CyberheistNews Vol 13 #49 | December 5th, 2023
Top Four Security Tips for Cyber Safety on National Computer Security Day
To celebrate National Computer Security Day, which is recognized on November 30 every year, KnowBe4 encourages all IT and security professionals to train their workforce how to stay safe from cybersecurity threats as the organization’s last line of defense.
It is also crucial to focus on building a strong security culture by educating employees about today’s cyber threat landscape and how they can play a role in protecting the organization.
National Computer Security Day is a day aimed at raising awareness and reminding society of the importance of protecting both company and personal computer resources in order to prevent the misuse of financial and personal data, and even identity theft. There are many measures that people can take to be more secure, and we can all play a part in these efforts year-round.
We have compiled our top four tips for maximum ROI:
- Implement phishing-resistant multi-factor authentication – Cybercriminals have become very good at tricking people into giving up their credentials, especially through fake login pages designed to look like authentic ones. Having an additional factor, such as a code generated from an application on a smartphone, or better yet, a phishing-resistant factor such as a USB security key to prove your identity, can go a long way toward keeping bad actors out of your accounts.
- Patch software in a timely manner – Patching software and firmware can help not only keep cybercriminals from getting into computer systems, but can also keep them from doing more damage in the event they do get in. Do not just patch internet-connected devices, but also the ones inside the network.
- Conduct security awareness training and simulated phishing tests – Educating employees about how to spot email phishing attacks, one of the most successful ways attackers can get into a network, is a critical part of any security program. Conduct training in short sessions on a regular basis, then allow them to test their skills with simulated phishing exercises that provide practice. Do not forget to also educate employees about safe password behaviors and other important security topics.
- Create long and unique passwords or passphrases for each online account – Not only do the length and complexity of passwords matter, but the reuse of passwords is a significant security threat as well. In many breaches, cybercriminals steal usernames and passwords, knowing that they can try these on common websites using free tools, and since people often reuse passwords, the chances of taking over other accounts are good. Making sure passwords are unique and are never reused, especially between personal and work accounts, can help keep accounts secure.
Remember to stay safe today on National Computer Security Day, and every day! KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/national-computer-security-day-tips
[New Features] Ridiculously Easy Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TOMORROW, Wednesday, December 6, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
- NEW! Content Manager lets you easily customize your training content preferences including branding, adjustable passing score, test out and more
- NEW! 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- Executive Reports helps you create, tailor and deliver advanced executive-level reports
- See the fully automated user provisioning and onboarding
Find out how 65,000+ organizations have mobilized their end-users as their human firewall.
Date/Time: TOMORROW, Wednesday, December 6, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/kmsat-demo-3?partnerref=CHN3
The Israel-Hamas Conflict Is the Latest Example of Phishing Attacks Taking Advantage of Current Events
Using something as simple as an attachment with an Israel/Hamas-related filename seems to be all it takes for new social engineering attacks disguised as donation confirmations.
If you were to guess how many new attacks have been launched under the guise of the recent war, it’s probably more than you think. According to security researchers at Check Point Software, they’ve discovered over 15,000 examples of attacks using this theming.
While not the most sophisticated email, it’s the HTML attachment that is the clincher for this attack. According to Check Point, more than 50% of malicious attachments are HTML files. Opening the attachment reveals a fake “locked” Excel document that requires the victim to enter their Microsoft 365 credentials (see the screenshots in the blog post linked below).
The tactics used in this example are relatively unsophisticated and unimpressive to those who have been paying attention to the evolution of phishing attacks. But it goes to show that all it takes is a user who hasn’t yet undergone new-school security awareness training. Therefore, when your users aren’t vigilant when interacting with such attacks, they could fall for what appears to be one of the lamest modern phishing efforts I’ve seen.
Blog post with links and screen shots:
https://blog.knowbe4.com/israel-hamas-conflict-phishing-attacks
Combatting Rogue URL Tricks: Quickly Identify and Investigate the Latest Phishing Attacks
Everyone knows you shouldn’t click phishy links. But are your end users prepared to quickly identify the trickiest tactics bad actors use before it’s too late? Probably not.
Cybercriminals have moved beyond simple bait and switch domains. They’re now employing a variety of advanced social engineering techniques, like sneaky rogue URLs, to entice your users into clicking and putting your network at risk.
Join Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, for this webinar as he shows you how to become an expert phish finder. He’ll dive deep into the latest techniques and defenses to share:
- Real-life examples of advanced attacks using rogue digital certificates, homograph attacks and more
- Safe forensic methods for examining URLs and other tactics for investigating phishy emails
- Strategies for dissecting URLs on mobile without clicking
- Simple ways you can train your users to scrutinize URLs and keep your network safe
Find out what you need to know to keep your network protected and safe from the latest phishing attacks!
Date/Time: Wednesday, December 13 @ 2:00 PM (ET)
Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot!
https://info.knowbe4.com/rogue-phishing-urls-2023?partnerref=CHN
[FUN DEPT] We Asked GPT: “Explain Social Engineering in Gen-Z Slang”
It answered: “Aight, so social engineering is like when someone’s tryna finesse you by playing mind games. They’re not hacking your devices with code and stuff; they’re hacking your brain, ya feel?
Imagine someone sliding into your DMs acting all friendly and stuff, but they’re lowkey tryna scoop up your personal deets or get you to spill the tea on your passwords. They might hit you with a sob story, or act like they’re from some legit company you vibe with, but it’s all cap.
These folks might also flex some wild stories to get you to click on sketchy links, or even catfish you to get that trust level up. It’s all about manipulation, getting you to drop your guard so they can snag what they want, like your login creds, cash, or control over your accounts.
