Employees Are Too Trusting of Workspace Tools

A study by Avanan has found that users tend to trust workplace communication tools such as Microsoft Teams, Slack, and Google Hangouts, even though these platforms are subject to many of the same risks as traditional email. For example, if an attacker phishes a user’s Office 365 credentials, they can then access the user’s Teams account and message the victim’s contacts. Avanan’s CEO Gil Friedrich told SC Media that many organizations have third-party partners tied into their Teams environment, which increases the level of risk.

“[Y]ou should be more careful in those environments with data you share as well as that with the things you download, etc., because you can’t really control the security of your partners,” Friedrich said.

Avanan’s report describes one incident in which an attacker gained access to one employee’s Teams account, then sent a malicious GIF to another employee. When the other employee clicked the GIF, the attacker received their session token, which enabled the attacker to impersonate that employee and gain access to their files. The attacker continued using this technique to impersonate additional users and gain access to more content.

In another instance, a hacker lurked within an organization’s Teams environment for nearly a year before sending a malware-laden file.

“[U]nlike traditional spray-and-pray campaigns we see in compromised email accounts, this hacker acted differently on Teams,” the report says. “For that year, the hacker did not contribute once in the channel. Instead, the hacker listened, collected data and waited for an opportunity. This is a new revelation. In order to evade detection in this new medium, hackers would rather wait for when they can make the biggest impact with the least possible detection. When an opportunity arrived and sharing a file was part of a natural chat conversation, the hacker shared a zip file, which included a version of a malware kit designed for desktop monitoring and configured to install silently upon clicking the file. This Remote Access Trojan would have given the attacker full access to monitor and control the victim’s desktop.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can identify red flags, no matter which online service they’re using.

How Crime Pays, Ransomware Edition

The Ryuk ransomware operators have raked in more than $150 million from their attacks, researchers at Advanced Intelligence and HYAS have found. The researchers describe how these operators are able to demand such large ransoms and then successfully launder the proceeds into fiat currency.

“Our research involved tracing payments involving 61 deposit addresses attributed to Ryuk ransomware,” they write. “The Ryuk criminals send a majority of their Bitcoin to exchanges through an intermediary to cash out. The two primary (known) exchanges are Huobi and Binance, both of which are located in Asia. Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply.”

The researchers also note that, unlike some other, more lenient, ransomware operators, the Ryuk gang is merciless when its victims are unable to pay. This group is also known for intentionally targeting hospitals.

“With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose, or ability of the victims to pay,” the researchers say. “Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.”

The researchers conclude that technical defenses are often insufficient to thwart a ransomware attack once the attackers have gained a foothold within a network.

“Something that becomes glaringly apparent in analyzing ransomware incidents is that the current industry and government-accepted approaches and frameworks for dealing with malware problems aren’t effective,” the researchers write. “Enterprises that suffer from ransomware aren’t infected because they lack up to date antivirus software or because they chose the blue vendor instead of the red vendor. They’re encountering ransomware because they haven’t considered developing countermeasures that will prevent the initial foothold that is obtained by precursor malware like Emotet, Zloader, and Qakbot (to name a few).”

The researchers recommend that organizations restrict the execution of Microsoft Office macros, secure all remote access points with two-factor authentication, and lock down Citrix and Remote Desktop Protocol tools. Most ransomware attacks are a result of unsecured remote access tools or an employee being tricked into enabling macros in an Office document. New-school security awareness training can enable your employees to follow security best practices and thwart social engineering attacks.

How to Spot the (Phish) Hook

Users should act as quickly as possible after they realize they’ve fallen for a phishing attack, according to Mallika Mitra at Money. The faster your IT department can contain a malware infestation or a compromised account, the less damage an attacker can cause.

“If you do fall for a phishing scam on your work email, immediately alert your IT department so they can mitigate the damage on their end and stop it from spreading,” Mitra writes. “If the phish happened on your personal email, run an antivirus scan on your computer by downloading and installing antivirus software to ensure no malware has been installed.”

Mitra also offers useful advice to people who may have handed over personal or financial information to a scammer.

“The FTC lists additional steps to take based on what kind of information you gave the scammer,” Mitra says. “If he got your Social Security number, the agency advises, sign up for regular credit reports, file your taxes early to get a jump on the scammer trying to do the same and consider placing a credit freeze on your report. If he got your banking information, call your bank and ask to close your account and open a new one. Keep a close eye on future transactions: monitor your bank statement for charges you don’t recognize or set up alerts for account balance changes.”

Obviously, it’s still best to avoid falling for a phishing attack in the first place. Mitra says users can thwart these attacks by keeping an eye out for known warning signs as well as being wary of suspicious requests for information.

“The best thing you can do to protect yourself against phishing emails is to be vigilant,” she says. “We’re not telling you to double-check for every red flag we’ve listed in every email you receive, but trust your instincts. If an email seems at all fishy—or makes you panic—take those extra precautions to ensure you’re not giving bad actors free rein over your personal information or compromising your computer system. Keep in mind that Amazon, Target or any of the other organizations scammers pretend to be from probably aren’t going to ask you for details like financial information via an email.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can recognize phishing and other social engineering attacks.

It’s Time for Organizations to Begin Propping Up the Human Firewall

Modern thinking about a comprehensive cybersecurity strategy includes a holistic approach that equally involves your users as a “human element” within your cyber defenses.

I’m guessing your cybersecurity strategy already includes a number of different software solutions that monitor, analyze, authenticate, audit, and report activity on your network and access to internal resources. But I’m glad to see more industry experts discussing the need to include users as part of the strategy to become the “human firewall”.

In the article titled “The human firewall’s role in a cybersecurity strategy”, author Jessica Groopman does a great job of defining what the term means (“the line of defense people constitute to combat an organization’s security threats”), as well as offering advice on where organizations should place their focus so that this part of a defense-in-depth security strategy is as strong as the parts built on software solutions.

At the core of building a strong human firewall, Groopman advises that organizations “provide extensive education, simulation, training and relevance to workers”. In other words, Security Awareness Training and Phishing Testing.

[HEADS UP] Australian Cyber Security Centre is Being Used in Malware Campaign

A warning was recently issued by the Australian Government about cybercriminals impersonating the Australian Cyber Security Centre (ACSC) to infect victims with malware.

These cybercriminals are using social engineering tactics to convince potential victims to install remote desktop software. If successful, these criminals will steal your banking information.

The government issued the following statement, “The Australian Cyber Security Centre (ACSC) warns some Australians are receiving phone calls or emails from scammers claiming to be ACSC employees and that the receiving person’s computer has been compromised.”

The cybersecurity agency has also reported that, besides emails, there have been a number of reports of calls from a spoofed Australian phone number requesting that the recipient download the remote desktop software ‘TeamViewer’ or ‘AnyDesk’. The agency adds in its statement, “The scammer then attempts to persuade recipients to take actions, such as enter a URL into a browser and access online banking services, which then compromises their computer to reveal banking information.”

If you or your users have been targeted in this campaign, please reach out to the ACSC by contacting 1300 292 371 (1300 CYBER 1). It’s also important to train your users on the latest threats. New-school security awareness training can teach your users how to spot and report any suspicious activity with continual user education.

Welcome to The InfoSec Neighborhood!

It looks like KnowBe4 has a new cybersecurity “neighbor” here in Tampa, helping create an even larger presence of tech companies headquartered in Florida.

I’m super excited to see more tech companies coming to the Tampa area. Since my days with WServerNews and Sunbelt Software, I’ve always felt Tampa was a great place to start a tech company – good weather, near the beach, and a wealth of great people I’ve leaned upon to help grow all of my tech ventures, including KnowBe4.

It appears that my new neighbor is OPSWAT, a tech company focusing on protecting critical infrastructure from cyberattacks. According to recent reports, OPSWAT has chosen Tampa as the location to open up its 10th office, marking Tampa as their East Coast headquarters. Part of the impetus is likely to be the recent acquisition of Tampa-based network security firm Impulse.

OPSWAT plans on hiring 100 new positions at the Tampa office, adding to its 350-person global workforce. The addition of OPSWAT only helps solidify Tampa’s position as a regional tech hub.

This is great news for Tampa Tech and Tampa in general. I look forward to seeing great things from OPSWAT!

KnowBe4 Wins Multiple 2021 “Best of” Awards From TrustRadius

KnowBe4 is proud to be recognized by TrustRadius in the first-ever “Best of” Awards for usability, customer support, and feature set in the Security Awareness Training software category.

The TrustRadius 2021 Best of Awards in Usability, Support, and Feature Set highlight companies that have gone above and beyond to provide their customers with outstanding customer service, product ease-of-use, and breadth and depth of capabilities in the 2020 year.

To win the “Best of” Awards, each nominated organization had to receive 10 recent TrustRadius reviews in the past year that ranked the highest in Usability rating, Support rating, and the highest rate of reviewer satisfaction with the product’s Feature Set. Winners also had to rank in the top three positions of their category in terms of what percentage of positive responses they earned this year. Additional vetting via textual review analysis was also performed by the TrustRadius research team.

Over 35,000 customers use KnowBe4. Read our customer reviews from verified users who have shared how much they value our security awareness training and simulated phishing platform.

At KnowBe4, we’re proud to create a platform that helps our customers manage the ongoing problem of social engineering and enables users to make smarter security decisions, every day. Thank you for your trust, supporting our work, and for sharing your feedback on TrustRadius.

Are you a KnowBe4 customer and looking to leave your own feedback? We’d love to hear from you. Please share your experience by starting a review here.

PayPal Phishing: “Your Account is Limited”

A PayPal smishing campaign is trying to trick users into handing over their credentials and personal information, BleepingComputer reports. The text messages state, “PayPal: We’ve permanently limited your account, please click link below to verify.” (Note, by the way, the poor command of English idiom. The message includes a comma splice and there’s some uncertainty about the use of articles.)

The link in the message leads to a phishing page that appears identical to PayPal’s login portal (although the URL is clearly different). If a user enters their credentials and clicks “Log In,” they’ll be taken to a second phishing page that asks them to enter their name, address, and bank account details. All of this information will be sent to the attacker.

BleepingComputer says users should be wary of any unsolicited text messages, especially if they contain a link. PayPal does limit accounts when it detects suspicious activity, but you can check the status of your account by going directly to paypal.com instead of clicking on a link in a text message.

“Smishing scams are becoming increasingly popular, so it is always important to treat any text messages containing links as suspicious,” BleepingComputer writes. “As with all phishing emails, never click on suspicious links, but instead go to the main site’s domain to confirm if there is an issue with your account.”

The publication also offers advice for people who may have fallen victim to this attack, urging them to be on the lookout for future social engineering attacks that incorporate their personal information.

“If you received this text and mistakenly logged into your PayPal account or provided other information, you should immediately go to Paypal.com and change your password,” BleepingComputer says. “If you use that same password at other sites, change them there as well. Finally, you should look out for other targeted phishing campaigns using the submitted data.” BleepingComputer also suggests that you monitor your credit report to make sure fraudulent accounts are not created under your name.

New-school security awareness training can help your employees defend themselves against these attacks by teaching them to recognize different types of phishing attacks.

A Close Look at a Banking Scam

A phishing campaign is targeting customers of Portugal’s Banco Millennium BCP (Portuguese Commercial Bank), according to Tomas Meskauskas at PCRisk. The emails inform recipients that their bank accounts have been frozen for security reasons, and that they’ll need to either confirm their banking credentials or pay a €455 fine in order to regain access. The email contains a button that will take the user to a spoofed BCP login page designed to steal their bank account credentials.

While this campaign relies on users entering their credentials manually, Meskauskas explains that many other phishing attacks try to trick users into installing banking malware. This is usually accomplished by tricking the user into opening an attached Microsoft Office document. The document, when opened, asks the user to click the “Enable content” button in order to view the contents. This button will enable a macro to install malware on the user’s computer.

Meskauskas also stresses the importance of keeping software up-to-date, since older versions of Microsoft Office can run macros automatically.

“It is worthwhile to mention that malicious MS Office documents infect computers only when recipients open them and enable editing/content (macros commands) in them,” Meskauskas says. “However, it applies only to malicious documents that users open with Microsoft Office versions that were released after year 2010. If malicious documents are opened with older versions, then they install malware once they are opened. It is because older versions do not include the ‘Protected View’ mode.”
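The macro restriction recommended by the Ryuk researchers earlier in this issue and the “Enable content”/Protected View behaviour Meskauskas describes here are both controlled by Office policy settings. The PowerShell script below is an added example, not code from the newsletter or from either set of researchers; it assumes Office 2016/2019/Microsoft 365 (policy path 16.0) and writes the per-user policy keys that Group Policy would normally push in a domain.

```powershell
# Added example (not from the newsletter or the cited researchers): enforces and
# audits the Office macro / Protected View policy values that block the
# "click Enable content" infection path. Assumption: Office policy path "16.0"
# (Office 2016, 2019, Microsoft 365) and per-user policy keys under HKCU.
[CmdletBinding()]
param(
    [switch]$AuditOnly   # report the current state without changing anything
)

$OfficeVersion = '16.0'                  # assumption, see above
$Apps = 'Word', 'Excel', 'PowerPoint'    # the apps that carry VBA macros

# Security key values (names match the Office Group Policy templates):
#   VBAWarnings 4                       = disable all macros without notification
#   blockcontentexecutionfrominternet 1 = block macros in files marked as downloaded from the Internet
$SecurityValues = @{
    'VBAWarnings'                       = 4
    'blockcontentexecutionfrominternet' = 1
}
# ProtectedView subkey: a value of 0 keeps that Protected View trigger enabled
$ProtectedViewValues = @{
    'DisableInternetFilesInPV'   = 0
    'DisableAttachmentsInPV'     = 0
    'DisableUnsafeLocationsInPV' = 0
}

function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path      = $Path
        Name      = $Name
        Expected  = $Expected
        Current   = if ($null -eq $current) { '<not set>' } else { $current }
        Compliant = ($current -eq $Expected)
    }
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$results = foreach ($app in $Apps) {
    $secPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $pvPath  = Join-Path $secPath 'ProtectedView'

    # Build the list of (path, name, value) targets for this application
    $targets = @()
    foreach ($kv in $SecurityValues.GetEnumerator()) {
        $targets += [pscustomobject]@{ Path = $secPath; Name = $kv.Key; Value = $kv.Value }
    }
    foreach ($kv in $ProtectedViewValues.GetEnumerator()) {
        $targets += [pscustomobject]@{ Path = $pvPath; Name = $kv.Key; Value = $kv.Value }
    }

    foreach ($t in $targets) {
        if (-not $AuditOnly) { Set-PolicyValue -Path $t.Path -Name $t.Name -Value $t.Value }
        Test-PolicyValue -Path $t.Path -Name $t.Name -Expected $t.Value
    }
}

$results | Format-Table Path, Name, Expected, Current, Compliant -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more macro/Protected View policies are not in the hardened state.'
}
```

A VBAWarnings value of 4 also blocks digitally signed macros; an organization that depends on signed macros would set 3 instead and distribute its signing certificate to Trusted Publishers.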

Meskauskas adds that users should be careful about where they go to download programs and updates.

“Files, programs should be downloaded only from legitimate, official web pages and via direct links,” Meskauskas writes. “It is not safe to use Peer-to-Peer networks, unofficial sites, third party downloaders (and installers), etc. Installed programs that need to be updated and/or activated should be updated and/or activated with tools that are provided by their official developers. Third party updating and activation tools can be (and often are) designed to install malware.”

New-school security awareness training can create a culture of security within your organization by teaching your employees to follow security best practices.

Why Small Businesses Often Say ‘Why Bother?’ When Dealing With Cybercrime

Well, it happened again. As a security professional, I hear a lot of things being said that are exaggerated or just plain untrue. I’ve become used to that, however, there is one phrase that really drives me crazy when I hear it. That phrase is, “Why even bother trying?”

As security professionals, many of us are constantly observing situations in different settings with an eye toward security. Recently, I noticed my doctor entering his password so he could add notes to a patient profile. The password was a single digit. Just…one…digit. I couldn’t let that pass without some fun-loving teasing, which he took very well. This is when he said the magic words. He said he had just read about the SolarWinds debacle and how it had taken over so many networks, and he wondered, if they can get into those networks, “why should I even bother trying”? He knows that even though he is small, he is still a target. He is not confused about that, as he had heard of many other small medical offices scammed or hit by ransomware.

There it was, out in the open. The truth about how he felt. He feels helpless to defend against the attacks. He said that the person who recently set up his new digital x-ray machine told him he should not connect it to the network, but should take the data from the machine, put it on a USB drive and walk it over to his EMR station and attach it to the record there. He asked the rep why it mattered when it was going into a cloud-based system anyway, to which the rep had no good answer.

The Problem

As security professionals who live immersed in the world of scams and cyber criminal attacks, we sometimes forget that not everyone lives in this world. My chiropractor has patients to care for, the bakery down the street has pastries to finish. They are not cybersecurity experts, but they do handle valuable data, no matter the size of the organization. What they don’t have is the confidence that the time and effort they put into securing things will have any impact.

This feeling of hopelessness in the face of the threat is a real issue. While they may have an MSP (a.k.a. the IT person) that helps, they are usually focused on break/fix activities or setting up new machines, not securing the office. It can be tough to get small business owners to pay for services, like securing devices and people, when they don’t believe that there is value in doing so. Instead, they accept the risk, often without understanding what that risk really is. Even with the looming threat of HIPAA violations and potential fines, they believe that they have to risk it.

Now What?

So, how can we, the cybersecurity industry, help them? It starts with the messaging. We need to educate small business owners on the fact that most of the successful attacks they hear about among their peers are the result of human error. This error could be sending information to the wrong person, or it could be clicking a bad link in an email. Both can be avoided, or at the very least, the risk can be reduced greatly by working with the staff.

We need to stow the FUD. FUD (Fear Uncertainty and Doubt) is the tool of marketing departments trying to sell “solutions”. We are better than that. We should educate these small business owners on the risks they face and ways to reduce the risk. They need understanding, not fear.

In my opinion, there are very few ways to reduce risk in these organizations that are better than a focus on the human factor, since this is the root of so many issues. Before starting, we need to acknowledge the issue without blaming the individuals. Yes, they are the source of a lot of issues; however, like the doctor or business owner, they have other jobs to do. To get the best ROI, training needs to be constant, not just a PowerPoint presentation once a year. This means short lessons that are relevant to them and to current events. These lessons should cover best practices for password hygiene and spotting phishing emails, text messages and phone calls, and tie them to current events. We also need to explain why certain things are so important instead of just telling them to do it.

An example of this is teaching people that reusing passwords is bad. Rather than just demanding compliance, teaching them a little about credential stuffing can help them understand why it’s bad and has a better chance of changing the behavior. Teaching people that phishing attacks usually rely on creating an emotional response and demonstrating how that works is better than trying to teach them about every iteration of these attacks. It’s like a magic trick. Once you know how the trick operates, it doesn’t matter if the magician uses a playing card or foam ball to do the trick; you can spot the trick.

There are a lot of free tools that are valuable as well. Many of these will support the training. If you teach people not to reuse passwords, while also providing them with a tool, such as a password manager, it will help them be successful. There are free and low-cost versions for any size business.
