CyberheistNews Vol 13 #07  |   February 14th, 2023

[Scam of the Week] The Turkey-Syria Earthquake

Just when you think they cannot sink any lower, criminal internet scum is now exploiting the recent earthquake in Turkey and Syria.

Less than 24 hours after two massive earthquakes claimed the lives of tens of thousands of people, cybercrooks are already piggybacking on the horrible humanitarian crisis. You need to alert your employees, friends and family… again.

Just one example is scammers who pose as representatives of a Ukrainian charity foundation seeking money to help those affected by the natural disasters that struck in the early hours of Monday.

There is going to be a raft of scams, varying from blood drives to pleas for charitable contributions for victims and their families. Unfortunately, this type of scam is the worst kind of phishbait, and it is a very good idea to inoculate people before they get suckered into falling for a scam like this.

I suggest you send the following short alert to as many people as you can. As usual, feel free to edit:

[ALERT] “Lowlife internet scum is trying to benefit from the Turkey-Syria earthquake. The first phishing campaigns have already been sent and more will be coming that try to trick you into clicking on a variety of links about blood drives, charitable donations, or “exclusive” videos.

“Don’t let them shock you into clicking on anything, or into opening possibly dangerous attachments you did not ask for! Be very suspicious of anything you receive about this recent earthquake. With this topic, think three times before you click. It is very possible that it is a scam, even if it looks legit or was forwarded to you by a friend. Be especially careful when it seems to come from someone you know through email, a text or a social media post, because their account may have been hacked.

“If you want to donate to charity, go to your usual charity by typing its web address directly into the address bar of your browser, and do not click on a link in any email. Remember, these precautions are just as important at home as in the office, so tell your friends and family.”

It is unfortunate that we continue to have to warn against the bad actors on the internet that use these tragedies for their own benefit. For KnowBe4 customers, we have a few templates with this topic in the Current Events. It’s a good idea to send one to your users this week.

Blog post with links:

Spear Phishing Attacks Increase 127% As Use of Impersonation Skyrockets

Impersonation of users, domains and brands is on the rise, as is the use of malicious links, in response to security vendors improving their ability to detect malicious attachments.

I talk often about the back-and-forth that exists between cybercriminal groups and security vendors. Security solutions improve their detection capabilities, and threat actors work tirelessly to find new ways to evade detection. New data found in GreatHorn’s 2023 State of Email Security report shows that this is exactly what’s been happening in the last 12 months.

Let me paint the picture for you – according to the report, in 2022:

Microsoft and Google improved their attachment scanning capabilities
Spear phishing increased 127%, focusing specific scam themes on specific targets
Executive impersonation jumped 344%, making the attack appear to come from a trusted source
43% of all potentially dangerous emails were impersonation emails
All of the top 20 malicious links used were hosted on compromised domains with positive reputation scores, which lets them bypass native scanning controls such as those used by various Google services

In essence, the cybercriminals now realize they can’t really rely on malicious attachments, so they are shifting to a balance of strong social engineering against targeted victims, impersonation, and legitimate sites to host the malicious payload. That combination is the next evolution of these attacks.

According to GreatHorn, most attacks take between one and four steps to get the victim user to interact with the malicious payload.

This means you have a bunch of users who unwittingly follow a chain of unusual and unnecessary clicks that they should know better than to follow, something they learn very quickly if they are enrolled in new-school security awareness training. Attackers will continue to evolve their craft, so your users need to stay up to date on the latest attacks.

Blog post with links:

Thinking Critically About Your Online Behavior

Employees need to adjust their mindsets in order to defend themselves against social engineering attacks, according to Jonathon Watson at Clio. In an article for Dark Reading, Watson explains that security training should emphasize building habits that carry secure practices into both employees’ personal and professional lives.

“In addition to mandatory and routine training and security tools, the best way to ensure employees are vigilant about potential risks is to help them reframe their online mindset while encouraging them to leverage critical thinking in evaluating and defending against internal and external threats,” Watson says.

“Helping employees develop a healthier understanding of what’s at stake when they engage online — and the value of the information they interact with once there — can strengthen digital habits and build more mindful, proactive thinking when faced with a threat or even before one occurs.”

Organizations should also have a process for their employees to report suspicious activity.

“When people realize the value of their data, they’re more vigilant and protective of it,” Watson says. “But your employees should also feel encouraged to proactively ask questions about risks and formulate better ways to protect themselves. For example, your teams should have access to and familiarity with a standardized communication plan for when they receive phishing texts or emails.”

This type of training can give your organization an essential layer of defense by giving your employees a healthy sense of suspicion.

“When employees understand how their day-to-day behaviors — no matter how small — can expose sensitive data, they’re less likely to introduce risk in the first place,” Watson writes. “While you strive to train employees on how to protect data in every scenario, building a habit of vigilance reduces the amount of reactive problem-solving required in the first place.