Always double-check who you’re dealing with and don’t hand over your digits or private info just ’cause someone seems chill. That’s how they getcha. Keep your personal biz on lockdown, and don’t let these social engineers play you for a fool.”
The Outstanding ROI of KnowBe4’s Security Awareness Training Platform
One of your important responsibilities is to minimize expensive downtime and prevent data breaches.
Skyrocketing ransomware infections can shut down your network and exfiltrate data. Phishing is responsible for two-thirds of ransomware infections.
That’s why security awareness training has become a critical component of reducing risk and safeguarding digital assets. Learn how the KnowBe4 security awareness training platform can help you maximize your infosec budget and mitigate risk.
Download this ultimate budget ammo PDF that covers:
- The ongoing problem of social engineering for organizations of all sizes
- The risk and cost of doing nothing to secure the human element of your organization
- The cost savings and risk reduction realized through using the KnowBe4 security awareness training platform
Download Now:
https://info.knowbe4.com/en-us/wp-outstanding-roi-knowbe4-sat-platform-kmsat-chn
Quotes of the Week
“I think that’s the single best piece of advice: Constantly think about how you could be doing things better and questioning yourself.”
– Elon Musk – Entrepreneur (*1971)
“Once we believe in ourselves, we can risk curiosity, wonder, spontaneous delight, or any experience that reveals the human spirit.”
– e. e. Cummings – Poet (1894 – 1962)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-49-top-four-security-tips-for-cyber-safety-on-national-computer-security-day
Security News
Users Fall for Smishing Attacks 6-10 Times More Than Email-Based Attacks
With organizations heavily focusing on protecting the corporate endpoint, cybercriminals are switching focus onto mobile devices where users are more prone to fall for their social engineering tactics.
We consume so much content from people we don’t personally know that stopping to be critical of what’s being presented to us is not part of our everyday process. And that’s exactly what cybercriminals are taking advantage of.
According to security vendor Zimperium’s 2023 Global Mobile Threat Report, text-based phishing attacks are not only on the rise, but there are examples of how the cybercrime ecosystem is responding to the “need” and making it easier for such attacks to take place.
- Between 2021 and 2022 (the time frame covered in the report), the total number of mobile malware samples detected increased by 51%
- During 2022, an average of 77,000 unique malware samples were discovered each month
- Zimperium detected an average of 2,000 pieces of “zero day” malware weekly
- 80% of phishing sites now either target mobile devices specifically or are designed to function on both mobile and desktops
This growth is occurring purely because mobile device users are far more likely to engage with attack content than they would be on a traditional endpoint. Think about the magnitude of the headline of this article: if a user were just 8% likely to click on a malicious link on an endpoint, they are as much as 80% likely to click on the same link when it is presented on a mobile device. That’s a huge difference!
And with 73% of organizations that experienced a mobile-related compromise describing it as a “major” breach, these kinds of attacks are as serious as their endpoint-focused counterparts. Given the heightened risk of user engagement, it’s absolutely necessary that users be enrolled in new-school security awareness training to educate them on the kinds of attacks and social engineering being used, how to spot them, and how to ensure they don’t participate by engaging with the malicious content.
Blog post with links:
https://blog.knowbe4.com/users-fall-smishing-attacks-more-than-email-attacks
Hybrid War Between Hamas and Israel Spreads in Cyberspace
Of the activity that’s been attributed so far in this war, a great deal of it has been traced to Iran.
GPS disruptions affecting commercial flights in the Middle East, particularly over Baghdad, Cairo, and Tel Aviv, have been attributed to jamming centered near Tehran. In a separate incident, the Iranian hacktivist group, Cyber Av3ngers, took control of a water booster station in Aliquippa, Pennsylvania, using a control system from the Israeli company Unitronics. This attack is part of a broader trend of targeting Unitronics PLCs used in various sectors, indicating a significant threat to the industrial control system supply chain.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged water utilities using Unitronics PLCs to implement risk mitigation measures. Cyber Av3ngers previously claimed attacks on Israeli utilities and falsely claimed to compromise the Dorad power station in Israel. The Pennsylvania attack suggests an expansion of the group’s activities beyond Israel.
Another incident involved hacking a Unitronics PLC at a Pittsburgh brewery, displaying the same message as the Aliquippa water system hack. This suggests further attacks on US water systems, though these remain limited.
Researchers have also identified a new strain of SysJoker malware, primarily targeting Israeli entities and aligning with Hamas interests. Initially developed in C++, it has been rewritten in Rust and linked to previous attacks against Israeli infrastructure. This malware is associated with a new APT group called “WildCard,” which engages in social engineering and abuses legitimate cloud services, targeting Israeli sectors like education, IT infrastructure, and possibly electric power generation.
What KnowBe4 Customers Say
“Stu – Good day! My name is Jessi. I am the Director of IT here. We are an internet provider, nice to meet you over email.
I wanted to take a minute and share with you what a fabulous job our Customer Success Manager, Elise B., is doing for us. Every month she meets with us and assists with our Awareness Training, Phishing Campaigns, and overall security posture – all in a 30 min meeting. Her positivity and knowledge of the platform is so appreciated.
I value the role she provides because without her, I am not sure we would get the maximum benefit of the partnership. Anyhow, I just wanted to pass that along and let you know how much we value the KnowBe4 partnership. Happy Holidays!”
– J.B., Director of IT
“Stu, I wanted to email you about one of your employees Ryan T. He has been an absolute pleasure to work with and goes above and beyond the call of duty. He has been on our account a short while and is very responsive, friendly, and helpful.
I just wanted to reach out to you personally and let him know he is a great asset to your team at KnowBe4!”
– D.R., Technical Accounting Manager
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links