Monday, April 16, 2018

[Heads-Up] Phishing Scam of the Week: Bad Guys Sink to Scary New Low


CyberheistNews Vol 8 #16   |   April 16, 2018

[Heads-Up] Phishing Scam of the Week: Bad Guys Sink to Scary New Low 

So, this one is the next new criminal low.

This particular phish spoofs a campus-wide security alert for a community college in Florida.

Given that it appears to be tailored to a particular educational institution and its students and employees, it's a good bet that other educational institutions could see similarly targeted phishing attacks. From there, the campaign will move to other targets.

What makes this particular attack so infuriating is that it exploits current concerns over active shooters on education campuses — a sensitive issue that could likely generate panicked, reflexive clicks from recipients who are already on edge over the recent shooting at Marjory Stoneman Douglas High School — also in Florida.

This social engineering scheme could be easily used against any school system, state and local government, large private corporations (think of the recent mass shooting at YouTube headquarters) — or any organization that is likely to have established active shooter protocols and training in place.

If there is any saving grace in this phish, it lies in the awkward choice of language ("an emergency scare"), which should tip off most users that something is not right with this email. Users for whom English is a second language might not pick up on that, though, and non-native English speakers are common on college campuses.

We have seen several variations on this Scam of the Week with the following subject lines:

  • "IT DESK: Security Alert Reported on Campus"
  • "IT DESK: Campus Emergency Scare"
  • "IT DESK: Security Concern on Campus Earlier"

All three carry embedded links that lead to credential-harvesting pages spoofing a Microsoft login. Microsoft has a large IT presence on campuses, so a "verify your Microsoft account" page does not look out of place to students and staff.
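The lure described above has two observable traits: one of the three reported subject lines, and a link that claims to be a Microsoft sign-in but points somewhere else. The triage script below is an added example, not KnowBe4 code or a KnowBe4 product feature. It parses a constructed .eml, matches the subject against the three lures, and lists every link whose host is not on a small allowlist of real Microsoft sign-in hosts. The sample message, the sender address, the phishing hostname and the allowlist itself are assumptions made for illustration; the allowlist in particular is not exhaustive.

```python
"""Triage check for the 'IT DESK' campus-alert credential phish.

Added example, not KnowBe4 code. Flags a message when (a) its subject matches
one of the three lure subjects reported in the newsletter and (b) it carries a
link whose host is not a known Microsoft sign-in host. The sample .eml and all
hostnames below are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# The three subjects reported in the newsletter, matched case-insensitively.
LURE_SUBJECTS = [
    r"IT DESK:\s*Security Alert Reported on Campus",
    r"IT DESK:\s*Campus Emergency Scare",
    r"IT DESK:\s*Security Concern on Campus Earlier",
]
LURE_RE = re.compile("|".join(f"(?:{p})" for p in LURE_SUBJECTS), re.IGNORECASE)

# Hosts Microsoft really uses for sign-in. Assumption: illustrative allowlist,
# not a complete list; a production rule would maintain this from a source of truth.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+')


def extract_links(msg):
    """Collect hrefs from HTML parts and bare URLs from text parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            links.extend(HREF_RE.findall(body))
        else:
            links.extend(BARE_URL_RE.findall(body))
    return links


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def triage(raw_bytes):
    """Return a verdict dict for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = str(msg.get("Subject", ""))
    links = extract_links(msg)
    lure = bool(LURE_RE.search(subject))
    # Any link that is not a real Microsoft sign-in host is the red flag here,
    # because the page the victim lands on presents itself as Microsoft.
    off_domain = [u for u in links if host_of(u) not in MICROSOFT_LOGIN_HOSTS]
    return {
        "subject": subject,
        "lure_subject": lure,
        "links": links,
        "off_domain_links": off_domain,
        "suspicious": lure and bool(off_domain),
    }


# Constructed sample mimicking the lure. Sender, wording and URL are made up.
SAMPLE_EML = b"""From: IT Desk <itdesk@example.edu>
To: student@example.edu
Subject: IT DESK: Campus Emergency Scare
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Following the emergency scare on campus earlier today, all students and
staff must verify their Microsoft Office 365 account to keep receiving alerts.</p>
<p><a href="http://office365-verify.example.net/login">Sign in to Microsoft</a></p>
</body></html>
"""

if __name__ == "__main__":
    verdict = triage(SAMPLE_EML)
    print("subject:", verdict["subject"])
    print("lure subject:", verdict["lure_subject"])
    print("off-domain links:", verdict["off_domain_links"])
    print("suspicious:", verdict["suspicious"])
```

The subject match alone is not enough to block on: a genuine campus alert could reuse similar wording, which is exactly why the attacker chose it. The combination of a lure subject and a "Microsoft" link that resolves to a non-Microsoft host is what merits quarantining the message and alerting the user who received it.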

It's worth noting that institutions of higher education are at higher risk for phishing attacks generally, as well as ransomware attacks.

I suggest you send this email to your employees, friends and family, whether they are in a college or not. You're welcome to copy/paste/edit: 

"Heads-up. You'd think it could not get any worse, but some bad guys have sunk to a new low. They are now exploiting recent active shooter events on campus to get people panicked and "click-by-reflex" to find out if a loved one is safe.

This same phishing attack could be used against any organization with an active shooter protocol and training in place. If you see emails with titles like: 

  • "IT DESK: Security Alert Reported on Campus"
  • "IT DESK: Campus Emergency Scare"
  • "IT DESK: Security Concern on Campus Earlier"
Please think before you click, and look for any red flags related to a phishing scam. In any case, click on the Phish Alert Button to send this email to IT." 

In this particular case, KnowBe4 is *not* providing pre-made templates to send out. This type of template has what we call a high "runaway risk," meaning recipients may forward the simulated attack to authorities or the police, and/or call 911, causing further escalation, downtime and possible harm.

We do not recommend that KnowBe4 customers create this type of template and send it to their users either. Stick with messaging, PSAs, banners, posters and other awareness training methods.

This is the first time in our history that we recommend *not* sending a phishing template when we see an attack like this.

Here is the blog post with screen shots:

And here is the general press release, intended as a general alert:

Please forward to anyone you think will benefit.

Let's stay safe out there. 

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc
Ransomware, Phishing, and Pretexting in 2018 Verizon Data Breach Report

Did you know that according to the new 2018 Verizon report, phishing emails account for 98% of all social engineering related incidents and breaches?

Ransomware and phishing attacks have garnered a great deal of recent attention in the cybersecurity community. As the Verizon Data Breach Report has long warned, ransomware is the most common type of malware carried by phishing attacks. It's used in 56% of such incidents.

Ransomware is very effective for criminals. It exposes them to relatively little risk. But even as ransomware surges in criminal use and popularity, there are signs that businesses and local governments aren't investing in appropriate security against it.

Social engineering schemes such as phishing and pretexting are responsible for well over 90% of breaches. The targets of choice are finance and human resource employees. When successful, the attackers can collect ransoms in the six-figure range. Training users, combined with common sense, is essential in combating cyberattacks.

It only takes one person clicking on a phishing email to put an entire organization at risk. The good news is that 78% of people know not to click. But let's try to help the remaining 22% and step them through new-school security awareness training.

Here is the full Verizon report: "Tales of dirty deeds and unscrupulous activities", which by the way, KnowBe4 contributes to with phishing data:
[LIVE Webinar] Levers of Human Deception: The Science and Methodology Behind Social Engineering

No matter how much security technology we purchase, we still face a fundamental security problem: people. This webinar will explore the different levers that social engineers and scam artists pull to make us more likely to do their bidding.

Join Stu Sjouwerman, CEO at KnowBe4, and Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4. We'll provide fun and engaging examples of mental manipulation in everyday life: from the tactics used by oily car dealers, to sophisticated social engineering and online scams.

Additionally, we'll look at how to ethically use the very same levers when educating our users.

Key Takeaways:

  • The Perception vs. Reality dilemma 
  • Understanding the OODA (Observe, Orient, Decide, Act) Loop
  • How social engineers and scam artists achieve their goals by subverting OODA Loop's different components
  • How we can defend ourselves and our organizations 
Date/Time: Wednesday, April 25, 2018, 2:00 pm ET
Register now - limited space available!
Britain Braces for Russian Cyber Warfare Targeting Transport Links, Water Supplies, Hospitals and Airports

The UK Mirror reported that Britain is braced for a wave of crippling cyber attacks in Russian retaliation for the Syrian missile strikes. Here is an excerpt:

"Vital transport links, water supplies, gas networks, banks, hospitals and air traffic control could be targeted following the joint assault on Bashar al-Assad's chemical weapons compounds on Friday night.

Experts believe hackers in Moscow are already trying to break into key computer networks that could bring the UK's infrastructure to a halt." Full story at the KnowBe4 blog:
"I get my audits done in half the time and half the cost."
- Join our Live Demo of KnowBe4's Compliance Manager.

Join us on Tuesday, April 17, 2018, at 2:00 PM (ET) for a 30-minute live product demonstration of KnowBe4's Compliance Manager to see how you can simplify the complexity of getting compliant and ease your burden of staying compliant year-round. 
  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • Ability to build your own templates using our simple custom template feature.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation. 
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.
Finally, an affordable and user-friendly compliance management tool!

See how you can get audits done in half the time at half the cost. Register now: 

Let's stay safe out there. Here is something fun to read if you are traveling to RSA this week. 
Quotes of the Week
"Associate with people who are likely to improve you."
- Lucius Annaeus Seneca - Philosopher, Statesman, Dramatist (5 BC - 65 AD)

"Nothing can now be believed which is seen in a newspaper. Truth itself becomes suspicious by being put into that polluted vehicle. I will add, that the man who never looks into a newspaper is better informed than he who reads them; inasmuch as he who knows nothing is nearer to truth than he whose mind is filled with falsehoods & errors."
- Thomas Jefferson, 3rd President of the United States from 1801 to 1809

You could say the same thing of the internet these days... 

Thanks for reading CyberheistNews

Security News
Positive Technologies Social Engineering Report: 17 Percent Fall Foul to Attacks

Employees download malicious files, click phishing links, correspond with hackers, and even share contact information for their colleagues.

Positive Technologies has released a new report "Social Engineering: How the Human Factor Puts Your Company at Risk", with statistics on the success rates of social engineering attacks, based on the 10 largest and most illustrative pentesting projects performed for clients in 2016 and 2017.

To verify the security of corporate systems, Positive Technologies testers imitated the actions of hackers by sending emails to employees with links to websites, password entry forms, and attachments. In total, 3,332 messages were sent. If the "attacks" had been real, 17 percent of these messages would have led to a compromise of the employee's workstation and, ultimately, the entire corporate infrastructure. Full story and link to report at the KnowBe4 blog:
[NEW WHITEPAPER] 10 Best Practices for Protecting Against Phishing, Ransomware and Email Fraud

Organizations have been victimized by a wide range of threats and exploits, most notably phishing attacks that have penetrated corporate defenses, targeted email attacks launched from compromised accounts, and sensitive or confidential information accidentally leaked through email.

A survey conducted among corporate decision makers in early 2018 discovered that nearly 28% of organizations had experienced a phishing attack that was successful in infecting their networks. Don't let this happen to your organization.

Download the new Osterman Research white paper, Best Practices for Protecting Against Phishing, Ransomware and Email Fraud, and learn ten best practices you should consider to better protect your systems and network, train your users to be security-aware, and safeguard your organization's sensitive and confidential data from phishing attacks, ransomware, and CEO Fraud.

Get your copy here:
Forum Discussion at Spiceworks: "Are Your Users Human Firewalls or Are They Email Cannon Fodder?"

"This morning as I read through the lists of Phish Alerts my users are sending in, I realize that not every IT guy has end users that actually do this work for them. I will get to what a Phish Alert is in a moment, but this led me to think how many IT teams are being reactionary to email bound threats.

"Oh I know we all have our Email spam and virus filters. Heck I got two in sequence, but don't you know these danged Phishing emails still get through. Now I know the Spam and Virus firewall needs to be tended, but what about the brand new threats that pop up regularly or the Spear Phishing emails that are being hand customized to your executives?

"Your email filter would be so restrictive you would never get new emails from new potential clients. In fact just got off the phone with a former co-worker whose current employer has been hit by ransomware repeatedly. They clearly don't have a human firewall.

"I don't think we should stop trying to stop the ransomware from coming in, but we do need to train our users so they can be a part of the solution and not part of the problem." Here is the full discussion with lots of comments:
Social Engineering: A Trick as Old as Time

By Joe Gray, who is speaking at RSA, April 15-20 in San Francisco:

Social engineering is a growing epidemic that can be either an endgame in itself or a stepping stone toward bigger threats such as ransomware. This age-old tactic can be traced back to the Trojan Horse story featured in Virgil's "Aeneid" and Homer's "The Odyssey," from which the malware variant gets its name.

Modern Social Engineering Tactics

Today, social engineering exists in a variety of forms, including phishing, spear phishing, vishing (voice phishing), pretexting (impersonation), whaling (phishing targeting the C-Suite), smishing (SMS phishing) and more.

Of these threats, phishing and spear phishing seem to be the most common. Think of the typical ebb and flow of emails: You might receive legitimate messages, sales pitches, spam and bald-faced phishing attempts throughout the course of a normal day.

Run-of-the-mill phishing emails will likely wind up in your spam folder, but with a little open source intelligence (OSINT), an attacker can develop a pretext to appear at least quasi-legitimate. Full story at SecurityIntelligence:
Social Engineering: It's Time to Patch the Human

You know the phrase. "Social engineering: Because there's no patch for human stupidity." But there absolutely is, says Jayson Street.

"They're not a liability, they're an asset. [Humans] are the biggest intrusion detection system that you're going to get."

Jayson Street, the DEF CON Groups Global Ambassador, and VP of InfoSec for SphereNY, has likely forgotten more about social engineering than some of us have learned over the years working in security.

That's not fluff, he really does live for this stuff.

Our conversation with Street started passively, a simple question asking him about his conference plans this year.

As it turns out, Street has a training class this year at Black Hat in Las Vegas, along with April C. Wright, where the goal is teaching security teams to create human intrusion detection systems. Full story at CSOonline:
Compromised Credentials: An IT or an HR Issue?

Whose fault is it when credentials are compromised? IT or HR? Dow Jones Customer Intelligence, on behalf of Centrify, recently surveyed 800 executives in the UK and the US on the risk posed by credential compromise.

The results suggest that too many of them think it's basically an HR issue. Worse yet, they tend to underrate the risk credential compromise poses to their organization. Consider that credentials are among the more common targets of social engineering.

Consider also that compromised credentials can enable hostile outsiders to act as if they're trusted insiders. Protecting the organization requires a whole-of-company approach, and the centerpiece of any such approach should be realistic training tailored to your business's needs.

And do explain to your executives what someone who had credentials for your networks could do to you. Global Banking and Finance Review has the story:

Here is a complimentary tool to find out which of your credentials actually *are* compromised:
Not All Polls Are Benign

Phishing personal information is easier than you think. What is your first pet's name? Who was your first-grade teacher? What is your favorite vacation spot? Do these questions sound familiar? They should...many financial institutions use questions like these to set your "secret word," or the answer to the security questions that you can use to unlock your account if you forget a password.

Someone who knows those secrets can use them to gain unfettered access to sensitive and confidential information. Unfortunately, these questions and answers are also found on those innocent looking polls that are all the rage on social media. Lesson learned here: it's better to keep the name of your first pet private because "Fido" or "Sparky" may come back to bite you!

Not that Fido or Sparky would do that, really, but you get the drift. KrebsOnSecurity has the story:
What IT Pros Are Saying About KnowBe4 On Reddit

A Reddit user asked: "I just found this company called KnowBe4 and they claim to be the best at preventing and teaching about social engineering and cyber attacks. They have a complimentary tool that sounds like it sends an email to your employees that tells you if the users clicked on the link. I can't find reviews from anyone online saying that they're actually good that don't seem really biased.

If anyone had used this service or used this company before in any means, please tell me what you think about them. If you know of any other tools like this that you used that can show who clicked on what link and record that data, please let me know. Thanks!

Here is what users on Reddit answered:

Now, about online reviews, here are a few sources that are not biased, and vetted before they actually get published. First there is Gartner Peer Insights. You can compare all major (and minor) players in our space here:

Next, Spiceworks, the world's largest community of IT pros. They have a reviews section there as well, and "spiceheads" can rate a product from one to five stars:

Third, there is the independent G2 Crowd site, which does reviews of awareness training platforms as well. No one gets rewarded in any way for any of these reviews. You can sort by ratings, company size, user role and user industry:

And here is a Case Studies Page with some videos of existing users, links to the above platforms, and a few non-gated PDFs with Education and Financial Institution case studies: 

And here is a recent email I received:

"Good morning, Stu. Thank you for checking with us! KB4 phishing tests have been very helpful for us to understand our users. Since we deployed, we have been testing our users on a weekly basis. The click rate has been decreasing, which is a good sign.

We have noticed some users who are always click happy, and our helpdesk team is contacting them to do a one on one training with the users to point out what they have missed. Our users also have increased reporting of phishing, which is a good sign they are listening to the IT department.

It creates a nice trust/dialogue relationship between the business and IT. Thank you very much for the service, we appreciate it much!" - K.J. Security Specialist, CISM, CISSP, PCIP 

Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
