public and private networks, causing data loss, privacy concerns, and costing billions of dollars a year,” CISA stated. “These incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services. Malicious actors have adjusted their ransomware tactics over time to include pressuring victims for payment by threatening to release stolen data if they refuse to pay and publicly naming and shaming victims as secondary forms of extortion.”

CISA’s Acting Director Brandon Wales noted that any type of organization can be targeted by these attacks.

“CISA is committed to working with organizations at all levels to protect their networks from the threat of ransomware,” Wales said. “This includes working collaboratively with our public and private sector partners to understand, develop and share timely information about the varied and disruptive ransomware threats. Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems.”

The agency says the campaign will have an emphasis on healthcare and educational institutions.

“In this campaign, which will have a particular focus on supporting COVID-19 response organizations and K-12 educational institutions, CISA is working to raise awareness about the importance of combating ransomware as part of an organization’s cybersecurity and data protection best practices,” the agency said. “Over the next several months, CISA will use its social media platforms to iterate key behaviors or actions with resource links that can help technical and non-technical partners combat ransomware attacks.”

The vast majority of ransomware attacks begin when an attacker gains a foothold via a phishing attack or an exposed RDP port. New-school security awareness training can give your organization an essential layer of defense by enabling your employees to recognize social engineering tactics and follow security best practices.


Thousands of Stolen Credentials Accessible via Google Search as Cybercriminals Accidentally Make Them Public

A publishing goof by cybercriminals on a WordPress site made files containing stolen passwords indexable by Google, so they were subsequently publicly available via search.

What started as a Xerox scan notification scam intended to steal victims’ Office 365 credentials became a story of how even the bad guys make mistakes. According to a new report from Check Point, the attackers made a publishing mistake, causing the files containing the stolen passwords to be exposed across dozens of drop-zone servers.

Indexed by Google, the passwords could have been (or possibly were) used by opportunistic hackers if they knew what to search for. According to Check Point, they were able to find dozens of compromised WordPress servers hosting the malicious PHP files that collected and stored the compromised credentials.

Sure, it’s a rather big “if”, but it does go to show you that once a credential is compromised, you have no idea who has access to it, nor how it will be used to further cybercriminal activity.

The way to avoid such situations is to instruct users via Security Awareness Training on how to identify phishing attacks that use brand impersonation (such as Microsoft) to trick victims into giving up credentials in the first place.


Are your users’ passwords… P@ssw0rd?

Employees are the weakest link in network security, using weak passwords and falling for phishing and social engineering attacks. KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak password related threats.

Here’s how it works:

  • Reports on the accounts that are affected
  • Tests against 10 types of weak password related threats
  • Does not show/report on the actual passwords of accounts
  • Just download the install and run it
  • Results in a few minutes!

[INFOGRAPHIC] Q4 2020 Work From Home Phishing Emails on the Rise

KnowBe4’s latest quarterly report on top-clicked phishing email subjects is here. These are broken down into three different categories: social media related subjects, general subjects, and ‘in the wild’ attacks.

Hackers Continue to Prey on a Remote Workforce

Phishing email attacks leveraging COVID-19 were on every quarterly report in 2020, but there were not as many at the top of the list in Q4 as in previous quarters. However, we still see a lot of subjects related to working remotely as well as security-related notifications.

“It’s no surprise that phishing attacks related to working from home are increasing given that many countries around the world have seen their employees working from home offices for nearly a year now,” said Stu Sjouwerman, CEO, KnowBe4. “Just because employees may be more used to their home office environment doesn’t mean that they can let their guard down. The bad guys deploy manipulative attacks intended to strike certain emotions to cause end users to skip critical thinking and go straight for that detrimental click.”

Don’t Dismiss Social Media as a Phishing Concern

We have seen a pattern of fake LinkedIn messages topping this list for the past three years. There is likely a perception that these emails are legitimate because they appear to be coming from a professional network. It’s a significant problem because many LinkedIn users have their accounts tied to their corporate email addresses. Top-clicked subjects in this category reveal password resets, tagging of photos and new messages.

See the Infographic with Top Messages in Each Category for Last Quarter:

[Infographic: Q4 2020 top-clicked phishing email subjects by category]

Click here to download the full infographic (PDF). Great to share with your users!

In Q4 2020, we examined tens of thousands of email subject lines from simulated phishing tests. We also reviewed ‘in-the-wild’ email subject lines that show actual emails users received and reported to their IT departments as suspicious. The results are below.

The Top 10 Most-Clicked General Email Subject Lines Globally for the past quarter include:

  1. Password Check Required Immediately
  2. Touch base on meeting next week
  3. Vacation Policy Update
  4. COVID-19 Remote Work Policy Update
  5. Important: Dress Code Changes
  6. Scheduled Server Maintenance — No Internet Access
  7. De-activation of [[email]] in Process
  8. Please review the leave law requirements
  9. You have been added to a team in Microsoft Teams
  10. Company Policy Notification: COVID-19 – Test & Trace Guidelines

Most Common ‘In-The-Wild’ Emails in Q4 2020 Included:

  • IT: Annual Asset Inventory
  • Changes to your health benefits
  • Twitter: Security alert: new or unusual Twitter login
  • Amazon: Action Required | Your Amazon Prime Membership has been declined
  • Zoom: Scheduled Meeting Error
  • Google Pay: Payment sent
  • Stimulus Cancellation Request Approved
  • Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
  • RingCentral is Coming!
  • Workday: Reminder: Important Security Upgrade Required

*Capitalization and spelling are as they were in the phishing test subject line.
**Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers.

See results from all previous quarters in our Top Clicked Phishing Email Subjects topic.



Charming Kitten Phishing and Smishing Attacks Use Legitimate Google Links and a Tricky Redirection Strategy to Fool Security Solutions

This breakdown of the latest attack from the Charming Kitten cybercriminal gang shows just how much thought goes into obfuscating their tactics and evading detection.

I’ve covered stories in the past where phishing attacks utilized well-known domains to keep from being detected, such as SharePoint Online, where the initial target site is credible enough to keep some security solutions from seeing the link as being malicious.

In the case of a recent attack by the cybercriminal group Charming Kitten (also known as APT35), the attackers use some fairly sophisticated tactics to avoid detection:

  • The initial link sent in a text or email is a google.com link that points to a script.google.com address with some specific parameters, including an identifier so the bad guys know it’s one of their redirects
  • The script.google.com script matches the included identifier and redirects the visitor to a predefined unique URL for that specific victim
  • The third URL used is a redirection short URL. The really brilliant part is that initially, when used in conjunction with email-based phishing, the redirect points to a legitimate and benign webpage so that email scanners that traverse redirections will see it as legitimate. Once the email hits the inbox, the redirect is changed to the malicious address
  • Once the victim hits the final malicious address, a spoofed logon page is presented to attempt to steal the victim’s Google credentials
  • The user-specific malicious redirect is reconfigured back to a legitimate domain to hide Charming Kitten’s tracks
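A gateway that resolves a link once at delivery is exactly what the redirect swap in the third step defeats; re-resolving the chain at click time and comparing the two results is what catches it. The following is an added Python example, not Check Point’s or any vendor’s code: the redirect tables are constructed stand-ins for the HTTP responses a scanner would see, and every host other than google.com and script.google.com is hypothetical.

```python
from urllib.parse import urlparse

# Constructed redirect tables standing in for what a URL scanner would observe
# by issuing requests. SCAN_TIME is what the gateway saw when the mail arrived;
# CLICK_TIME is what it sees when the user actually clicks. All hosts other
# than google.com / script.google.com are hypothetical.
START = "https://www.google.com/url?q=https://script.google.com/macros/s/ID123/exec?ref=v1"
SCAN_TIME = {
    START: "https://script.google.com/macros/s/ID123/exec?ref=v1",
    "https://script.google.com/macros/s/ID123/exec?ref=v1": "https://short.example/abc",
    "https://short.example/abc": "https://www.example.org/",  # benign while scanners look
}
CLICK_TIME = dict(SCAN_TIME)
CLICK_TIME["https://short.example/abc"] = "https://accounts-google.example.net/login"

MAX_HOPS = 10


def resolve_chain(url, table):
    """Follow the redirects recorded in `table`; return every URL visited, in order."""
    chain = [url]
    while url in table and len(chain) <= MAX_HOPS:
        url = table[url]
        if url in chain:  # redirect loop: stop rather than spin forever
            break
        chain.append(url)
    return chain


def host(url):
    return (urlparse(url).hostname or "").lower()


def is_google_owned(hostname):
    return hostname == "google.com" or hostname.endswith(".google.com")


def assess(url, scan_table, click_table):
    """Return a list of findings for one link; an empty list means nothing looked off."""
    findings = []
    scan_chain = resolve_chain(url, scan_table)
    click_chain = resolve_chain(url, click_table)
    final = click_chain[-1]
    # The swap described in the post: benign at delivery, malicious at click time.
    if scan_chain[-1] != final:
        findings.append("final destination changed between scan time and click time")
    # A google.com link hopping through Apps Script is user-supplied code, not Google content.
    if any(host(u) == "script.google.com" for u in click_chain):
        findings.append("chain passes through script.google.com")
    # Google branding on a host Google does not own is the spoofed-logon tell.
    if "google" in host(final) and not is_google_owned(host(final)):
        findings.append("final host is Google-themed but not a Google domain")
    return findings


if __name__ == "__main__":
    for finding in assess(START, SCAN_TIME, CLICK_TIME):
        print("-", finding)
```

Resolving the same link against the scan-time table twice yields only the Apps Script finding; the delivery-versus-click comparison is what exposes the swap.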

It’s evident that folks like Charming Kitten are putting a lot of effort and thought into avoiding detection before, during, and after the attack. This makes it nearly impossible for security solutions alone to protect users from such attacks. Users themselves need to be educated using Security Awareness Training to be watchful for unsolicited email and text messages – even when they appear to come from Google.


Familiar Advice, but Worth Repeating

Researchers at ESET outline some security best practices to avoid falling for phishing emails. In an article for TechZone360, the researchers explain how to identify suspicious links.

“Before clicking on an embedded link in the body of an email, inspect it first!” ESET says. “Hackers often conceal malicious links within emails, and mix them with genuine links to trick you. If the hyperlinked text isn’t identical to the URL that pops up when you hover over the link, that’s a sign of a malicious link. It might take you to a site you don’t want to visit, or even install a virus on your computer. To prevent this from happening, don’t trust any unmatching URLs or links that seem irrelevant to the content in the rest of the email.”

Additionally, attackers can easily create deceptive email addresses, in some cases after compromising a legitimate server.

“Cybercriminals often create new email addresses for phishing scams,” ESET says. “Hover over the sender’s email address and make sure it matches other emails you’ve received from that person or company and doesn’t contain any additional numbers or letters. For example, johnsmith@telstra[.]com is more legitimate than johnsmith24@telstra[.]com or johnsmith@telstra24[.]com. While some companies do use varied domains or third-party providers to send emails, that’s the exception — not the rule. So, be wary of any emails with unusual addresses.”
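Both of ESET’s checks above, the hover test on links and the extra-digits test on sender addresses, can be automated in a mail filter or used to build training material. This is an added Python example, not ESET’s code: the HTML body and addresses are constructed, following the telstra example in the quote, and the two-label `registrable` helper is a simplification of a real public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(hostname):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    return ".".join(hostname.lower().split(".")[-2:])


# Something in the link text that looks like a host name makes a claim about where it leads.
URL_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


def mismatched_links(html):
    """ESET's hover test: link text shows one domain while the href goes to another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        m = URL_IN_TEXT.search(text)
        if not m:
            continue  # "click here" makes no claim about its destination
        shown = registrable(m.group(1))
        actual = registrable(urlparse(href).hostname or "")
        if shown != actual:
            flagged.append((text, href))
    return flagged


def suspicious_sender(addr, known_addr):
    """ESET's sender test: same name/company but with digits added. Returns a reason or None."""
    local, _, domain = addr.lower().partition("@")
    known_local, _, known_domain = known_addr.lower().partition("@")
    if (local, domain) == (known_local, known_domain):
        return None
    strip_digits = lambda s: re.sub(r"\d+", "", s)
    if strip_digits(local) == known_local and domain == known_domain:
        return "extra digits in the mailbox name"
    if local == known_local and strip_digits(domain) == known_domain:
        return "extra digits in the domain"
    return "address differs from the known sender"


# Constructed sample body; the domain names follow ESET's telstra example.
SAMPLE_HTML = (
    '<p>Please sign in at <a href="http://login.telstra24.com/x">www.telstra.com/account</a> '
    'or read the <a href="https://www.telstra.com/help">help page</a>.</p>'
)

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_HTML))
    print(suspicious_sender("johnsmith24@telstra.com", "johnsmith@telstra.com"))
```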

Finally, while some phishing emails will have perfect spelling and grammar, typos and awkward writing are major red flags.

“Poorly written or grammatically incorrect emails are a dead giveaway of a scam,” ESET writes. “If you spot typos or mistakes in the subject line, don’t open the email because it could be a phishing scam. And if you read an email and it’s riddled with mistakes or odd turns of phrase, that points to a potential scam. Emails from legitimate companies are often crafted by professional writers and edited for spelling and syntax. Interestingly, many cybersecurity professionals believe that hackers write ‘bad’ emails on purpose to hook the most gullible targets.”

Phishing emails can target anyone, and attackers only need to fool one employee to gain a foothold within your network. New-school security awareness training with simulated phishing tests can help your employees recognize these attacks.


Data Activist Group Publishes Exfiltrated Ransomware Data Previously Available Only on the Dark Web

A small group known as Distributed Denial of Secrets, or DDoSecrets, works to make data stolen as part of ransomware attacks available to journalists.

The idea of your organization’s data being published on the dark web is a scenario every organization wants to avoid. Bad guys with access to company secrets, customer data, and personal information never add up to something good. It’s the reason this tactic is so influential on ransoms being paid today.

Most often, when ransoms haven’t been paid, the data has been published on a site available only on the dark web. Maze, however, took some of its plundered data and posted it to a publicly viewable website on the open Internet.

But the most recent development in the area of extorted data being published comes from DDoSecrets, a data anti-privacy group that has taken over a terabyte of data from organizations covering industries that include pharmaceuticals, manufacturing, finance, software, retail, real estate, and oil and gas, and posted the data to a publicly-accessible website.

Their goal is to make those very same corporate secrets that are already published on the dark web available to the world. According to a Wired story about DDoSecrets, their cofounder Emma Best seemed to hope the data would contain evidence of corporate malfeasance or perhaps intellectual property that could be used to “serve the public good”. It’s evident from the article that DDoSecrets is an activist group with an agenda to share data, regardless of whether it may hurt corporations.

It was already evident that your organization cannot afford to be the victim of a ransomware attack. But with new players appearing like DDoSecrets with additional agendas of how to use the published data that can be just as harmful, you know it’s now imperative to put as much defense in place to stop ransomware attacks from being successful in your organization.


The 10 Phases Of Organizational Security Awareness

After 10 years of continued expansion in the security awareness space and providing our platform to tens of thousands of customers, we have observed a consistent progression of organizational security awareness over time.

The speed of this progression differs by org size, geolocation, and industry, but we see the same pattern return over and over. In certain cases some steps are omitted. In other cases a few steps are taken at the same time. Ultimately, however, most orgs arrive at the same ideal end state. Let’s step through these 10 phases so you can determine where your own organization is in this process.

1) Increased Technical Awareness for Infosec and IT Pros

Infosec and IT Pros feel the pain first. Infected workstations and ransomware attacks keep them on the defense and backlogged. Many of these professionals see the need for security awareness, but sometimes have been discouraged by the unworkable old-school practice of stepping users through 15 minutes of compliance-driven training. Quite a few of these pros understand the risks of relying on software-driven controls only.

2) Awareness Content Delivery for End Users

Here is where first-generation training videos replace the break-room death-by-PowerPoint presentations; it’s usually not very well trackable, but it’s a start.

3) Platform Automation Enables Compliance Requirements

Automating the process of training delivery through an (internal or external) Learning Management System (LMS) so that compliance requirements are easier to fulfill. This is very dependent on the size of the org; larger ones have an on-prem or cloud-based LMS used for general training purposes.

4) Continuous Testing

This phase demonstrates a significant shift toward the ‘Zero Trust’ model where the employee after training gets tested frequently to make sure that the acquired knowledge has actually become a skill that is applied in practice and does not disappear over time (use it or lose it).

5) Security Stack Integrations

At this stage, “phish alert buttons” are deployed to the end-users’ email client so that they can report any phishy emails to the Incident Response team or SOC who can then take action.

6) Security Orchestration

The next phase is that these reported emails are integrated into a security workstream which quickly evaluates the risk level and in case an active attack is in progress, can automatically reach into the inbox of all users and rip out malicious messages before further damage is done.

7) Advanced User Behavior Management

Having in-depth risk metrics about both individual users and groups of users, orgs can now create tailored campaigns based on observed risky behavior. An example is scanning the dark web for breached org credentials and bad password usage, then sending individual training modules to those high-risk users.

8) Adaptive Learner Experience

The next phase is the end-user having a localized UI where they go and can see their individual risk score, get badges, and start to participate in the learning experience. Also, this phase is when advanced metrics allow AI-driven campaigns where each user gets highly individualized security awareness training.

9) Active User Participation In Security Posture

Here is where the user becomes aware of their role in your org’s defense and actively chooses additional training to reduce their risk score. They participate in awareness campaigns, become a local awareness champion, and understand that they themselves have become the endpoint.

10) Human Endpoint As Strong Last Line Of Defense

The ultimate state where each employee is sufficiently aware of the risks related to cyber security, and makes smart security decisions every day, based on a clear understanding of those risks. The current WFH environment has accelerated the need for this significantly.

[Infographic: the 10 phases of organizational security awareness]


68% of Organizations Experiencing One Cyberattack Experience a Second Within 12 Months!

New data from cybersecurity vendor CrowdStrike shows just having security technologies in place won’t prevent one… let alone two… cyberattacks.

It’s a longstanding belief that organizations should consider becoming the victim of a cyberattack a matter of when, not if. The latest CrowdStrike Services Cyber Front Lines Report provides some insight into the why and how of cyberattacks in the last 12 months. Do keep in mind that it is written from the perspective of CrowdStrike’s own services team, so some of the data revolves around the sampled organizations having CrowdStrike software and services deployed.

There are a few themes that point to both why the bad guys are working so diligently to compromise your network and why they’re being successful. According to the report:

  • 63% of the attacks experienced are financially motivated with 71% of those attacks being ransomware
  • 56% of orgs are working from home more often
  • 60% are using personal devices
  • 30% of organizations’ antivirus deployments “were either incorrectly configured with weak prevention settings or not fully deployed across the environment”
  • This resulted in antivirus failing to provide protection in 40% of incidents

I’ve repeatedly said over the years that organizations cannot simply rely on software solutions to intervene when cyberattacks occur. Even with today’s use of machine learning to help identify phishing scams and malware, the bad guys still seem to find ways to circumvent detection.

That’s why you need to augment your security strategy by shoring up your human firewall – your users. By enrolling them in continual new-school Security Awareness Training, they become naturally vigilant, able to quickly assess whether the content they interact with in email or on the web may be malicious in nature – allowing them to avoid interacting with the suspicious content and becoming another stat in a report like CrowdStrike’s.


Vaccine Research Companies are the Target of New Ransomware Attacks

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) warns financial organizations to be aware of campaigns actively targeting vaccine companies.

If you’re a ransomware gang and you want to maximize your ransom, who do you attack? An organization working feverishly to potentially make billions of dollars via a desperately needed vaccine, of course! Take away their ability to operate and even access intellectual property and you have yourself a very captive audience that needs to rectify the mess you’ve caused.

In a recent notice, FinCEN warned of two expected types of attacks:

  • Ransomware attacks targeting “vaccine delivery operations as well as the supply chains required to manufacture the vaccines.”
  • Phishing schemes luring victims from financial institutions and their customers with fraudulent information about COVID-19 vaccines.

This notice coincides with attacks we’ve seen on the COVID-19 “cold supply” chain (the part responsible for maintaining temperature-controlled environments for the vaccines), as well as vaccine-themed phishing attacks attempting to steal personal information or payment details.

While the first type of attack focuses on a specific sector of business, the second applies to every organization. It’s just as easy for an attacker to impersonate your HR department and send out an email stating that free vaccines will be distributed… and to fill out a form (conveniently a Word doc that needs macros enabled…).

With tensions high and people eager to get the vaccine, it’s critical that you educate your users via Security Awareness Training about these kinds of social engineering scams, which are designed to trick them into engaging with the embedded malicious content.