“Improving your employees’ fundamental understanding and respect for the value of data shields your organization from digital threats. But without reinforcing this understanding through ongoing mindset shifts, the status quo and security theater of repetitive privacy notifications will make employees feel more complacent.”

New-school security awareness training enables your employees to follow security best practices so they can thwart social engineering attacks.

Blog post with links:

Check out this new Buyer's Guide: Using SOAR in Your Automated Incident Response Plan:

Do Not Fall Victim to Cyber Attacks – Find Out What the Latest Hiscox Report Reveals!

By Javvad Malik

Insurance provider Hiscox has published its fifth annual cyber readiness report, which has some eye-opening statistics.

Over the last five years, the percentage of companies that have been attacked has bounced around from 43% to a high of 61%, making cyber attack the most common threat to U.K. businesses.

Company size does not matter, as even companies with annual profits of $100,000 to $500,000 are experiencing as many cyber attacks as those that earn $1m to $9m – making cyber threat prevention all the more important.

As is to be expected, the COVID-19 pandemic has only made the situation worse, with 36% of businesses citing remote working as a risk factor. The report shows that ransomware incidents have increased from 17% to 19%, often spread through phishing emails and malware.

The Financial Services and TMT (Technology, Media, and Telecom) industries have been in the top spots for reporting at least one cyber attack for the last three years, with Energy also appearing in the top three for the last two years.

An interesting part of the report is what organizations invested in after a cyber attack. Around two out of five experts said they had put additional cybersecurity and audit requirements in place (41%), stepped-up employee training (39%) and improved preparations for cyber attacks (39%).

It is clear that phishing emails are a major cause of security incidents, and many organizations are investing in new-school security awareness training after the fact. But why not take a proactive approach and focus on building a strong cybersecurity culture from the start? Doing so can help lessen the chances of a successful attack and save you from costly incidents down the line.

Blog post with links:

Your Untrained Users Are Opening BEC Emails at High Rates

Researchers at Abnormal Security have found that 28% of business email compromise (BEC) attacks are opened by users, and 15% are replied to. Sales employees had the highest open rates, due to their vendor- and customer-facing roles.

“It’s not surprising to see that employees in sales-oriented roles are more likely to read and respond to malicious emails,” the researchers write. “These positions rely heavily on email correspondence, are usually among the most public-facing in an organization, and often involve interacting with a variety of different departments and vendors—not to mention customers.

“Additionally, the roles are traditionally commission-based, which means employees are financially motivated to be helpful, respond to inquiries quickly, and resolve issues promptly.”

The researchers also found that only 2% of malicious emails are reported by employees. “Some employees may believe that as long as they don’t engage with the attacker, they have fulfilled their obligation to the organization,” the researchers write. “But security professionals know that opting to just delete the email without reporting it can be almost as damaging since it eliminates the opportunity for the security team to warn other employees about the attack.

“Employees need to understand that a message that they immediately recognize as a phishing attack or attempted invoice fraud may not raise any red flags for a colleague. And if they don’t report it, the threat actor can move on to their next target.

The report notes that large organizations are more likely to be targeted by supply chain BEC attacks. “While the likelihood of any organization being targeted by a supply chain compromise attack has risen over time, we saw a notable increase in the second half of 2022,” the researchers write.

“For an organization with 5,000-10,000 employees, the probability of experiencing an attack grew by 26%, from 53% to 67%, between Q3 and Q4. Similarly, for an organization with more than 10,000 employees, the likelihood jumped by 22%, from 57% to 70%.

“Because threat actors know that companies are closing out their books at the end of the year, they tend to ramp up their attacks at the start of Q4. This is likely due to the fact that not only do organizations tend to be busier and thus more distracted, but there is also typically an increase in legitimate financial requests during this time period.”

New-school security awareness training can enable your employees to follow security best practices so they can thwart social engineering attacks.

Abnormal Security has the story:

The 10 Interesting News Items This Week

Foreign states already using ChatGPT maliciously, U.K. IT leaders believe:

New cybersecurity data reveals persistent social engineering vulnerabilities:

U.S., U.K. Sanction 7 Russians for Running Infamous Trickbot Malware:

U.K. Politician’s Email Hacked by Suspected Russian Threat Actors:

Upcoming Hulu Series on the mystery of the Ashley Madison Breach. This should be interesting:

Microsoft accuses Iran’s government of operation against Charlie Hebdo:

Russian hackers using new Graphiron information stealer in Ukraine:

Russian man pleads guilty to laundering Ryuk ransomware money:

Customizable new DDoS service already appears to have fans among pro-Russia hacking groups:

Supply Chain Attack by New Malicious Python Package, “web3-essential”:

